Connect with us

Hi, what are you looking for?


Identity & Access

Apple Patches Critical Root Access Flaw in macOS

Apple has released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.

Apple has released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.

The flaw was first mentioned on Apple developer forums on November 13 by a user who had been trying to help others solve a macOS issue related to all their admin accounts being turned into regular accounts after updating to High Sierra. However, Apple apparently only learned of it on Tuesday after a Turkish web developer sent a tweet to Apple Support and the press started covering the issue.

Within 24 hours of the tweet, Apple announced that a security update for High Sierra 10.13.1 addresses the vulnerability, which the company tracks as CVE-2017-13872.

Apple has described the flaw as a logic error in the validation of credentials. “An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company said in its advisory.

According to the tech giant, the vulnerability does not affect macOS Sierra 10.12.6 and earlier versions of the operating system.

CVE-2017-13872 can be easily exploited. Access “System Preferences” from the Apple menu and click on any of the categories that require administrator privileges in order to make changes (e.g. Security & Privacy, Users & Groups, Parental Controls). Then click on the lock icon in the bottom left corner of the window and enter the username “root” with any password when prompted. The Enter key or the Unlock button must be hit twice.

Initial reports suggested that the exploit worked by entering the username “root” with a blank password. However, researcher Tom Ervin clarified that the attack works with any password. The password entered becomes the password for the root account, and if the field is left blank there will be no password on the root account.

Advertisement. Scroll to continue reading.

It’s worth noting that the attack is possible only if the root account has not been enabled and a password has not been set for it – Apple has deactivated the root account by default.

Experts pointed out that the attack can be executed remotely if sharing services are enabled. Ervin has published a video showing how to conduct a remote attack:

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...