Security Article

Vulnerability in Mac OSX High Sierra 10.13 and Greater

Update: Apple released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password. The update was automatically installed on all systems running the latest version (10.13.1) or greater of Mac OS High Sierra. For more information, please click here.

A security flaw has been detected in Mac operating systems (OSX) High Sierra 10.13 and greater.  This vulnerability allows anyone to login to a Mac device and change administrative settings by typing in the username "root" with no password.

Current Solution:
  • Apple is working on a permanent software fix for the issue. Until further notice, Apple has issued the following statement: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Systems at Risk:

Currently, this vulnerability is only detected in users with a Mac OS that has been upgraded to High Sierra 10.13 or greater.

  • Systems with local console access, such as shared usage computers in teaching or lab environments, where users of shared computers are not privileged with root access.
  • Systems with Apple Remote Desktop (ARD) enabled.
Systems Not at Risk:
  • Mac OS's prior to High Sierra 10.13 or greater.
  • Systems using SSH (Secure Shell).
Recommended Actions:

The following are recommended actions for those Mas OSX High Sierra 10.13 or greater users:

  • A possible fix is to create a root account, then set a password and leave it enabled. Instructions can be found here:
  • If you do not have the latest Mac OS, do not upgrade to High Sierra 10.13 or greater until a patch is made available.

More Information: