Lemi Orhan Ergin did not give Apple any forewarning when he publicly revealed the massive macOS root bug on Twitter. He basically exposed a zero-day vulnerability for hackers to use, while Apple rushed out a bug fix. The good news is Apple just issued the root bug fix in Security Update 2017-001.
This was really fast work, but it also showed their sloppiness. Hopefully, the bug fix does not introduce additional bugs!
macOS Security Update 2017-001
Apple released macOS Security Update 2017-001 just a day after the macOS root bug was revealed. They also gave us more information on the bug that caused so much ruckus around the world (and rightly so).
- The bug only affected macOS High Sierra 10.13.1.
- The bug did not affect computers running macOS Sierra 10.12.6 or earlier.
- They confirmed that it allowed an attacker to “bypass administrator authentication without supplying the administrator’s password”.
You can get more details on the root bug in our dedicated article – The macOS High Sierra Root Bug Explained!
How Do I Download The Root Bug Fix?
The macOS root bug fix is now available for download via the App Store. If it doesn’t appear yet, just click on the Updates icon to refresh.
Please note that this bug fix will reset and disable the root user account. If you need to use the root user account, you will need to re-enable it, and change its password, after applying the update.
Terminal Users, Watch Out!
If you’re using Terminal to update though, you may face some complications due to Apple’s sloppiness. Chai discovered that Apple accidentally used a space instead of the version number.
This is not an issue if you are downloading the patch through the App Store. But if you’re applying the patch via Terminal, you need to add a space where the version number should be.
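One way to keep a trailing space in an update label intact when installing from Terminal, as an added example that is not from the original article or from Apple. The `softwareupdate -l` listing layout and the placeholder label below are constructed assumptions, and the script only prints the install command rather than running it.

```shell
#!/bin/sh
# Constructed sample of `softwareupdate -l` output. Assumed layout: each
# update label follows "   * ". The label is a placeholder that ends in a
# space, standing in for the missing version number described above.
sample_listing() {
    printf '%s\n' \
        'Software Update Tool' \
        '' \
        'Software Update found the following new or updated software:' \
        '   * Example Security Update- ' \
        '        Example Security Update ( ), 1234K [recommended]'
}

# Print each label exactly as listed, keeping any trailing whitespace.
extract_labels() {
    sed -n 's/^ *\* //p'
}

# Succeed when the label ends in a space, which is easy to miss on screen.
has_trailing_space() {
    case "$1" in
        *' ') return 0 ;;
        *)    return 1 ;;
    esac
}

# Build the install command with the label single-quoted, so the shell
# passes the trailing space through instead of trimming it as a separator.
install_command() {
    escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "softwareupdate -i '%s'\n" "$escaped"
}

# Demo on the constructed listing; on a Mac, pipe `softwareupdate -l` in instead.
# IFS= and -r stop `read` from trimming the whitespace we want to keep.
sample_listing | extract_labels | while IFS= read -r label; do
    if has_trailing_space "$label"; then
        echo "label ends with a space: [$label]"
    fi
    install_command "$label"
done
```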