MacOS 10.13.1 – Root vulnerability allows new ADMIN account without password

Apple is in the process of building an emergency patch to lock down the “root” account where no preset password exists. In certain settings, the “MacOS 10.13.1 Root vulnerability” allows a missing password challenge to be fully worked around. That allows user accounts to be reset, giving full compromise of vulnerable systems. This bug is serious, and we believe Apple will quickly rectify it with an expedient “patch now” update.

The hack is easy to pull off. It can be triggered through the Mac’s System Preferences application when “Users & Groups” is selected and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types “root” as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges on the computer.

Amit Serper, a security researcher with Cybereason, replicated the result and said the bug “is as serious as it gets.”

Hackers are always crafting malware that can gain greater system privileges on a computer. Now they have a new way, which can also be triggered via the Mac’s command line. Imagine a piece of malicious code designed to attack Macs using the same flaw. Users wouldn’t even know they were compromised, Serper said.

WORKAROUND – Allocate and preset a password for the “root” account ahead of time instead of leaving it unset as a null value.