Apple Must Fix Its Embarrassing Password Bug

A newly-discovered flaw in macOS High Sierra, Apple’s latest iteration of its operating system, allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. 

Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.


Apple has said it is working to fix a serious bug within its Mac operating system.  The flaw in MacOS High Sierra, the most recent version, makes it possible to gain entry to the machine without a password, and also have access to powerful administrator rights. “We are working on a software update to address this issue,” Apple said in a statement. 

The bug was discovered by Turkish developer Lemi Ergin. He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine. 

Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals. Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public. 

Apple would not confirm or deny whether it knew about the flaw beforehand. However, flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat.

The Exploit
Considering, the power it gives, the bug is remarkably simple, described by security experts as a "howler" and "embarrassing". Those with root access can do more than a normal user, such as read and write the files of other accounts on the same machine. A super user could also delete crucial system files, rendering the computer useless - or install malware that typical security software would find hard to detect. 

Typically, the bug cannot be exploited remotely, meaning for most users the threat only exists if a malicious person has physical access to the machine. That said, if remote access has been granted to the computer for some other reason, such as offering tech support, then the flaw could be executed using that connection.

The timing of the disclosure presents a major issue to Apple as it now must hurriedly put in place a fix before the vulnerability can be exploited by criminals. 

"Haste and security don’t make good bedfellows,” said Prof Alan Woodward from the University of Surrey
"They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it."
While Apple works on its fix, it offered a workaround for users concerned about the bug. “Setting a root password prevents unauthorised access to your Mac,” the company explained. "To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. 

"If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

For those not confident enough to change system settings like this, security experts advise simply - don't let your Mac out of your sight, and be sure to apply the system update when prompted.

Krebs On Security:        BBC

You Might Also Read: 

The Death of the Password Is Upon Us:

Apple's Driverless Cars:

Is Apple Abandoning Macs?:

 

« N. Korea Is Ready For Global Cyber Conflict
Cyber Criminals Stealing Reward Points & Air-Miles »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Rollbar

Rollbar

Rollbar is a full-stack error monitoring platform for web and mobile applications. We help developers find and fix bugs fast. Built by developers for developers.

NLnet Labs

NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as security in the area of DNS and inter-domain routing.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

La Fosse Associates

La Fosse Associates

The InfoSec Recruitment team at La Fosse Associates specialises in placing Information Security & Risk professionals on a permanent and contract basis.

Inavate Consulting

Inavate Consulting

Inavate Consulting are experts in defining and implementing information assurance solutions and governance frameworks. Our ISO27001 consultants are the most experienced in the industry.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

SecureAge Technology

SecureAge Technology

We’re a rapidly growing cybersecurity company with an 18-year history of ZERO Data breaches. Our security solutions place security and usability on equal footing. Learn more about our technology.

Precursor Security

Precursor Security

Precursor Security are information security specialist, delivering all aspects of Security testing, Cyber Risk Management, and Continuous Security Testing.

nexSecurity

nexSecurity

neXSecurity is an IT and Information security consulting company with more than 2 decades worth of software development and security experience.

Qascom

Qascom

Qascom is an engineering company offering security solutions in satellite navigation and space cybersecurity. We are one of the European key players in GNSS authentication and security.

Vantage Point Security

Vantage Point Security

Vantage Point are specialists in penetration testing and application security with a focus on the industries undergoing rapid digital transformation.

ASMGi

ASMGi

ASMGi is a managed services, security and GRC solutions, and software development provider.

Knownsec

Knownsec

Knownsec provides customers with cloud defense, cloud monitoring, and cloud mapping products and services with "AI + security big data" as the underlying capability.

Bleach Cyber

Bleach Cyber

Bleach Cyber helps small businesses with an affordable and user-friendly solution for managing cloud security.

Multidisciplinary Institute for Cybersecurity and Cyber Resilience (IMC2)

Multidisciplinary Institute for Cybersecurity and Cyber Resilience (IMC2)

IMC2 brings together resources to carry out ambitious, innovative and multidisciplinary projects in the field of cybersecurity and cyber resilience.

Automotive Information Sharing & Analysis Center (Auto-ISAC)

Automotive Information Sharing & Analysis Center (Auto-ISAC)

Auto-ISAC provides a forum for companies to analyze and identify threats sooner and share solutions that enhance vehicle cybersecurity.

SecureFlag

SecureFlag

SecureFlag is dedicated to enhancing secure coding across all technical profiles within the Software Development Lifecycle.