Apple’s macOS High Sierra root password bug is pretty serious, and if you update to version 10.13.1 from 10.13 after installing the patch you may undo the security fix. Here’s how to make sure you’re really protected from the bug.

The macOS High Sierra root password bug is a pretty serious security flaw because it lets anyone log into your Mac as the root user without a password. Anyone logged in as root has access to everything on the computer, can add and remove software without restrictions, and can delete user accounts.

Apple fixed the security flaw with the Security Update 2017-001 patch, but apparently hasn’t replaced its macOS High Sierra 10.13.1 updater to include it. The end result is if you install the patch while running macOS 10.13, and then update to 10.13.1, you can reintroduce the security flaw.

Here’s how to verify if the security patch is installed on your Mac after updating to macOS High Sierra 10.13.1:

  • Go to the Utilities folder in Applications and launch Terminal
  • Enter this command, then press Return: what /usr/libexec/opendirectoryd
  • If the security patch is installed Terminal will respond with opendirectoryd-483.20.7

Good news! Security Update 2017-001 is installed on my Mac.

If you see a lower number the security update isn’t in place. To reinstall Security Update 2017-001 in macOS High Sierra 10.13.1 go to Apple menu > Software Update and look to see if the updater is listed. If so, install it right away.

If you don’t see the security patch in Software Update, go to Apple’s webpage for the security update and download it from there. You’ll need to double-click the installer after downloading so it can patch macOS High Sierra for you.
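
The version check above as a script, useful when several Macs need checking. This is an added example, not code from the article or from Apple. It applies the article's rule for macOS High Sierra 10.13.1 (opendirectoryd-483.20.7 or higher counts as patched); the function names, the `--live` flag and the sample string are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Apple): scripted form of the
# `what /usr/libexec/opendirectoryd` check for macOS High Sierra 10.13.1.

PATCHED_BUILD="483.20.7"   # patched build named in the article

# Pull the dotted build number out of `what` output, e.g. "483.20.7".
extract_build() {
    printf '%s\n' "$1" | grep -oE 'opendirectoryd-[0-9]+(\.[0-9]+)*' |
        head -n 1 | sed 's/^opendirectoryd-//'
}

# Return 0 if dotted version $1 >= $2. Fields are compared as integers,
# because a string compare would rank 483.3 above 483.20.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        # Drop the field just read; empty once the last field is consumed.
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Print a verdict for `what` output. Returns 0 patched, 1 not patched,
# 2 if no build string was found (treat as "needs a manual look").
check_patch() {
    build=$(extract_build "$1")
    if [ -z "$build" ]; then
        echo "UNKNOWN: no opendirectoryd build string found"
        return 2
    fi
    if version_ge "$build" "$PATCHED_BUILD"; then
        echo "PATCHED: opendirectoryd-$build"
        return 0
    fi
    echo "NOT PATCHED: opendirectoryd-$build is lower than $PATCHED_BUILD"
    return 1
}

# Constructed sample of `what` output, used when --live is not given.
SAMPLE='PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'
if [ "${1:-}" = "--live" ]; then
    check_patch "$(what /usr/libexec/opendirectoryd)"
else
    check_patch "$SAMPLE"
fi
```

Run it with `--live` on the Mac being checked; an exit status of 1 means the build is lower than the patched one and Security Update 2017-001 should be reinstalled as described above.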

4 Comments
geoduck

I normally don’t wish ill on anyone…but, The people in charge of OSs and Software need to have some very tense meetings. Someone from on high needs to land on the whole department with both feet. This kind of a FU is simply not acceptable. Certainly not for a company that prides itself on protecting customer data the way Apple does. If one of the programmers where I work blew it this bad they’d get their walking papers, and I work for a small company. It’s even worse for the OS of a major hardware company like Apple. If it…

Macfox

Totally agree!

furbies

+1

wab95

Apple fixed the security flaw with the Security Update 2017-001 patch, but apparently hasn’t replaced its macOS High Sierra 10.13.1 updater to include it. The end result is if you install the patch while running macOS 10.13, and then update to 10.13.1, you can reintroduce the security flaw.

Jeff:

As I’m sure you’re aware, this is a pretty serious assertion. Is this merely cautionary speculation, or do we know that Apple have definitely not incorporated the security patch into the OS update?

If it’s the latter, then this would qualify as SUSFU.