Apple security flaw in the latest version of macOS High Sierra

Nov 29, 2017, Cambridge, UK: Security researchers have recently uncovered a security flaw in the latest version of macOS High Sierra. The flaw allows anyone with physical access to the machine to quickly and easily log in as ‘root’, the most privileged account, without knowing any existing password, and so get full control of that Mac.

Our internal testing has confirmed that connecting to a Mac via VNC Connect can trigger this flaw in certain circumstances. If a remote attacker supplies any password with their initial root login attempt, that first attempt fails, but the macOS bug sets the supplied password as the root password, so the same password succeeds on subsequent attempts. The attacker therefore needs no existing credential, only the ability to reach the Mac through VNC Connect. This can affect customers with a Professional or Enterprise subscription who are using Mac authentication or Single Sign-on to sign in to their Mac via VNC Connect.

Additionally, once a legitimate user is connected, VNC Connect is designed to make their experience as close as possible to being in front of the computer. Accordingly, any legitimate user connected via VNC Connect can trigger the flaw in macOS in the same way as someone physically at the machine, and thereby obtain root on a Mac where they were only granted an ordinary account.

It is therefore critical that you install Apple’s security update via the macOS App Store as soon as possible, or, if you cannot do that immediately, follow Apple’s advice for securing your Mac and set a strong password for your root account. Either step prevents anyone from exploiting the macOS vulnerability, whether they have physical access or authorized remote access.

In light of all these considerations, RealVNC strongly recommends you disable any sort of remote access on your Mac, including VNC Connect, until you can install the Apple security update or secure the root account.
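As an added example (not RealVNC’s or Apple’s code), the following POSIX shell script performs the root-account check that the advice above calls for. It assumes that `dscl . -read /Users/root AuthenticationAuthority` marks a disabled root account with a `;DisabledUser;` token and an enabled one with a `;ShadowHash;` token; the sample attribute lines it falls back to when it is not run on a Mac are constructed, and the “treat the Mac as compromised” advice is this editor’s inference from the behaviour described above (an attacker’s first attempt silently sets root’s password), not a statement from the advisory.

```shell
#!/bin/sh
# Added example, not RealVNC's or Apple's code.
# Classify the root account from the AuthenticationAuthority attribute that
# `dscl . -read /Users/root AuthenticationAuthority` prints on macOS.
# Assumption: ";DisabledUser;" marks a disabled root account (no password set,
# the state the High Sierra bug abuses) and ";ShadowHash;" marks an enabled one.

# root_auth_status <attribute text>  -> prints: disabled | enabled | unknown
root_auth_status() {
  case "$1" in
    # DisabledUser is checked first: a record disabled after being enabled may
    # still carry a ShadowHash entry, and it is the disabled flag that matters.
    *DisabledUser*) echo disabled ;;
    *ShadowHash*)   echo enabled ;;
    *)              echo unknown ;;
  esac
}

# advise <status>  -> prints the action that follows from the status
advise() {
  case "$1" in
    disabled) echo "root has no password: install Apple's update, or set one now with: sudo dsenableroot" ;;
    enabled)  echo "root already has a password: confirm you set it yourself; if not, treat this Mac as compromised" ;;
    *)        echo "could not read the root record: inspect it with: sudo dscl . -read /Users/root" ;;
  esac
}

if command -v dscl >/dev/null 2>&1; then
  # Live check on a Mac. dscl returns the attribute in the form
  # "AuthenticationAuthority: ;DisabledUser;" (one line, tokens separated by ';').
  attr=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
  status=$(root_auth_status "$attr")
  echo "root account: $status"
  advise "$status"
else
  # Not on a Mac: exercise the classifier on constructed sample output.
  for sample in "AuthenticationAuthority: ;DisabledUser;" \
                "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>" \
                "No such key: AuthenticationAuthority"; do
    status=$(root_auth_status "$sample")
    echo "$status <- $sample"
  done
fi
```

Run it with `sudo sh root_check.sh` on the Mac so the directory record is readable. `dsenableroot` with no arguments prompts interactively for an administrator’s credentials and the new root password, which avoids putting the password on the command line where other users could see it in the process list.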

For more details on the flaw, please see this article or any of the other articles linked in this post.

Updated 29 Nov 2017: An earlier version of this post incorrectly asserted that remote access via VNC Connect did not trigger the flaw. Further internal testing demonstrated that this only applies to root login attempts with no password.

Updated 01 Dec 2017: Included links to Apple’s security update
