Apple issued a patch Wednesday to fix a major flaw that allowed people to gain deep access to computers running its latest operating system without the need for log-in credentials.
Reports of the flaw began circulating Tuesday after security researchers found the vulnerability. The researchers reported it was possible to gain access to a Mac — and its core settings — without having to use its owner's username and password. Instead, a potential hacker could type “root” into the username field of key settings in the system preferences menu without entering the password.
Practically speaking, a hacker would need either physical access or remote access to a Mac to do damage. Many security researchers said this was a glaring oversight that Apple should have caught, particularly given its reputation for high standards and, rightfully or not, for better security than PCs.
Apple issued a statement Wednesday apologizing for the flaw.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” Apple said in the statement. “When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”
The company went on to say it is reviewing its processes to avoid future mistakes. “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
Apple has had a couple of recent and notable flaws with its software, including one last year that allowed hackers to use Siri to bypass iPhone lock screens to view contacts and photos. The firm was also slower than Google to address a widespread security problem caused by WiFi connections in July.
To access the latest update, users should open the App Store, which can be found under the Apple menu on their Macs. From there, click on the “Updates” icon in the toolbar and look for the phrase “Security Update.”
After installing the update, a Mac we tested that had previously been vulnerable to the bug was no longer affected.