How to fix the massive macOS root security bug

Although Apple does run a bug bounty program, offering rewards of up to US$200,000, it is invitation-only, unlike the wide-open programs run by Microsoft, Google and others. The good news is that it's simple to patch this hole right now, without waiting for a software update from Apple.

Once someone has root access, there are basically no limits on what they can do.

That's the bad news.

This is a critical bug that allows anyone on a Mac to log in and change the admin settings using just the username "root" with no password. On affected machines, a person can log in to the administrator account by simply entering "root" as the username with no password.

The level of unbridled access this security hole permits, and the fact that it was abruptly made public, will almost certainly prompt Apple to move fast in releasing an update for its Mac operating system. One Twitter user confirmed that the vulnerability works over a piece of software called VNC, or even through Apple's own Remote Desktop software. "It's probably a good time to confirm your firewall is up, and on stealth block."

This is all an attacker needs, because with a few clicks they can create a root account that they could use at a later time to access the vulnerable device.

As Apple advised, for now the best workaround is to enable the root account and keep it enabled with a password of your choice. Open System Preferences and click on the "Users & Groups" menu. Click on the lock in the lower left of the menu to make changes.

Users can click on the login options button, then select the join network account server option.

Click in the Directory Utility window, then enter an administrator name and password.

After signing in as a guest, it was possible to change security settings and install apps and software updates from the Mac App Store, just by typing the user name "root".
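To confirm that the workaround above is in place on a given Mac, the script below reports whether the root account is enabled. It is an added example, not code from the article or from Apple. It assumes that an enabled root account carries an `AuthenticationAuthority` attribute in the output of `dscl . -read /Users/root` and a disabled one does not; the function names are hypothetical and the sample records are constructed.

```shell
#!/bin/sh
# Report whether the macOS root account is enabled (the workaround state).
# Assumption: an enabled root account carries an AuthenticationAuthority
# attribute in its local directory record; a disabled one does not.

# classify_root_record (hypothetical helper): reads the text of
# `dscl . -read /Users/root` on stdin, prints enabled/disabled/unknown.
classify_root_record() {
    record=$(cat)
    if [ -z "$record" ]; then
        echo unknown            # dscl failed or returned nothing
    elif printf '%s\n' "$record" | grep -q '^AuthenticationAuthority:'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample records, trimmed to a few attributes.
sample_disabled() {
    printf '%s\n' 'NFSHomeDirectory: /var/root' 'Password: *' \
        'RecordName: root' 'UniqueID: 0' 'UserShell: /bin/sh'
}
sample_enabled() {
    printf '%s\n' \
        'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' \
        'NFSHomeDirectory: /var/root' 'Password: ********' \
        'RecordName: root' 'UniqueID: 0' 'UserShell: /bin/sh'
}

# check_root: query the live record; only meaningful on macOS.
check_root() {
    state=$(dscl . -read /Users/root 2>/dev/null | classify_root_record)
    case "$state" in
        enabled)  echo "root is enabled: workaround state" ;;
        disabled) echo "root is disabled: workaround not applied" ;;
        *)        echo "could not read the /Users/root record" ;;
    esac
}

if [ "$(uname -s)" = "Darwin" ]; then
    check_root
else
    echo "not macOS; samples: $(sample_disabled | classify_root_record)," \
         "$(sample_enabled | classify_root_record)"
fi
```

An "enabled" result shows only that a root credential exists, not that the password is the one you chose, so set the password yourself as described above.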
