Apple Apologizes, Patching Security Hole That Lets Anyone Log on to Any Mac: ‘Our Customers Deserve Better’
Less than 24 hours after the discovery of a major security flaw that allowed every Mac running macOS High Sierra to be accessed without a password, Apple has issued a patch to resolve the issue, as well as an apology.
The vulnerability, which let users unlock Macs with the username “root” and a blank password, was revealed midday Tuesday. Apple’s software update became available Wednesday morning. According to the company, it will be automatically downloaded to effected computers later on Wednesday.
Here is Apple’s statement on the critical security issue:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
The flaw was revealed in a Twitter post by Lemi Orhan Ergin Tuesday:
Apple (AAPL) initially responded to Ergin an hour later, via Twitter. In a statement to Fortune on Tuesday afternoon, an Apple spokesperson said the company was working on a software update to address the flaw.
The macOS “root” user account is a system administrator or “superuser” profile used for unlocking and changing files that are typically protected by the operating system.
This is not the first password flaw associated with macOS High Sierra. The operating system launched with a bug that would allow hackers to access user passwords in the system’s Keychain, a software vault designed to store login information. That vulnerability was patched shortly after the operating system launched in September 2017.