Dangerous Bug Puts Apple MacOS High Sierra Devices at Risk
By Shirley Siluk / Enterprise Security Today
PUBLISHED: NOVEMBER 29, 2017
A huge security issue with Apple's most recent operating system update for Mac allows anyone to log into devices running the OS without a password. The vulnerability was reported yesterday by a software developer on Twitter.

The macOS High Sierra bug was discovered last week by a member of the infrastructure staff at iyzico, a Turkish payment management platform provider, according to Lemi Orhan Ergin, a "software craftsman" at the company. Ergin said staff members reported the vulnerability to Apple on Nov. 23, and he disclosed the flaw publicly in a tweet on Tuesday.

Anyone running macOS High Sierra can resolve the issue quickly with a "simple fix," security writer Brian Krebs noted yesterday: "Change the root account's password now."

One of Apple's 'Most Embarrassing Vulnerabilities'

News of a vulnerability that opens up password-free root access to any Mac device running High Sierra shocked many users and security experts.

"The Mac OS High Sierra 'root' user bug is insane... just tried it for myself & cannot believe it actually worked," tweeted programmer William LeGate. "I can't think of anything worse that has been shipped by a major operating system in the past decade."

Forbes writer Thomas Fox-Brewster wrote yesterday that the bug "may go down as one of the most embarrassing vulnerabilities in Apple history."

One small bright spot may be that the vulnerability requires local access and appears difficult, though not impossible, to exploit remotely. This led multimedia developer Greg Edwards to tweet, "Are you running Mac OS High Sierra, and if so, when will you be away from your desk for 10-15 minutes today?"

"We are working on a software update to address this issue," Apple said in a statement to news outlets. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Reactions to Bug 'Like a Blast'

In a Medium post today, Ergin said his Twitter disclosure about the Mac bug was met with "many reactions like a blast." He added that his intent with yesterday's tweet wasn't to harm Apple or Apple users, but to "warn Apple and say 'there is a serious security issue in High Sierra, be aware of it and fix it.'"

While Ergin's disclosure has received widespread attention, the bug was actually reported earlier this month in an Apple Developer Forum thread about macOS High Sierra. A user responding to a question about creating an admin account in the operating system noted on Nov. 13 that one solution was to log in at startup with the username "root" and an empty password.

"Oh my god that should not work but it does," another user responded yesterday on the forum. "This is really REALLY bad. Some bug in authentication is ENABLING root with no password the first time it fails!"

Several experts have lambasted Apple for allowing the vulnerability in the first place.

"This is pretty bad of Apple," noted security writer Graham Cluley, who also took the company to task two months ago for another macOS High Sierra bug that displayed a user's password in plaintext upon clicking the "Show Hint" button.

In the case of a fix for this latest vulnerability, "I would imagine [Apple] will be pushing it out as a high priority," Cluley said. When that happens, "Make sure to update your Macs and MacBooks at your earliest opportunity after it is released," he added.

Image credit: Apple.
