Critical Security Update for macOS High Sierra Released to Fix Root Bug, Download & Install Now

Nov 29, 2017 - 13 Comments

Apple has issued a critical security update for macOS High Sierra to address the root login bug which allows anyone to login to macOS High Sierra without a password.

All macOS High Sierra users should install the security update as soon as possible to protect their Mac, even if they have already used the root login fix detailed here. This is perhaps the most urgent Security Update for macOS High Sierra system software released yet, as it will patch the security hole completely.


The software update is labeled as “Security Update 2017-001” and is exclusive to macOS High Sierra. The brief notes attached to the App Store download say “Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”

How to Install macOS High Sierra Security Update 2017-001

  1. Go to the Apple menu and choose “App Store”
  2. Click the “Updates” tab
  3. When you see “Security Update – Install this update as soon as possible. Security Update 2017-001” available, click on the “Update” button

The security update, which seems to apply to the “Directory Utility” application in macOS, does not require the Mac to reboot for changes to take effect.

macOS High Sierra Security Update 2017-001 Release Notes

The download notes are brief (“Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”), but Apple details the bug and release notes for the security patch a bit more here on a support page:

Security Update 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier 

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

If you require the root user account on your Mac, you can enable the root user and change the root user’s password.

Confirming the Security Update Applied to a Mac

Note that while you can download the software update yourself, Apple is reportedly going to start automatically pushing the download to macOS High Sierra machines later.

The simplest way to confirm that Security Update 2017-001 has been applied to a particular Macintosh running macOS High Sierra is to check the Mac OS build number on the computer.

  1. Pull down the Apple menu and choose “About This Mac”
  2. Click on the text that says “Version” directly under the “macOS High Sierra” banner
  3. The build number will appear next to the version; if it says “(17B1002)”, then the security update has successfully installed

Check to get build number of macOS High Sierra

In the example screenshot, the build version of macOS High Sierra is older than 17B1002, and thus the security patch has not yet been installed.

You can also check the build number of a Mac OS release by using Terminal and the following command syntax:

sw_vers
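The build check described above can be scripted. The following shell script is an added example, not code from the article or from Apple; it assumes any 10.13.1 build at or above 17B1002 carries the fix, and the function names and the sample sw_vers output are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a Mac from `sw_vers` output. 17B1002 is the
# patched build number given in the release notes quoted on this page.
PATCHED_BUILD="17B1002"

# Split an Apple build string (17B1002, 17C83a) into "major letter number".
split_build() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\([A-Z]\)\([0-9][0-9]*\)[a-z]*$/\1 \2 \3/p'
}

# build_at_least BUILD MINIMUM: succeed when BUILD is the same or newer.
# Fields are compared one by one; a plain string comparison would rank
# "17B48" above "17B1002" because "4" sorts after "1".
build_at_least() {
    set -- $(split_build "$1") $(split_build "$2")
    [ "$#" -eq 6 ] || return 2          # one of the strings did not parse
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" != "$5" ]; then expr "$2" \> "$5" >/dev/null; return; fi
    [ "$3" -ge "$6" ]
}

# update_status SW_VERS_OUTPUT: print patched, needs-update, not-impacted
# or unknown.
update_status() {
    version=$(printf '%s\n' "$1" | awk '$1 == "ProductVersion:" { print $2 }')
    build=$(printf '%s\n' "$1" | awk '$1 == "BuildVersion:" { print $2 }')
    case "$version" in
        10.13.1)
            if [ -z "$(split_build "$build")" ]; then echo unknown
            elif build_at_least "$build" "$PATCHED_BUILD"; then echo patched
            else echo needs-update
            fi ;;
        10.[0-9]|10.[0-9].*|10.1[0-2]|10.1[0-2].*)
            echo not-impacted ;;        # "macOS Sierra 10.12.6 and earlier"
        *)
            echo unknown ;;             # release not named in the notes
    esac
}

# Constructed sample of sw_vers output for a 10.13.1 system without the
# update; the build value 17B48 is a sample chosen for illustration.
SAMPLE_UNPATCHED=$(printf 'ProductName:\tMac OS X\nProductVersion:\t10.13.1\nBuildVersion:\t17B48\n')

update_status "$SAMPLE_UNPATCHED"
# On a Mac, classify the running system as well.
if command -v sw_vers >/dev/null 2>&1; then update_status "$(sw_vers)"; fi
```

A result of "unknown" means the release is not one the quoted release notes name, so the build number alone does not settle whether the fix is present.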

According to tweets posted by TechCrunch reporter Matthew Panzarino, Apple has released the following statement about the security flaw and the macOS High Sierra security update:

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS”

“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

Note that Apple specifically says the update is available to download now, and “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.” This seems to imply that Apple will use the automated security update mechanism available through the Mac App Store to try to push the critical security update onto customers.

It is strongly recommended to install the security software update onto any Macintosh running macOS High Sierra as soon as possible.

A direct download link for macOS High Sierra Security Update 2017-001 is not yet available, but should appear here once it shows up.

Posted by: Paul Horowitz in Mac OS X, News, Security, Tips & Tricks

13 Comments

  1. Jeff says:

    Fixed one thing… and broke file sharing authentication. Too bad they rushed it.

  2. TD says:

    This is ridiculous. Heads should roll at Apple. They have really lost sight of the importance of quality control. It seems all they really care about is making the laptops and phones thinner. Who cares if it weighs 1 oz less or if it is 10 mm instead of 11 mm thick?

    I have a 2017 MacBook Pro and it constantly overheats and then crashes since there is very little airflow inside. The fans do not run fast enough unless I install a 3rd party fan control app. Same thing for my 2017 iMac.

    Apple should focus on quality and simplicity. What happened to step 1, step 2 there is not step 3?

  3. MSterling says:

    No update yet for beta 10.13.2. Latest v5 (17C83a) has same problem. I would expect v6 to be out fast.

  4. Whirlwound says:

    I’ve just installed the update soon as I got back from work, but the About dialog doesn’t show anything at all after the version number. Confirmed via Terminal though.

    • Paul says:

      You have to click on the “Version” text at “About this Mac” for the build number to show. It’s very hidden. But, if Terminal has confirmed then you are good to go.

  5. Sylvio says:

    “An error occured installing macOS. To use Apple Diagnostics to check your Mac hardware, shut down, press the power button, and immediately hold the ‘D’ key until Diagnostics begins.
    Quit the installer to restart your computer and try again.”

    I’ve tried 5 times and I can not get anything. Every time you restart it tries to install and can not.
    😡😡😡😡😡😡

    • Neron says:

      You are getting this error about installing macOS after updating with the root patch? That’s strange, it should not require a reboot or impact the OS much.

      Perhaps roll back with a Time Machine backup and try again?

  6. david watts says:

    … it’s Thursday morning, 9:38 AST, but no indication on App Store of an update yet. Any idea from anyone when this fix was made available?

  7. Derek Jones says:

    Just updated, took a long time, Build no on mine is 17B1003. I assume that is the latest build.
