Major security flaw in High Sierra, patched

This week Apple had a very high profile security flaw that made the news. You’ve probably seen the word “root” and High Sierra in a lot of headlines. The story has been developing so quickly that depending on when you read the news you may not have the full story. Here is my version of the problem, which I try to make digestible and non-sensationalized.

Super-short version. There was a bad security flaw in the latest Mac software that would allow someone to override your computer password if they were able to use your computer. In less than 24 hours Apple fixed it. All affected computers that are connected to the internet should have automatically patched themselves by now.

The problem. On Tuesday afternoon news was getting around that High Sierra had a major security flaw allowing someone to override the “root” administrator password in certain circumstances, allowing access to just about anything on the computer. While this wasn’t a huge concern for most home users, as execution usually required physical access to the computer, this was a much larger concern for institutions where the user of the computer was not supposed to have full access to the machine.

Temporary workaround. There was a temporary workaround that involved changing your root password to something else, but that is no longer necessary since Apple released an official fix.

Why this was a big deal. Typically security flaws are exposed to the software developer before the public, so that they have a chance to fix the problem before havoc breaks loose. However, in this case the person who discovered it didn’t know better because he wasn’t a security professional. He posted the problem on Twitter, putting Apple in a difficult position. It was also a big deal because this hack required no special tools or software. It was really easy for anyone to do.

The fix. Midday Wednesday, less than 24 hours after the news broke, Apple released a patch that will automatically install on all machines running macOS 10.13.1 whether you have automatic updates turned on or not. Users who want to make sure the update gets installed immediately rather than during your computer’s daily check-in with Apple’s servers can do so in the Mac App Store. This is only the second time that Apple has invoked this automatic update that disregards the user’s update preferences.

The second fix. As Apple was understandably rushed, they made a small mistake in this patch that broke file sharing in some configurations. Again, this doesn’t affect most home users because file sharing is used mostly on servers. But if you lost file sharing access because of this patch Apple posted a revised fix that rolled out in the same way and should restore access. The new fix also patches computers that are running 10.13 but have not yet updated to 10.13.1.

Does this mean Apple computers aren’t as secure as I thought? In my opinion, no. There have been other similar bugs in other operating systems in the past. Windows will by default often allow a user to run and install any software that affects the whole computer with the click of a button anyway, unlike on Mac where your user password is required. And this was a rather isolated incident that I do believe Apple learned from. I am also impressed with the speed at which they solved the issue and pushed out the update. Software is so complex that it’s impossible to find all of the flaws. The best you can do sometimes is just makes sure that when a flaw is discovered it is handled appropriately.

Protecting yourself if something like this happens again. This may be a good reminder to give yourself a quick security audit. Most home and small business users could have mitigated the problem with these settings which I recommend for most users whether or not this bug happened, especially if you have a portable Mac as they are exposed to more threats:

  • Have a user login password. It may seem inconvenient but if you only have to press “return” when prompted for a password or if you use a really common password like “password” or “apple” anyone could pick up your computer and gain access to all of your files and saved passwords. If you have any sort of sharing turned on it could even allow them to access all of your files and email over WiFi. You can set a password in the Apple menu > System Preferences > Users & Groups, then click the button to “Change Password…”
  • Turn off any unnecessary sharing. If you have sharing turned on you run the risk of allowing someone access to your files over the network without even realizing it happened. This is particularly of concern with portable computers that may not always be on your home network. Go to the Apple menu > System Preferences > Sharing. Turn off anything you don’t absolutely need. Most users need none of these turned on. One that I often see enabled is Printer Sharing as people mistakenly think you need it on to access a wireless printer. On the contrary, this is for sharing a printer you have connected to your Mac with other computers, not for accessing a printer that is on your network.
  • Require a password after sleep. This is particularly important on portable computers that are more easily stolen. Go to the Apple menu > System Preferences > Security & Privacy. Make sure the box is checked to require a password. Depending on your concern for security you could change it to not require the password immediately but on a delay. If you have an Apple Watch and your computer is new enough to have the required radio chips, you also have a box you can check to allow your Apple Watch to unlock your computer. Then your computer will automatically unlock if your Apple Watch is within a few feet.
  • Disable automatic login. With Automatic login on, your computer will log in automatically any time you turn start up. With it off you will be prompted for your password each time you restart. I highly recommend it be set to off, particularly with portable computers. Go to the Apple menu > System Preferences > Users & Groups. Click the padlock icon in the lower left corner and enter your password. Turn Automatic login to “Off”.
  • Display login window as a list of users. If your computer asks you for your username and password when you turn your computer on instead of allowing you to click your name and enter your password, you should probably change it. Go to the Apple menu > System Preferences > Users & Groups > Login Options. Click the padlock in the lower left corner and enter your password. Switch from “Name and password” to “List of users”.
  • Enable FileVault. This wouldn’t have helped with this particular bug, but if you are at all concerned with the security of the files on your computer you should enable FileVault, which is Apple’s disk encryption. Without FileVault anyone who knows what they are doing could easily grab any files on your computer whether or not they have your password. The login password in that case just blocks people from causally picking up your computer and using it. A word of warning though, FileVault is very serious encryption. Depending on how you set it up there may be no way of resetting the password if you forget it. So don’t forget it. And be sure to keep your password somewhere safe in case something unexpected happens to you and you want your family to have access to your files. To enable it go to the Apple menu > System Preferences > Security & Privacy > FileVault. Click the padlock button to unlock the screen and then click the button to enable FileVault.