Apple Fixed a Serious Flaw in MacOS High Sierra

In the last week of November, Apple was informed of a flaw in MacOS High Sierra. Devices running High Sierra version 10.13.1 allow any person with physical access to the device to log in as the root user without a password. This flaw does not affect devices running MacOS Sierra 10.12.6 and earlier versions.

A Turkish software developer named Lemi Orhan Ergin discovered the vulnerability and disclosed it on Twitter, tweeting at AppleSupport. He found that he was able to log in to a Mac running the latest version of High Sierra using only the username ‘root’. No password was needed: clicking login several times was enough for the system to allow the unauthenticated access.

Within 24 hours of seeing the tweet, Apple fixed the High Sierra vulnerability with a patch that is available as an app on the App Store. The flaw, tracked as CVE-2017-13872, is a logic error in the validation of credentials. Local users can exploit this flaw, but remote exploitation is possible as well when the device is infected by malware. When a remote user gains access to the network with screen sharing enabled, that user can exploit the vulnerability and gain root privileges.

Apple apologized to all Mac users for the error and the problems it caused. The company is reviewing its development processes to make sure this doesn’t happen again. Apple urged Mac users to install Security Update 2017-001 as soon as possible.

To confirm that the patch has been applied, follow these steps:

1. Open the Terminal app in the Utilities folder of the Applications folder.

2. Type: what /usr/libexec/opendirectoryd and press Return.

3. If you see one of the project version numbers below, Security Update 2017-001 was installed successfully.
   opendirectoryd-483.1.5 on macOS High Sierra 10.13
   opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
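
The check in steps 1 to 3 can be scripted so it gives the same answer on every Mac it is run on. The following is an added example, not part of the original article or of Apple's instructions. The function names, result labels and sample output are constructed for illustration, and the PROJECT: field layout of the what output is an assumption.

```sh
#!/bin/sh
# Patched opendirectoryd project versions, taken from step 3 above.
patched_version_for() {
    case "$1" in
        10.13)   echo "opendirectoryd-483.1.5" ;;
        10.13.1) echo "opendirectoryd-483.20.7" ;;
        *)       return 1 ;;   # OS version not in the article's list
    esac
}

# Pull the project version out of `what` output.
# Assumption: the output carries a token PROJECT:opendirectoryd-<version>.
project_from_what() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:\(opendirectoryd-[0-9.]*\).*/\1/p' | head -n 1
}

# check_patch <macOS version> <what output>
# Prints one of: patched, not-confirmed, not-listed, unknown
check_patch() {
    expected=$(patched_version_for "$1") || { echo "not-listed"; return 0; }
    found=$(project_from_what "$2")
    [ -n "$found" ] || { echo "unknown"; return 0; }   # output not parseable
    if [ "$found" = "$expected" ]; then
        echo "patched"
    else
        echo "not-confirmed"   # version differs from the one listed for this OS
    fi
}

# Constructed sample of `what /usr/libexec/opendirectoryd` output (not captured).
SAMPLE_WHAT='/usr/libexec/opendirectoryd
	PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'

# On a Mac, check the live system; elsewhere this branch is skipped.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    check_patch "$(sw_vers -productVersion)" "$(what /usr/libexec/opendirectoryd)"
fi
```

A result of not-confirmed or unknown means the machine should be checked by hand and Security Update 2017-001 installed if it is missing.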

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/