Well, that was fast. Not long after a developer discovered a major flaw in the latest macOS High Sierra that allowed anyone to access a locked device without a password, Apple has released a fix for it. The Cupertino company recently rolled out Security Update 2017-001 and recommends that all users install the update as soon as possible.
According to Apple, the update is available for macOS High Sierra 10.13.1 and does not impact those running macOS Sierra 10.12.6 and earlier. It addresses an issue whereby attackers “may be able to bypass administrator authentication without supplying the administrator’s password”. Once you install this update on your Mac, the build number of macOS will be 17B1002. For those of you who have disabled the root user account on your Mac, you can re-enable it and change the root user’s password after this update.
Yesterday, developer Lemi Ergin discovered a bug in macOS High Sierra. It allowed users to access a locked Mac by entering “root” as the user name and leaving the password field blank. An attacker using this method would have full access to the device, including all the files stored on it, and could even make administrative changes to the Mac. If you are using a device running macOS High Sierra, head to the Mac App Store and install the update right now.
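To confirm that the update actually landed, you can compare the running build against the 17B1002 build number quoted above. The script below is an added example, not something published by Apple or part of the original article; the function name `classify_host` and its result labels are hypothetical, and any version the article does not mention is reported as `unknown`.

```shell
#!/bin/sh
# Classify a Mac using only the facts stated in the article:
#   - macOS Sierra 10.12.6 and earlier: not impacted
#   - macOS High Sierra 10.13.1: build number is 17B1002 once the update is installed
# Any other version is reported as "unknown" because the article does not cover it.

PATCHED_BUILD="17B1002"   # build number quoted in the article

# classify_host VERSION BUILD
# Prints one of: not-impacted, patched, build-mismatch, unknown
# (hypothetical helper name and labels, chosen for this example)
classify_host() {
    version=$1
    build=$2

    # Accept only dotted numeric versions such as 10.13.1.
    case $version in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac

    # Split the version on dots; missing components default to 0.
    old_ifs=$IFS; IFS=.
    set -- $version
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -lt 10 ] ||
       { [ "$major" -eq 10 ] && [ "$minor" -lt 12 ]; } ||
       { [ "$major" -eq 10 ] && [ "$minor" -eq 12 ] && [ "$patch" -le 6 ]; }; then
        echo not-impacted
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 13 ] && [ "$patch" -eq 1 ]; then
        # Same OS version as the advisory: the build number tells the two states apart.
        if [ "$build" = "$PATCHED_BUILD" ]; then
            echo patched
        else
            echo build-mismatch   # build differs from the one the article cites
        fi
    else
        echo unknown
    fi
}

# On a Mac, report the local state; sw_vers is absent on other systems.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    b=$(sw_vers -buildVersion)
    echo "macOS $v ($b): $(classify_host "$v" "$b")"
fi
```

A `build-mismatch` result on 10.13.1 means the build is not the one the article cites, so check the Mac App Store for Security Update 2017-001.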