A major bug has been found in macOS High Sierra that can give an unauthorized user full administrative access to a Mac without a password. When creating a root account, users are prompted to enter administrative credentials for a privileged action. On affected systems the user can simply enter “root” as the username in the authentication dialog, and no password is required before the root account is created. Once the account exists, a threat actor can gain full control of the computer, either locally or remotely.
Apple recently released a patch (addressed in Security Update 2017-001) and encourages all macOS High Sierra users to install it immediately. The patch can be downloaded here: https://support.apple.com/en-us/HT208315. If you require the root user account on your Mac, you will need to re-enable the root user and change the root user’s password after this update.
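The advice above leaves an administrator with one question to settle on each Mac: is the root account currently enabled, and if so, has a password been set on it? The following audit helper is an added example, not part of the original advisory or any Apple tool. It relies on real macOS Directory Services behaviour (the `dscl` command, the `AuthenticationAuthority` attribute and the `No such key` message printed when root was never enabled); the `SAMPLE_*` strings are constructed stand-ins for `dscl` output so the parser can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original advisory): report whether the local
# root account is enabled, the state the page says to revisit after installing
# Security Update 2017-001 (re-enable root only if needed, then set a password).

# classify_root_state: read `dscl . -read /Users/root AuthenticationAuthority`
# output on stdin and print one word:
#   disabled -> root has never been enabled (the default on a fresh install)
#   enabled  -> root is enabled; confirm a strong password was set on it
#   unknown  -> output not recognised; review the host manually
classify_root_state() {
    out=$(cat)
    case "$out" in
        *"No such key: AuthenticationAuthority"*)        echo disabled ;;
        *"AuthenticationAuthority:"*";ShadowHash;"*)     echo enabled ;;
        *)                                               echo unknown ;;
    esac
}

# audit_local_root: run the real query on a Mac. Prints the classification
# together with the macOS version and build, and exits non-zero when root is
# enabled so a fleet-management job can flag the host for follow-up.
audit_local_root() {
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_state)
    echo "root account: $state (macOS $(sw_vers -productVersion), build $(sw_vers -buildVersion))"
    [ "$state" = "disabled" ]
}

# Constructed sample outputs (the hash material below is a placeholder, not
# real dscl data) so the classifier can be checked without a Mac.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.PLACEHOLDER;LKDC:SHA1.PLACEHOLDER;'

# check_samples: succeeds only if both constructed samples classify as expected.
check_samples() {
    [ "$(printf '%s\n' "$SAMPLE_DISABLED" | classify_root_state)" = disabled ] &&
    [ "$(printf '%s\n' "$SAMPLE_ENABLED" | classify_root_state)" = enabled ]
}

# Only query Directory Services when actually running on macOS.
case "$(uname -s)" in
    Darwin) audit_local_root || true ;;
esac
```

Run it as an ordinary user; reading the root record's attributes does not require privileges, and a result of `enabled` is the cue to verify that a password was set after the update.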