Update 12/1/2017: A Wired report states that users of macOS 10.13 High Sierra who installed the root security update will need to reinstall the update and restart the Mac if the operating system is upgraded to macOS 10.13.1 High Sierra. Apple has details in a support document to see if the update has properly installed.
Update 11/29/17: Apple has released an official fix for the issue via a security update. You can install the update by launching the App Store app, and then click on Updates. Press Command-R to reload the Updates page to see new updates. It will appear as “Security Update,” and you can click on the Update button to install it. Your Mac does not need to restart.
If you have problems with file sharing after installing the update, here are instructions on repairing file sharing.
Apple issued the following statement to Macworld:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
On Tuesday, a macOS 10.13.1 security issue was revealed—a flaw that allows root access to a Mac without the need for a password. Developer Lemi Orhan Ergin tweeted that anyone can log into a Mac by entering the user name
root without a password. The first time you try to login, it won’t work. But if you try it again, you will be granted access. Here’s Erign’s tweet:
As Apple’s support document notes,
root is a “superuser” that grants access to areas of the system that are often used by system administrators.
At Macworld, we tried it on our own MacBook Pro running macOS 10.13.1, and the root login worked. See the video below.
This issue seemed to work only after you are logged into a Mac under a different user name. I wasn’t able to use
root and no password at the Mac’s user login screen that appears at startup.