Apple Must Fix Its Embarrassing Password Bug

Uploaded on 2017-11-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A newly-discovered flaw in macOS High Sierra, Apple’s latest iteration of its operating system, allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. 

Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.


Apple has said it is working to fix a serious bug within its Mac operating system.  The flaw in MacOS High Sierra, the most recent version, makes it possible to gain entry to the machine without a password, and also have access to powerful administrator rights. “We are working on a software update to address this issue,” Apple said in a statement. 

The bug was discovered by Turkish developer Lemi Ergin. He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine. 

Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals. Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public. 

Apple would not confirm or deny whether it knew about the flaw beforehand. However, flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat.

The Exploit
Considering, the power it gives, the bug is remarkably simple, described by security experts as a "howler" and "embarrassing". Those with root access can do more than a normal user, such as read and write the files of other accounts on the same machine. A super user could also delete crucial system files, rendering the computer useless - or install malware that typical security software would find hard to detect. 

Typically, the bug cannot be exploited remotely, meaning for most users the threat only exists if a malicious person has physical access to the machine. That said, if remote access has been granted to the computer for some other reason, such as offering tech support, then the flaw could be executed using that connection.

The timing of the disclosure presents a major issue to Apple as it now must hurriedly put in place a fix before the vulnerability can be exploited by criminals. 

"Haste and security don’t make good bedfellows,” said Prof Alan Woodward from the University of Surrey
"They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it."
While Apple works on its fix, it offered a workaround for users concerned about the bug. “Setting a root password prevents unauthorised access to your Mac,” the company explained. "To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. 

"If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

For those not confident enough to change system settings like this, security experts advise simply - don't let your Mac out of your sight, and be sure to apply the system update when prompted.

Krebs On Security:        BBC

You Might Also Read: 

The Death of the Password Is Upon Us:

Apple's Driverless Cars:

Is Apple Abandoning Macs?:

 

« N. Korea Is Ready For Global Cyber Conflict
Cyber Criminals Stealing Reward Points & Air-Miles »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Fortinet

Fortinet

Fortinet is a provider of network security systems. Our products provide protection against dynamic security threats while simplifying the IT security infrastructure.

CQS (Certified Quality Systems)

CQS (Certified Quality Systems)

CQS is an organisation specialising in ISO assessment and certification, including ISO 27001, along with other management system standards.

Gigasoft

Gigasoft

Gigasoft provide secure online data backup & cloud backup services for the education sector and businesses.

SonicWall

SonicWall

SonicWall provide products for network security, access security, email security & encryption.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

Digital Resolve

Digital Resolve

Digital Resolve delivers solutions that help companies maintain trust and confidence through proven and cost-effective fraud-protection and identity intelligence technology.

PeopleSec

PeopleSec

PeopleSec specializes in the human element of cybersecurity with a comprehensive set of services designed to maximize your security by educating your workforce as a whole.

New Enterprise Associates (NEA)

New Enterprise Associates (NEA)

As one of the world’s largest and most active venture capital firms, NEA has developed deep domain expertise and insight into our industries of focus - technology and healthcare.

PSafe

PSafe

PSafe is a leading provider of mobile privacy, security, and performance apps. We deliver innovative products that protect your freedom to safely connect, share, play, express and explore online.

Citadel Cyber Security

Citadel Cyber Security

Citadel is a leading 'One Stop Shop' provider of consulting services in cyber and information security. Our experts operate in hundreds of business organizations in Israel and around the world.

Tetrate.io

Tetrate.io

Tetrate Service Bridge provides enterprises with a consistent, unified way to connect and secure services across an entire mesh-managed environment.

Appurity

Appurity

Appurity specialises in mobile and application security, delivering comprehensive solutions across all verticals.

Narf Industries

Narf Industries

Narf Industries are a small group of reverse engineers, vulnerability researchers and tool developers that specialize in tailored solutions for government and large enterprises.

Dig Security

Dig Security

Dig Security offers the first data detection and response (DDR) solution, providing real-time visibility, control and protection of your data assets across any cloud.

Clarity

Clarity

Clarity is an AI cybersecurity startup that protects against deepfakes and new social engineering and phishing attack vectors accelerated by the rapid adoption of Generative AI.