Apple expeditiously patches embarrassing macOS High Sierra security bug, thereby regaining my trust
I am not a rich man. With that said, when I bought my first-ever Mac computer last year -- a 2016 MacBook Pro with Touch Bar -- parting with that much cash was a very big deal for me. I spent more on this laptop than my first car! Why did I buy it? After being impressed by iOS and liking the way the two operating systems worked together, I decided to use Mac OS X (now macOS) in addition to my favorite Linux distributions. To be honest, I feel more safe on Apple's desktop operating system than on Windows 10. I also like how Tim Cook and company stand up for privacy. In other words, I trusted Apple.
And then yesterday happened. It was revealed that macOS High Sierra had one of the worst security bugs ever. By entering "root" as the username, followed by a blank password, anybody could access any Mac running macOS 10.13.1. As soon as I read about this embarrassing vulnerability, my heart sank. I gave Apple thousands of my hard earned dollars because I valued security and privacy, and I was rewarded with incompetence. Well, I am happy to say that my head is much cooler today, and Apple has regained my trust. Why? Because the company has already patched the bug.
True, it would be better had the bug never popped up, but it is very telling to see how an organization responds to mistakes. Had Apple dragged its feet on this matter for a few days I would have been very upset. However, to have the bug fixed in less than 24 hours after getting widespread attention is very satisfying.
Of course, had Apple read its own support forums, it would have been fixed much sooner. In another embarrassing revelation, it turns out this bug was hiding in plain sight for weeks. Apple clearly has some work to do.
Luckily, installing the fix couldn't be easier. When you visit the Mac App Store, you will see the security update ready to go. To show how serious this bug is, Apple includes a fairly ominous message of "Install this update as soon as possible." Believe it or not, the patch did not even require a reboot.
Apple explains the bug and fix (Security Update 2017-001) below.
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
In a statement given to 9to5Mac, Apple says the following.
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
As you can see, Apple is promising to improve as a result of the failure. In other words, the company is promising to do better as a result. Quite frankly, what else can we ask of Apple? Look, bugs happen. Yes, this one is shockingly bad. But the iPhone-maker fixed the vulnerability very quickly while vowing to harden security moving forward. That is the correct response.
With all of that said, I am hardly an Apple apologist -- the company could easily lose my trust forever if any similar failures come to light in the near future. I am once again happy with my MacBook Pro, but I won't be so forgiving next time.