If you own a Mac, you have probably heard by now that Apple introduced a serious bug into High Sierra by which anybody could log into a Mac using 'root' as the username and no password, and get full access to the system. You may have also heard that Apple released a patch to fix this vulnerability. But have you heard that the bug 'silently' reappears on systems that are subsequently upgraded from 10.13.0 to 10.13.1?
If your Mac was running 10.13.0 when you applied the security patch for the root bug, and you then upgrade to 10.13.1, the bug returns. The current workaround is to reapply the root security patch after the upgrade, then reboot your system.
Finally, we recommend that, no matter which version of High Sierra is installed on your system, after you apply the patch, you test it by logging out of your Mac, then trying to log in with username 'root' and no password. If you are able to log in with those credentials, then we recommend you reboot your system and try again. Make sure that the root bug is fixed, even after applying the patch.
If you have any questions about the patch or the vulnerability discussed here, please contact the CNS Help Desk at https://cns.utexas.edu/help/ (UT EID login required).
Written by CNS OIT staff