Hey –
Just wanted to give a heads up that anyone who is one of our support customers can sleep soundly tonight.
Within minutes of reading the breaking news of today’s “Root” vulnerability, we had automagically patched all of the “Pro” and “Total” support customers’ machines that were exposed to the vulnerability.
Want some numbers? Ok. Across our fleet of Pro and Total Support users (about 300ish), only 6 machines were vulnerable (2 of them were in our test lab). And by 4:00 pm today, we had tested and pushed out a fix to all 6.
Why only 6 when we have 100s under care? Well, that’s because we carefully manage macOS and system updates, and except in extreme cases, we have been actively blocking user installs of macOS 10.13 High Sierra.
How bad is this vulnerability? It’s bad, but someone would need to have access to your computer to do harm. We imagine that Apple will fix it quickly. And likely silently without user intervention.
Of the 300+ users that are on our Basic support plan, about 20 of them had been ignoring our “hold off on upgrading” warnings. Those users had emails in their inboxes within an hour or so that described the steps they needed to take to secure their machines.
Want some more info on the vulnerability?
Here’s what Apple had to say…
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
From AppleInsider
“Discovered earlier today, the flaw allows anyone to log in under a Mac’s “root” System Administrator without the need for a password. In practice, the exploit merely requires access to System Preferences, and can be performed in a matter of seconds. Nefarious users can also exploit the bug to bypass a Mac’s lock screen.
Beyond those who have direct access to a vulnerable Mac, the security hole also works remotely in certain scenarios where screen sharing, remote access or VNC sessions are enabled. Users should disable those features until Apple’s update arrives.
As AppleInsider reported when the vulnerability was first aired today, macOS High Sierra users can prevent unauthorized Mac access by disabling the Root User under System Preferences. Alternatively, and as Apple suggests, users can enable the Root account and set a password.
Apple failed to provide a release timeline, but considering the bug impacts system-level directories and is relatively easy to exploit, a software update should be out soon.”