Apple released an important security update for Mac OS High Sierra (10.13) which allowed anyone to login a Mac running Mac OS High Sierra with administrator rights and without needing a password. Apple also printed bold text with this update (this is the first time this has been noticed with an Apple update – install this update as soon as possible).
To get this update, go to App Store -> Updates.
From Apple’s Website:
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly. Or if you see MRTConfigData 1.27 in the Installations list under Software in System Report, your Mac is also protected.
To confirm that your Mac has Security Update 2017-001:
Open the Terminal app, which is in the Utilities folder of your Applications folder.
Type what /usr/libexec/opendirectoryd and press Return.
If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
* Please use the comment form below to provide feedback. *