This Security Flaw Was So Dire, Apple Is Automatically Updating Macs

Apple’s senior vice president of software engineering Craig Federighi introduces macOS High Sierra during Apple’s 2017 World Wide Developers Conference.


On Tuesday evening, disaster struck Apple when a software developer from Turkey announced that he had uncovered a massive vulnerability in High Sierra, the latest version of the company’s desktop operating system. The “root bug” basically allowed anyone with basic working knowledge of using a computer to log in without a password. Not good.

It must have been a long and intense night for Apple software developers. But as predicted, Apple pushed an update Wednesday morning that fixes the major security vulnerability.

But you don’t have to set a reminder to update your computer as you go to bed. In a short statement accompanying the patch, Apple subtly mentioned something surprising: Because of the risks presented by the root bug, it will silently update anyone running High Sierra (OS 10.13) later today whether they like it or not. It’s an unusual but appropriate measure to counter this flaw in its software.

Apple releases security updates regularly through the App store. But for better or worse, it’s typically up to the user to click “yes” to updating. If you use a Mac, you are probably familiar with clicking the “Remind me tomorrow” button after you get an ill-timed prompt to manually install an update.

This automatic patching feature has been present in OS X for a few years now, but Apple has only used it once before, in 2014, for the network time protocol bug that would’ve allowed hackers to remotely access computers and potentially initiate distributed denial of service (DDoS) attacks. Network time protocol is used for synchronizing clocks on computer systems, and Apple wasn’t the only tech company affected. It pushed the automatic update after the Department of Homeland Security and Carnegie Mellon University issued a warning about the bug. In both cases, using the baked-in silent update was necessary—but hopefully Apple will continue to use it only in cases of emergency. I appreciate Apple letting us choose when to update, even if for a lot of people, that might be never. (It helps that in general, Apple faces fewer security problems than Windows does due to market penetration)

The scary thing about this most recent “root bug” is that you don’t need much technical knowledge to exploit it. Considering Apple is a company that likes to boast about how much it values security and privacy, it’s alarming to know such an accessible bug slipped past during development and the beta stage of High Sierra. Apple’s prompt response might allow us to forgive it for now, but it will need to raise the bar for its development auditing.

Only a few weeks ago, a software update included a patch for an annoying, albeit less serious, bug that autocorrected “i” to “A” with a question mark in a box on some iPhones. While the “I” bug isn’t comparable to this latest “root bug,” both are still major disappointments to Apple fans who remember its old slogan: “It just works.”