Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article

To: dayglored; grey_whiskers
> More than an oversight. This was a systemic failure of the first order.

Oh, I agree. I think someone really screwed up. But who thinks about checking to see if a null password is acceptable when it was not OK before, especially in something as obscure as creating Root user ability? It's one of those things only 1 in ten thousand users ever do and then those only do it once. It is not something a user does repeatedly and it is not something one does on a Mac over and over again to test. It's actually a pain in the rear to undo so one can try again because once the root user is created, password is set and can only be changed.

As you can see above, I finally figured out what is REALLY going on with this "vulnerability." It's not a true coding error that allows the creation of a new root user without a password, it's that someone left their Root User account open with no password and it wound up in the Gold Master.

That's the only thing that meets the criteria of how this "vulnerability" works. . . and the "root" user is in the user list. This isn't "creating" a root user, it's only invoking an already existing root user.

33 posted on 11/28/2017 7:41:34 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)


To: Swordmaker
> ...it is not something one does on a Mac over and over again to test. It's actually a pain in the rear to undo so one can try again...

As dayglored looks up quietly from his work and muses, "Now, if I were creating a backdoor that would slide through QA test, what characteristics would it have to have...?"

Just sayin'... If only 1/10th of 1% -- 1 in a thousand -- Muslims is a terrorist, that's 1,800,000 terrorists in the world.

So if you've got 123,000 employees (as Apple does, per Wikipedia), and only 1/10th of 1% -- 1 in a thousand -- is unscrupulous, in the pay of a competitor or foreign agency, that's 123 employees who might do something that egregious.

35 posted on 11/28/2017 7:58:32 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")