Apple Must Fix Its Embarrassing Password Bug

Uploaded on 2017-11-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A newly-discovered flaw in macOS High Sierra, Apple’s latest iteration of its operating system, allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. 

Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.


Apple has said it is working to fix a serious bug within its Mac operating system.  The flaw in MacOS High Sierra, the most recent version, makes it possible to gain entry to the machine without a password, and also have access to powerful administrator rights. “We are working on a software update to address this issue,” Apple said in a statement. 

The bug was discovered by Turkish developer Lemi Ergin. He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine. 

Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals. Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public. 

Apple would not confirm or deny whether it knew about the flaw beforehand. However, flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat.

The Exploit
Considering, the power it gives, the bug is remarkably simple, described by security experts as a "howler" and "embarrassing". Those with root access can do more than a normal user, such as read and write the files of other accounts on the same machine. A super user could also delete crucial system files, rendering the computer useless - or install malware that typical security software would find hard to detect. 

Typically, the bug cannot be exploited remotely, meaning for most users the threat only exists if a malicious person has physical access to the machine. That said, if remote access has been granted to the computer for some other reason, such as offering tech support, then the flaw could be executed using that connection.

The timing of the disclosure presents a major issue to Apple as it now must hurriedly put in place a fix before the vulnerability can be exploited by criminals. 

"Haste and security don’t make good bedfellows,” said Prof Alan Woodward from the University of Surrey
"They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it."
While Apple works on its fix, it offered a workaround for users concerned about the bug. “Setting a root password prevents unauthorised access to your Mac,” the company explained. "To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. 

"If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

For those not confident enough to change system settings like this, security experts advise simply - don't let your Mac out of your sight, and be sure to apply the system update when prompted.

Krebs On Security:        BBC

You Might Also Read: 

The Death of the Password Is Upon Us:

Apple's Driverless Cars:

Is Apple Abandoning Macs?:

 

« N. Korea Is Ready For Global Cyber Conflict
Cyber Criminals Stealing Reward Points & Air-Miles »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

Cleo

Cleo

Cleo is a leader in secure information integration, enabling both ease and excellence in business data movement and orchestration.

Hitachi ID Systems

Hitachi ID Systems

Hitachi ID Systems offers comprehensive identity management and access governance, privileged access management and password management solutions.

The Data Privacy Group

The Data Privacy Group

The Data Privacy Group provide expert professional services underpinned by world leading automation tools and a consulting team specialized in privacy and data protection.

limes datentechnik

limes datentechnik

limes datentechnik is an authority in the fields of cryptography and data compression. The FLAM product family is an internationally accepted standard for efficient and safe handling of data.

US Venture Partners (USVP)

US Venture Partners (USVP)

USVP is a leading Silicon Valley venture capital firm focusing on early-stage start-ups that transform cybersecurity, enterprise software, consumer mobile and e-commerce, and healthcare.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Citalid

Citalid

The Citalid cyber risk management platform combines threat and business intelligence to identify the risks scenarios you face.

MainNerve

MainNerve

MainNerve helps secure networks, applications, people, and facilities… enabling businesses to reduce risk and increase their cybersecurity posture.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

WireGuard

WireGuard

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs).

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.

E-CQURITY (ECQ)

E-CQURITY (ECQ)

ECQ is a network security company offering offensive security services and solutions focused on active offensive and defensive positioning.

Affinity Technology Partners

Affinity Technology Partners

Affinity Technology Partners has been fueling the growth of Nashville, Tennessee businesses and nonprofits with reliable IT services since 2002.

FatPipe Networks

FatPipe Networks

FatPipe’s network optimization solutions along with robust native security and SASE-based protection provides organizations all they need for super network performance and security.