ALERT!! – Major Security Flaw Discovered in Mac OS X High Sierra (10.13.x)
I was originally going to blog with instructions on creating a macOS X High Sierra boot USB with utility partition, but decided to blog instead about the MAJOR security flaw that was discovered in Mac OSX High Sierra (10.13.x). If you have not enabled your root account and set a password on it, someone may authenticate as the root user without providing a password.
Additionally, if you have the Login Option ‘Display login window as: Name and password’ selected, an unauthorized person may be able to bypass the lock screen, logging into your system as the ‘root’ user! To make this even more scary, once the exploit has been used, it leaves the root user enabled (if it was previously disabled) with no password assigned, leaving the system open to future attacks both at the computer and possibly remotely.
Apple released an update on November 30th that should already have installed with no user intervention required. If for whatever reason you are not able to install the patch for this security flaw, you may temporarily secure your system by enabling the root account and assigning a strong password (see below for instructions).
There is a caveat you should be aware of.
The security patch affects ALL versions of High Sierra, so it will be installed even if you are still running macOS X 10.13. However, when you update to 10.13.1, the patch will be removed and your system will be vulnerable again.
To verify that you have the patch installed:
Open Terminal.app.
At your shell prompt, type:
$ what /usr/libexec/opendirectoryd
If you see the following output, you have the security patch installed.
PROGRAM:opendirectoryd
PROJECT:opendirectoryd-483.20.7 <FOR OSX 10.13.2>
PROJECT:opendirectoryd-483.1.5 <FOR OSX 10.13>
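The check above can be scripted so it is easy to re-run after every OS update, since the patch can be removed by an upgrade. This is an added example, not part of the original post: the function name and the result labels are assumptions, the two build strings are the ones quoted above, and the sample inputs are constructed.

```shell
# Classify the output of `what /usr/libexec/opendirectoryd` against the
# two patched build strings quoted in this post.
PATCHED_BUILDS="opendirectoryd-483.20.7 opendirectoryd-483.1.5"

# classify_what_output (hypothetical helper): reads `what` output on stdin
# and prints one of:
#   patched     PROJECT value is one of the builds listed in the post
#   not-listed  PROJECT value found, but it is not one of those builds
#               (unpatched, or a release the post does not cover)
#   unknown     no PROJECT value found (wrong file or unexpected format)
classify_what_output() {
    # PROJECT: may share a line with PROGRAM:, so match it anywhere.
    project=$(sed -n 's/.*PROJECT:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    if [ -z "$project" ]; then
        echo unknown
        return 0
    fi
    for build in $PATCHED_BUILDS; do
        if [ "$project" = "$build" ]; then
            echo patched
            return 0
        fi
    done
    echo not-listed
}

# Constructed sample inputs (not captured from a real system).
sample_patched() {
    printf '/usr/libexec/opendirectoryd\n\t PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7\n'
}
sample_other() {
    printf '/usr/libexec/opendirectoryd\n\t PROGRAM:opendirectoryd  PROJECT:opendirectoryd-000.0.0\n'
}

# On a Mac, classify the live binary; on other systems this is skipped.
if command -v what >/dev/null 2>&1 && [ -e /usr/libexec/opendirectoryd ]; then
    echo "opendirectoryd: $(what /usr/libexec/opendirectoryd | classify_what_output)"
fi
```

A result of `not-listed` does not by itself mean the system is vulnerable; it means the build string has to be compared against Apple's notes for that release.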
Another thing to be aware of: the security patch will disable the root user account. If it was enabled prior to the patch, you will need to re-enable it. I find it ironic that one of the things the patch does is disable the one thing that prevented this flaw to begin with: having the root account enabled with a password set.
To Enable/Re-Enable Root User
- System Preferences > Users & Groups.
- Click the lock icon and authenticate as a privileged user.
- Click the ‘Login Options’ button.
- Click the ‘Edit…’ button to the right of Network Account Server:
- Click Open Directory Utility.
- Click the lock icon and authenticate as a privileged user.
- Click Edit > Enable Root User.
- Enter a strong password:
  - 8-15 characters.
  - Containing at least 1 capital letter.
  - Containing at least 1 numeric character.
  - Containing at least 1 special character.
  - Do not use names, birthdays, or dates/places of special events.
- Close the windows that were opened.
Hopefully this patch will be included in the 10.13.2 update whenever it comes out!
If you have any comments or questions about this blog or macOS X in general please stop by our forums at www.catracing.org/forum.
Thanks for following Brent’s World!