Apple apologises and fixes security flaw

[Image: Macbooks running the latest software will automatically be updated. Source: Getty Images]

Apple has pushed out an update to fix a major security hole in its Mac operating system, admitting it “stumbled” with its latest software.

The flaw, revealed on Tuesday, made it possible to log in to a Mac without a password and gain full administrator rights.

The latest version of MacOS will automatically download the update.

"We greatly regret this error and we apologise to all Mac users," the firm said.

"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole.

"This morning, as of 8am PT, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of MacOS High Sierra."

It is only the second time Apple has forcibly pushed an update to users' machines, and it comes in response to widespread concern that millions of Mac computers were at risk.

Users running older versions of MacOS will see a notification prompting an upgrade.

"Security is a top priority for every Apple product," the company said.

"And regrettably we stumbled with this release of MacOS."

It added: "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

Disclosure

Attention is now turning to the way in which the bug was made public. The story hit headlines after the flaw was tweeted by Lemi Ergin, a self-described "software craftsman". He was criticised for not adhering to "responsible disclosure" guidelines in security research, whereby companies are given a reasonable amount of time to fix a flaw before it is made public.

However, after coming in for criticism for tweeting the vulnerability, Mr Ergin published a post on Medium defending his decision.

"I am neither a hacker, nor a security specialist," he wrote.

"I solely focus on secure coding practices while programming, but I can never call myself a security specialist."

He said his colleagues at payments firm Iyzico informed Apple about the flaw on 23 November. It had previously been discussed on open Apple support forums on 13 November - though the user there described the issue as more of a feature than a serious bug.

Apple's own statement on Wednesday said the company's security team was not made aware of the problem until 28 November - though it is not clear whether another department at the company knew of it earlier.

The BBC has contacted Apple for clarification.

Follow Dave Lee on Twitter @DaveLeeBBC

You can reach Dave securely through encrypted messaging app Signal on: +1 (628) 400-7370