Critical Security Update for macOS High Sierra Released to Fix Root Bug, Download & Install Now
Apple has issued a critical security update for macOS High Sierra to address the root login bug which allows anyone to login to macOS High Sierra without a password.
All macOS High Sierra users should install the security update as soon as possible to protect their Mac, even if they have already used the root login fix detailed here. This is perhaps the most urgent Security Update for macOS High Sierra system software released yet, as it will patch the security hole completely.
The software update is labeled as “Security Update 2017-001” and is exclusive to macOS High Sierra. The brief notes attached to the App Store download say “Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”
How to Install macOS High Sierra Security Update 2017-001
- Go to the Apple menu and choose “App Store”
- Click the “Updates” tab
- When you see “Security Update – Install this update as soon as possible. Security Update 2017-001” available, click on the “Update” button
The security update, which seems to apply to the “Directory Utility” application in macOS, does not require the Mac to reboot for changes to take effect.
macOS High Sierra Security Update 2017-001 Release Notes
The download notes are brief (“Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”), but Apple details the bug and release notes for the security patch a big more here on a support page:
Security Update 2017-001
Released November 29, 2017
Directory Utility
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, you can enable the root user and change the root user’s password.
Confirming the Security Update Applied to a Mac
Note that while you can download the software update yourself, Apple is reportedly going to start automatically pushing the download to macOS High Sierra machines later.
The simplest way to confirm that Security Update 2017-001 has been applied to a particular Macintosh running macOS High Sierra is to check the Mac OS build number on the computer.
- Pull down the APPLE menu and choose “About This Mac”
- Click on the text that says “Version” directly under the “macOS High Sierra” banner
- The build number will appear next to the version, if it says “(17B1002)” then the security update has successfully installed
In the example screenshot, the build version of macOS High Sierra is older than 17B1002, and thus the security patch has not yet been installed.
You can also check the build number of a Mac OS release by using Terminal and the following command syntax:
sw_vers
According to tweets posted by TechCrunch reporter Mathew Panzarino, Apple has released the following statement about the security flaw and the macOS High Sierra security update:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS”
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
Note Apple specifically says the update is available to download now, and “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra).” This seems to imply that Apple will use the automated security update mechanism available through the Mac App Store to try and push the critical security update onto customers.
It is strongly recommended to install the security software update onto any Macintosh running macOS High Sierra as soon as possible.
A direct download link for macOs High Sierra Security Update 2017-001 is not yet available, but should appear here once it shows up.
Just updated, took a long time, Build no on mine is 17B1003. I assume that is the latest build.
… it’s Thursday morning, 9:38 AST, but no indication on App Store of an update yet. Any idea from anyone when this fix was made available?
“An error occured installing macOS. To use Apple Diagnostics to check your Mac hardware, shut down, press the power button, and immediately hold the ‘D’ key until Diagnostics begins.
Quit the installer to restart your computer and try again.”
I’ve tried 5 times and I can not get anything. every time you restart it tries to install and can not.
😡😡😡😡😡😡
You are getting this error about installing macOS after updating with the root patch? That’s strange, it should not require a reboot or impact the OS much.
Perhaps roll back with a Time Machine backup and try again?
I’ve just installed the update soon as I got back from work, but the About dialog doesn’t show anything at all after the version number. Confirmed via Terminal though.
You have to click on the “Version” text at “About this Mac” for the build number to show. It’s very hidden. But, if Terminal has confirmed then you are good to go.
No update yet for beta 10.13.2. Latest v5 (17C83a) has same problem. I would expect v6 to be out fast.
This is ridiculous. Heads should roll at Apple. They have really lost sight of the importance of quality control. It seems all they really care about is making the laptops and phones thinner. Who cares if it weighs 1 oz less or if it is 10 mm instead of 11 mm thick?
I have a 2017 MacBook Pro and it constantly overheats and then crashes since there is very little airflow inside. The fans do not run fast enough unless I install a 3rd party fan control app. Same thing for my 2017 iMac.
Apple should focus on quality and simplicity. What happened to step 1, step 2 there is not step 3?
Fixed one thing… and broke file sharing authentication. Too bad they rushed it.
Just came here to add the same experience: can’t log in and see shared folders with my account from another mac.
Seems like a new update is necessary.
Apple’s patch for file sharing:
https://support.apple.com/en-us/HT208317
Many users have reported file sharing has stopped working after installing the bug patch, Apple directions will resolve the problem and we are have discussed it here as well:
https://osxdaily.com/2017/11/29/fix-file-sharing-macos-high-sierra-security-update/
From Apple’s support site to fix file sharing:
If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:
1. Open the Terminal app
2. Type sudo /usr/libexec/configureLocalKDC and press Return.
3. Enter your administrator password and press Return.
4. Quit the Terminal app.