{"id":10657,"date":"2017-11-29T10:30:12","date_gmt":"2017-11-29T18:30:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/29\/news-4429\/"},"modified":"2017-11-29T10:30:12","modified_gmt":"2017-11-29T18:30:12","slug":"news-4429","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/29\/news-4429\/","title":{"rendered":"What to do about Apple\u2019s shameful Mac security flaw (updated)"},"content":{"rendered":"

<\/p>\n

Credit to Author: Jonny Evans| Date: Wed, 29 Nov 2017 04:13:00 -0800<\/strong><\/p>\n

Complacency and incompetence are the biggest computer security threats, and Apple\u2019s latest Mac security flaw seems to combine both of these. The flaw means anyone with physical access to your Mac can get inside the machine and tinker with it.<\/p>\n

UPDATE <\/strong>(29\u00a0November \u00a09:30am PDT)<\/em>:<\/strong> Apple has issued an apology and a patch to rectify this problem, more details here<\/a>.<\/p>\n

The problem (which first got disclosed here<\/a>) was first revealed in a Tweet by Lemi Orhan Ergin, who wrote:<\/p>\n

Dear @AppleSupport<\/a>, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple<\/a>?<\/p>\n

You read that right.<\/p>\n

Any Mac running macOS High Sierra is vulnerable to this problem. Anyone with access to your Mac can launch it, enter the word root as the User ID and hit return, while leaving the password field blank. You\u2019ll be denied entry initially, but after a few tries you will get in.<\/p>\n

Multiple people tested this successfully.<\/p>\n

Just tested the apple root login bug. You can log in as root even after the machi was rebooted pic.twitter.com\/fTHZ7nkcUp<\/a><\/p>\n

I urge you not to test it yourself<\/a>, but I suggest you take immediate steps to patch the problem as detailed below.<\/p>\n

The problem is that once you have penetrated the Mac as a root \u201csuperuser\u201d you are able to get inside System Preferences to make other changes, install software, and access files inside other user accounts.<\/p>\n

As Apple puts it:<\/p>\n

\u201cThe user account named \u201droot\u201d\u00a0is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts.\u201d<\/p>\n

This is a monumental error.<\/p>\n

It also seems completely avoidable \u2014 it\u2019s not as if every hacker anywhere doesn\u2019t use the word \u201croot\u201d in an attempt to penetrate security.<\/p>\n

The only way Apple\u2019s engineers might have improved on this (i.e. made it worse) is if they had used the password \u2018123456\u2019.<\/p>\n

The existence of the problem is shameful. Why does it exist and who is responsible?<\/p>\n

An Apple spokesman told me:<\/p>\n

\u201cWe are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here<\/a>. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the \u2018Change the root password\u2019 section.\u201d<\/p>\n

When you read the document, you will learn that root is a superuser account that is disabled by default on most systems.<\/p>\n

However, this flaw undermines that and lets you access a Mac as a root user. And the best way to protect yourself and plug this flaw is to create a genuine root user account and set a password that you control.<\/p>\n

From Apple Support<\/a>:<\/p>\n

\u201cEnable or disable the root user<\/strong><\/p>\n

It is also possible to check and secure against this flaw using Terminal, as explained here<\/a>.<\/p>\n

The bug does not affect previous versions of macOS, including Sierra, El Capitan or older.<\/p>\n

The scale of the flaw was best expressed by Edward Snowden, who wrote<\/a>:<\/p>\n

\u201cImagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key.\u201d<\/p>\n

I\u2019m flabbergasted this flaw even exists. I see it as an absolute nadir for Apple security. The problem impacts millions of machines. I\u2019ll be updating the Mac security guide here<\/a>, but I urge all High Sierra users to apply this fix immediately.<\/p>\n

Google+?<\/strong>\u00a0If you use social media and happen to be a Google+ user, why not\u00a0join\u00a0AppleHolic’s Kool Aid Corner community<\/a>\u00a0and get involved with the conversation as we pursue the spirit of the New Model Apple?<\/p>\n

Got a story? Please\u00a0<\/strong>drop me a line via Twitter<\/a>\u00a0and let me know. I’d like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.<\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Jonny Evans| Date: Wed, 29 Nov 2017 04:13:00 -0800<\/strong><\/p>\n

\n
\n

Complacency and incompetence are the biggest computer security threats, and Apple\u2019s latest Mac security flaw seems to combine both of these. The flaw means anyone with physical access to your Mac can get inside the machine and tinker with it.<\/p>\n

UPDATE <\/strong>(29\u00a0November \u00a09:30am PDT)<\/em>:<\/strong> Apple has issued an apology and a patch to rectify this problem, more details here<\/a>.<\/p>\n

What\u2019s the problem with macOS High Sierra?<\/h2>\n

The problem (which first got disclosed here<\/a>) was first revealed in a Tweet by Lemi Orhan Ergin, who wrote:<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11078,11271,714],"class_list":["post-10657","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple-mac","tag-operating-systems","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10657"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10657\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10657"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}