I must admit I'd forgotten that root has to be specifically enabled... I've never needed it.

I've always managed with sudo, and (not being particularly proficient at a Unix prompt) I'm very wary even of that

It's a bit ironic that they missed this one but (in Sierra) removed ftp because it was insecure...

Pretty much. An unencrypted system is vulnerable. More at 10.

Fixed.

Available in the App Store, no re-start required.

In reference to www.engadget.com/2017/11/29/apple-fixes-macos-root-access-bug/:

It didn't take long for Apple to patch that nasty macOS High Sierra flaw that let intruders gain full administrator access (aka root) on your system. The company has released Security Update 2017-001, which should prevent people from gaining control over a Mac just by putting "root" in the username and hitting the Return key a few times. Needless to say, you'll want to apply this fix as soon as you can if you're running Apple's latest desktop OS.

If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

Edited by micksharpe (Wed 29-Nov-17 17:35:10)

In reply to a post by micksharpe:

If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

An alternative interpretation is that MS security is [censored]

It's the first security-only update this year but there have been several general OS updates in 2017. I can't remember if any included security updates as well, they probably did. I can't tell from the update history.


eta- iirc the update from 10.13 to 10.13.1 included the KRACK update, for example.

Edited by billford (Wed 29-Nov-17 17:57:18)

In reply to a post by billford:

An alternative interpretation is that MS security is [censored]

High Sierra is relatively recent.

Contrary to popular belief, security updates are - IMO - a good thing.

Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222

An explanation here of exactly what went wrong: http://www.theregister.co.uk/2017/11/29/apple_macos_...

I have to revise my opinion - this was a bug in the OS, not just a misconfiguration of the defaults.

In reply to a post by micksharpe:

If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!

In reply to a post by TinyMongomery:

Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222

From TM's Link:- for iOS-11 (which was initially released at the end of September), there have ALREADY been 6 Security Updates!!

Not quite up to Microsoft's "Every-Week", but nearly!!

In reply to a post by Jay_Jay:

I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!

All companies get it wrong periodically... OS X Snow Leopard was great, Lion was less highly regarded, Mountain Lion wasn't bad, Mavericks had it's problems I believe, ditto Yosemite (I skipped those two), Sierra seemed OK, I'm not convinced about High Sierra.

Similar for Windows- the upgrade from XP to Vista wasn't universally recommended... that's about when I switched to Macs so can't comment on later versions. Even back in the days of DOS, there was a tendency to skip the even-numbered versions

IOS 11 seems to be another victim of this trait... I've stayed on IOS 10, I'll see what 12 looks like