Apple has rushed out a fix for macOS 10.13 (High Sierra) following an alert over an easy-to-exploit security flaw that lets anyone gain root access without supplying a password.
The fix, 'Security Update 2017-001', is available now from the Mac App Store and closes the hole; Mac users have been urged to install it as a matter of priority.
Apple has detailed the content of the update over on its Support website.
In a statement, Apple admitted that it had "stumbled with this release of MacOS".
It continued: "When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
"We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development process to help prevent this from happening again."
The flaw, in macOS 10.13 'High Sierra', lets anyone gain root (administrator) rights on a Mac by typing "root" as the username in an authentication dialogue box, leaving the password field blank and clicking the "Unlock" button twice: the first attempt fails, the second is accepted.
In practice this means that if a user leaves their Mac unattended, anybody could log on to the machine as root, install malware, delete the owner's Apple ID, read the passwords stored in Keychain Access or even disable FileVault: pretty much anything they like.
Turkish developer Lemi Orhan Ergin disclosed the flaw on Twitter on Tuesday (below) but has since been criticised for the "irresponsible" way in which he did so.
"You can access it via System Preferences > Users & Groups > Click the lock to make changes. Then use "root" with no password. And try it several times. Result is unbelievable! pic.twitter.com/m11qrEvECs" — Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The bug was quietly discussed on Apple's developer forums two weeks ago, but no one seemed to notice at the time, including Apple.
Before the patch was ready, the company had said only that it was "working on a software update to address this issue", and offered a temporary workaround in the meantime: enable the root user and set a root password.
"In the meantime, setting a root password prevents unauthorized access to your Mac," an Apple spokesperson said.
"To enable the Root User and set a password, please follow the instructions here: https://support.apple.
Tyler Moffitt, senior threat research analyst at Webroot, described the flaw as "devastating" but noted that things could have been a lot worse.
He said: "This is a very surprising bug that evaded the quality control on MacOS High Sierra. Apparently, this also works on FileVault in the MacOS which makes this bug quite devastating.
"The good news is that as of right now, there is not any mention of malware that leverages this security flaw.
"We can expect Apple to quickly release a fix for this vulnerability. In the meantime, impacted users with admin access should type the following command from the terminal: '$ sudo passwd root'. After typing the command, the user should enter his/her password then create a new password for the root user."
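As an added example (not code from the article, from Apple or from Webroot), the following POSIX shell script ties together the workaround Apple and Webroot describe above with the checks a practitioner would want first: is this a 10.13 release, does Security Update 2017-001 appear in the install history, and does the root account already carry a password record (which is also what the bug leaves behind after a blank-password "unlock"). The parsing functions take their input as text so they can be exercised offline; the sample outputs embedded in the script are constructed assumptions about the shape of `dscl` and `softwareupdate --history` output, not captures from a real machine, and the presence of `softwareupdate --history` on 10.13 is likewise an assumption, with the receipts plist as a fallback.

```shell
#!/bin/sh
# Added example (not from the article, Apple or Webroot): audit a Mac for the
# High Sierra blank-root-password issue and point at the workaround the article
# describes (set a real root password). The three parser functions take text
# as an argument so they can be exercised offline with constructed samples.

# 0 if the reported product version is a 10.13.x (High Sierra) release.
is_affected_version() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the install-history text lists Security Update 2017-001.
fix_listed() {
    printf '%s\n' "$1" | grep -q 'Security Update 2017-001'
}

# 0 if root already has a password record. Assumption about the output of
# 'dscl . -read /Users/root AuthenticationAuthority': an untouched root
# record has no AuthenticationAuthority attribute; once a password has been
# stored (by 'passwd root', or by the bug storing a blank one) a ShadowHash
# entry appears.
root_has_password_record() {
    printf '%s\n' "$1" | grep -q 'AuthenticationAuthority:.*ShadowHash'
}

# Constructed sample outputs (assumed shapes, not captured from a real Mac).
SAMPLE_DSCL_CLEAN='No such key: AuthenticationAuthority'
SAMPLE_DSCL_SET='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
SAMPLE_HISTORY_PATCHED='macOS 10.13.1 Update    10.13.1    2017-11-01
Security Update 2017-001    1.0    2017-11-29'

# Live audit; only meaningful on macOS, so it is skipped everywhere else.
audit_macos() {
    version=$(sw_vers -productVersion)
    # 'softwareupdate --history' is assumed to exist on 10.13; fall back to
    # the receipts plist, which also lists installed package display names.
    history=$(softwareupdate --history 2>/dev/null || cat /Library/Receipts/InstallHistory.plist 2>/dev/null)
    rootrec=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)

    if ! is_affected_version "$version"; then
        echo "macOS $version: not a High Sierra release, nothing to do"
        return 0
    fi
    if fix_listed "$history"; then
        echo "Security Update 2017-001 is installed"
    else
        echo "Security Update 2017-001 NOT found: install it from the Mac App Store"
    fi
    if root_has_password_record "$rootrec"; then
        echo "root has a password record (may be the blank one the bug creates)"
    else
        echo "root has no password record"
    fi
    echo "Workaround until patched: set a real root password with: sudo passwd root"
}

if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    audit_macos
fi
```

Run it as an admin user on the Mac in question; it only reports and never changes the root account itself, so the final `sudo passwd root` step remains a deliberate action by the operator.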