Nov 29, 2017, Cambridge, UK: Security researchers have recently uncovered a flaw in the latest version of macOS High Sierra. The flaw allows anyone with physical access to the machine to quickly and easily log in as ‘root’, the most powerful user, and get full access to that Mac.
Our internal testing has confirmed that connecting to a Mac via VNC Connect can trigger this flaw in certain circumstances. If a remote attacker supplies any password with their initial root login attempt, that attempt will fail, but the macOS bug means that password is then set as the root password, allowing access on subsequent attempts. This can affect customers with a Professional or Enterprise subscription who are using Mac authentication or Single Sign-on to sign in to their Mac via VNC Connect.
Additionally, once a legitimate user is connected, VNC Connect is designed to make their experience as close as possible to being in front of the computer. Accordingly, any legitimate user connected via VNC Connect could potentially trigger the flaw in macOS in the same way as if they were physically in front of the machine.
It is therefore critical that you install Apple’s security update via the macOS App Store as soon as possible, or if you cannot do that immediately, follow Apple’s advice for securing your Mac, and set a password for your root account. This will prevent anyone from exploiting the macOS vulnerability, whether they have physical or authorized remote access.
In light of all these considerations, RealVNC strongly recommends you disable any sort of remote access on your Mac, including VNC Connect, until you can install the Apple security update or secure the root account.
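The following read-only check is an added example, not RealVNC's or Apple's code, that applies the advice above: it decides whether a High Sierra Mac still needs the root account secured. It assumes that 10.13 and 10.13.1 are the affected releases, that Apple's fix appears in the install history as "Security Update 2017-001", and that a root account which has never been enabled has no AuthenticationAuthority record while an enabled one carries ";ShadowHash;"; verify those assumptions on your own system.

```shell
#!/bin/sh
# Added example (not RealVNC's or Apple's code). Assumptions: affected releases
# are 10.13/10.13.1; the fix is listed as "Security Update 2017-001"; a root
# account that was never enabled has no AuthenticationAuthority record.

# 0 if the macOS version string is an affected release.
affected_version() {
    case "$1" in
        10.13|10.13.0|10.13.1) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the install history text names Apple's fix.
fix_installed() {
    printf '%s\n' "$1" | grep -q 'Security Update 2017-001'
}

# 0 if root's directory record carries a password hash, i.e. root is enabled.
# This cannot tell an admin-set password from one left behind by the bug.
root_enabled() {
    printf '%s\n' "$1" | grep -q 'ShadowHash'
}

# Prints a verdict. Exit 0 = patched or unaffected, 1 = root must be secured
# or remote access disabled, 2 = unpatched but root has a password hash.
assess() {
    if ! affected_version "$1"; then echo "unaffected release $1"; return 0; fi
    if fix_installed "$2"; then echo "Apple's update is installed"; return 0; fi
    if root_enabled "$3"; then
        echo "unpatched; root has a password hash: confirm you set it, then update"
        return 2
    fi
    echo "unpatched and root has no password: set one or disable remote access"
    return 1
}

# Constructed sample inputs so the logic can be exercised off a Mac.
SAMPLE_HISTORY_PATCHED="Security Update 2017-001
  Install Date: 29/11/2017"
SAMPLE_AUTH_DISABLED="No such key: AuthenticationAuthority"
SAMPLE_AUTH_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"

# Live check when run on macOS; otherwise the constructed samples are used.
if command -v sw_vers >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" \
           "$(system_profiler SPInstallHistoryDataType 2>/dev/null)" \
           "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
else
    assess 10.13.1 "$SAMPLE_HISTORY_PATCHED" "$SAMPLE_AUTH_DISABLED"
fi
```

Run it with sudo on the Mac itself; a verdict of 1 or 2 means the machine should stay off remote access until the update is installed or the root password is set by you.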
For more details on the flaw, please see this article or any of the other articles linked in this post.
Updated 29 Nov 2017: An earlier version of this post incorrectly asserted that remote access via VNC Connect did not trigger the flaw. Further internal testing demonstrated that this only applies to root login attempts made with no password.
Updated 01 Dec 2017: Included links to Apple’s security update