Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.

Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claim the problem has been addressed "with improved credential validation."

Apple shared the following statement with Ars:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS. When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8am, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

There was a way for users to protect themselves before the update rolled out; we covered that and the specifics of the bug in detail yesterday. Essentially, it involved taking steps to secure the root account with a strong password. With this update ultimately installing automatically on affected systems, no further action should be required from general users.

Update: We've now learned that this security update causes problems with file sharing for some users. Apple has provided a workaround on its support site for now:

If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:

Open the Terminal app, which is in the Utilities folder of your Applications folder.

Type sudo /usr/libexec/configureLocalKDC and press Return.

Enter your administrator password and press Return.

Quit the Terminal app.

Update 2: Apple has released a new version of the security update that reportedly addresses the file sharing problem.

Update 3: A Wired story reports that some users who have recently updated to macOS High Sierra 10.13.1 discovered that installing that update undid the security update that addressed the root bug. They can reinstall the security update after moving to 10.13.1, but it requires a reboot to take effect at that point—without warning from Apple that a reboot is required. We've published a new story on this development.