MacOS High Sierra (10.13) security flaw

A security flaw in macOS High Sierra was recently discovered that allows any user to gain administrator access to an affected machine without knowing a valid administrator passphrase.  This access may allow a malicious user to install software, decrypt encrypted drives, or access any files stored on the Mac.

MacOS High Sierra (version 10.13) is the latest release of the Apple operating system for Macintosh workstations such as iMacs, MacBooks and Mac Pros. MacOS Sierra (10.12) is not vulnerable to this issue.  University Systems continues to recommend that users do not upgrade to macOS High Sierra at this time.  High Sierra has not been deployed by University Systems in our computing facilities, nor to clients supported by Desktop Support Services.

Update Nov. 29th: Apple has released security update 2017-001 for High Sierra to address this issue.  University Systems recommends that all High Sierra users apply this update as soon as possible.  More information about this update can be found on Apple's support website:

https://support.apple.com/en-us/HT208315

After applying security update 2017-001, this security flaw can no longer be exploited.  A previous version of this notice contained the following information; however, these steps are only required until security update 2017-001 has been applied:

If you are running High Sierra, you can prevent the exploitation of this flaw by setting a password for the root user on your Mac.  To set this password:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click the lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click the lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility, choose Edit > Change Root Password…
  8. Enter a root password when prompted.

The root password can also be set from the Terminal by an administrator using the command:

sudo passwd -u root
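
To check whether a Mac still needs the root password set, an administrator can run a script like the following; it is an added example, not part of the original notice, and it does not detect whether security update 2017-001 is installed. The function names are hypothetical, and it assumes that dscl prints * as the Password attribute of a root account that has no password set.

```shell
#!/bin/sh
# Added example (not from the original notice): report whether the interim
# root-password mitigation described above still needs to be applied.

# classify_root VERSION PASSWORD_ATTR   (hypothetical helper)
#   VERSION        output of `sw_vers -productVersion`, e.g. "10.13.1"
#   PASSWORD_ATTR  value printed by `dscl . -read /Users/root Password`.
#                  Assumption: "*" (or nothing) means no root password is set.
classify_root() {
    case "$1" in
        10.13|10.13.*) ;;                         # High Sierra: keep checking
        *) echo "not-high-sierra"; return 0 ;;    # e.g. Sierra 10.12
    esac
    case "$2" in
        ""|"*") echo "root-password-unset" ;;     # mitigation not yet applied
        *)      echo "root-password-set" ;;       # a hash exists; the password
                                                  # itself is not verified here
    esac
}

# audit_this_mac   (hypothetical helper)
# Collects the two inputs from the local machine and classifies them.
audit_this_mac() {
    version=$(sw_vers -productVersion) || return 1
    attr=$(dscl . -read /Users/root Password 2>/dev/null |
           awk '/^Password:/ { print $2 }')
    classify_root "$version" "$attr"
}

# Run the live audit only where the macOS tools exist.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    audit_this_mac
fi
```

A result of root-password-unset on High Sierra means the steps above (or security update 2017-001) should be applied.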

If you have any questions about this notice or you require assistance changing the root password on a Mac running High Sierra, please contact the Computer Help Desk.