Apple developers have released a fix for the vulnerability in macOS High Sierra that allows anyone to gain administrator rights without entering a password. Security Update 2017-001 began rolling out through the Mac App Store the previous evening.
Some users discovered the root access bug long before the Turkish expert Lemi Orhan wrote about it. It was mentioned on Apple's support forums a few weeks ago. The author of that report was very surprised that the method he described worked at all. To log in to the administrator account, it was enough to enter the user name root, leave the password field empty and press Enter several times (until the login succeeds, ignoring the errors). The vulnerability can also be exploited remotely.
The problem occurs only in new versions of the OS. The fix is available for macOS High Sierra 10.13.1, but not for macOS High Sierra 10.13.2 Beta. Developers and beta testers can protect themselves by setting a strong password for the root user.
Apple patched the security hole in the operating system in less than a day, but the update was clearly prepared in a hurry. After installing it, some users found that folder sharing had stopped working. However, the company quickly reacted to the problem and presented a solution:
Open the Terminal application
Type sudo /usr/libexec/configureLocalKDC on the command line
Enter the administrator password for confirmation