Apple Must Fix Its Embarrassing Password Bug

A newly-discovered flaw in macOS High Sierra, Apple’s latest iteration of its operating system, allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. 

Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.


Apple has said it is working to fix a serious bug within its Mac operating system.  The flaw in MacOS High Sierra, the most recent version, makes it possible to gain entry to the machine without a password, and also have access to powerful administrator rights. “We are working on a software update to address this issue,” Apple said in a statement. 

The bug was discovered by Turkish developer Lemi Ergin. He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine. 

Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals. Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public. 

Apple would not confirm or deny whether it knew about the flaw beforehand. However, flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat.

The Exploit
Considering, the power it gives, the bug is remarkably simple, described by security experts as a "howler" and "embarrassing". Those with root access can do more than a normal user, such as read and write the files of other accounts on the same machine. A super user could also delete crucial system files, rendering the computer useless - or install malware that typical security software would find hard to detect. 

Typically, the bug cannot be exploited remotely, meaning for most users the threat only exists if a malicious person has physical access to the machine. That said, if remote access has been granted to the computer for some other reason, such as offering tech support, then the flaw could be executed using that connection.

The timing of the disclosure presents a major issue to Apple as it now must hurriedly put in place a fix before the vulnerability can be exploited by criminals. 

"Haste and security don’t make good bedfellows,” said Prof Alan Woodward from the University of Surrey
"They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it."
While Apple works on its fix, it offered a workaround for users concerned about the bug. “Setting a root password prevents unauthorised access to your Mac,” the company explained. "To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. 

"If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

For those not confident enough to change system settings like this, security experts advise simply - don't let your Mac out of your sight, and be sure to apply the system update when prompted.

Krebs On Security:        BBC

You Might Also Read: 

The Death of the Password Is Upon Us:

Apple's Driverless Cars:

Is Apple Abandoning Macs?:

 

« N. Korea Is Ready For Global Cyber Conflict
Cyber Criminals Stealing Reward Points & Air-Miles »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

World Privacy Forum (WPF)

World Privacy Forum (WPF)

The World Privacy Forum is a non-profit public interest research group that focuses on privacy and technology issues.

DKCERT

DKCERT

DKCERT (Danish Computer Security Incident Response Team) is a service of DeIC (Danish e-Infrastructure Cooperation).

Optimum Insurance

Optimum Insurance

Optimum's Cyber Risk & Data Protection Insurance policies are designed to protect against cyber exposures that arise when a company’s data and customer information is breached or stolen.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

PETRAS IoT Hub

PETRAS IoT Hub

PETRAS is a consortium of 12 research institutions and the world’s largest socio-technical research centre focused on the future implementation of the IoT.

Bufferzone Security

Bufferzone Security

Bufferzone is a patented containment solution that defends endpoints against advanced malware and zero-day attacks while maximizing user and IT productivity.

Learn How To Become

Learn How To Become

At LearnHowToBecome.org, our mission is to help any job-seeker understand what it takes to build and develop a career. We cover many specialist areas including cybersecurity.

Fischer Identity

Fischer Identity

Fischer Identity provide identity & access management and identity governance administration solutions.

IPification

IPification

IPification is a highly secure, credential-less, network-based authentication solution for frictionless user experience on mobile and IoT devices.

Vortiv

Vortiv

Vortiv Ltd (formerly known as Transaction Solutions International Ltd) is a technology based company focused on the cybersecurity and the cloud services sector.

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

BT Security

BT Security

BT provides telecommunications and network infrastructure services to keep businesses around the world connected and secure.

Credible Digital Security Pvt. Ltd. (CDSPL)

Credible Digital Security Pvt. Ltd. (CDSPL)

CDSPL is an innovative Cyber Security Services Company in India. We are committed to offering cyber security solutions for important sectors such as energy and utilities, healthcare, and more.

Contextal

Contextal

Contextal develops cutting-edge open-source cybersecurity solutions, designed to connect the dots and detect complex threats, which slip through the existing protections.

Averlon

Averlon

Averlon offers organizations peerless cloud security through Panoptic Cloud Visibility, Predictive Attack Intelligence and Rapid Remediation.

CliffGuard Cybersecurity

CliffGuard Cybersecurity

CliffGuard Cybersecurity deliver comprehensive services designed to protect your organization from the ever-evolving landscape of cyber threats.