Following the conclusion of the “Gather round” Special Event, Apple posts GM seeds of iOS 12, watchOS 5 and tvOS 12, along with macOS Mojave 11.4 beta 11.
- iOS 12 GM Seed build 16A366
- watchOS 5 GM Seed build 16R364
- tvOS 12 GM Seed build 16J364
One interesting note on macOS Mojave 11.4 beta 11 build 18A389: it is believed to be the Release Candidate or even a GM seed.
Apple will be issuing a Software Update to disable the “root” user, which is inadvertently enabled by default with a blank password in macOS High Sierra.
To disable the “root” user, follow the instructions from Apple or the instructions below:
Disable the root user
Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
Click the Lock, then enter an administrator name and password.
Click Login Options.
Click Join (or Edit).
Click Open Directory Utility.
Click the Lock in the Directory Utility window, then enter an administrator name and password.
From the menu bar in Directory Utility: Choose Edit > Disable Root
In previous incarnations of macOS/OS X/Mac OS X, the “root” user is disabled by default.
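The steps above use the GUI; when many Macs need checking, the same state can be read from Terminal. The script below is an added example, not from Apple or the original post: it classifies the output of `dscl . -read /Users/root Password AuthenticationAuthority`, assuming a disabled root shows `Password: *` with no ShadowHash entry. The function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether the macOS root account is enabled.
# Classifies the text printed by:
#   dscl . -read /Users/root Password AuthenticationAuthority
# Assumption: a disabled root shows "Password: *" and no ShadowHash entry;
# an enabled root carries a ShadowHash entry and a masked password marker.

# Constructed sample records (not captured from a real machine).
SAMPLE_DISABLED='No such key: AuthenticationAuthority
Password: *'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********'

# classify_root_record RECORD -> prints enabled | disabled | unknown
classify_root_record() {
    record=$1
    # Err on the side of flagging: any stored shadow hash counts as enabled.
    case $record in
        *ShadowHash*) echo enabled; return 0 ;;
    esac
    pw=$(printf '%s\n' "$record" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if [ "$pw" = "*" ]; then
        echo disabled            # "*" means no usable password is set
    elif [ -n "$pw" ]; then
        echo enabled             # some password marker is present
    else
        echo unknown             # record missing or unreadable
    fi
}

# Run the check on this machine; prints a notice where dscl is absent.
audit_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only applies to macOS"
        return 0
    fi
    out=$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1) || true
    state=$(classify_root_record "$out")
    echo "root account: $state"
    if [ "$state" = enabled ]; then
        echo "to disable from Terminal: dsenableroot -d"
    fi
    return 0
}

audit_root
```

`dsenableroot -d` prompts for an administrator name and password, like the Directory Utility steps.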
Anyone with physical access to your Mac potentially can reset your password.
As reported by Juli Clover for MacRumors and numerous other sites:
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
We verified that on macOS High Sierra 10.13.1, the “root” user is enabled by default with a blank password. For comparison, OS X El Capitan has the “root” user disabled by default.
We verified that previous versions of macOS/OS X/Mac OS X have the “root” user disabled by default.
This is similar to the enabled-by-default-with-blank-password “administrator” accounts in Windows XP.
With the “root” user enabled by default, a remote attacker can potentially compromise Macs running macOS High Sierra.
Having said all that, anyone with physical access and the right knowledge can reset a local user's password.