Apple has solved a serious security flaw in macOS High Sierra, the latest version of the operating system for Macs, which made it possible to obtain device administration rights without requiring a password. The problem affected only the 10.13.1 edition of macOS, while it did not affect all previous versions, and exposed user data to the possibility of being stolen by anyone with physical access to the computer. The update that fixes the problem can be downloaded from the App Store.
The reports had arrived yesterday afternoon on Twitter, and had been confirmed by Apple: in less than 24 hours the company solved the problem. In the past, Apple had been criticized for reacting too slowly in fixing security problems (which were less serious).
Due to the flaw, computers that are not updated can authenticate themselves as an “administrator system ”and you have all the necessary privileges to view files and change the passwords of other users registered on that device. You can also remove email addresses linked to Apple accounts and modify other sensitive data: again, not remotely but only by having physical access to the computer.
The procedure used to access the administration systems it was incredibly simple, and for this reason it could be exploited by malicious users in the last few days.
Until an update was released, the advice was to set an additional level of security on your Mac with a root password . Thanks to the update made available by Apple it is no longer strictly necessary. The company also released a statement explaining how things went:
Security is a top priority for every Apple product and sadly we stumbled upon this version of macOS.
When our security engineers became aware of the problem on Tuesday afternoon, we immediately began work on an update that closed the security flaw. This morning, starting at 8:00 am, the update is available for download and, starting later in the day, it will automatically install on all systems with the latest version (10.13.1) of macOS High Sierra.
We are very sorry for this error and apologize to all Mac users, both for the release with this vulnerability due to both the concern it caused. Our customers deserve better. We are doing a review of our development processes to prevent this from happening again.
