Free Republic

Huge security flaw lets anyone log into a High Sierra Mac
TechCrunch | Nov 28 2017 | Kevin Coldewey

Posted on 11/28/2017 2:59:34 PM PST by grey_whiskers

Update: Apple has acknowledged the issue and is working on it. Statement and workaround below.

Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours, but holy moly. Do not leave your Mac unattended until this is resolved.

The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.

(Excerpt) Read more at techcrunch.com ...


TOPICS: Business/Economy; Computers/Internet; Conspiracy; Hobbies
KEYWORDS: apple; applemac; bugs; highsierra; mac; macbug; macsecurity; root; timcook; wherethehellwasqa
What H1-B with an IQ of 350 OK'd *this* one?

Who needs Chinese hackers?

1 posted on 11/28/2017 2:59:34 PM PST by grey_whiskers

To: Swordmaker

*PING*


2 posted on 11/28/2017 3:00:01 PM PST by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)

To: grey_whiskers

Awesome - I just downloaded this update last week, but didn’t have enough time to remove some stuff I was working on, so I didn’t have room to install it. Now I have a good reason to wait.


3 posted on 11/28/2017 3:03:43 PM PST by reed13k

To: grey_whiskers
[Image: "It's not a bug, it's a feature"]
4 posted on 11/28/2017 3:05:11 PM PST by Responsibility2nd

To: grey_whiskers
Root-boy Slim anyone? d;^)
5 posted on 11/28/2017 3:20:08 PM PST by CopperTop (Outside the wire it's just us chickens. Dig?)

To: grey_whiskers

But the Apple fan bois on FR told us that Apple is perfect.


6 posted on 11/28/2017 3:27:50 PM PST by PAR35

To: grey_whiskers

I’ve had this update for awhile now.
I remember there was another update to it immediately following the original and I suspect that second one fixed this.
I just tried it on my machine. Went to preferences, security and tried unlocking the padlock with “root”. It would not let it enter. Using my username and password would.


7 posted on 11/28/2017 3:28:33 PM PST by lgjhn23 (It's easy to be liberal when you're dumber than a box of rocks.)

To: grey_whiskers

Wow... Good thing this wasn’t Microsoft that did it or that would be bad news. Apple fanboys will just consider it a nice feature and thank Apple for the easy root.

On a serious note how the hell does this happen? Buffer overruns I understand but just typing root gives you root??? This is serious bad coding, quality review, security design, and leadership.


8 posted on 11/28/2017 3:28:57 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: PAR35

Yep this is only possible in Windows. Plus since no one reported actually exploiting this issue that means it doesn’t count.

Apple logic


9 posted on 11/28/2017 3:31:37 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: grey_whiskers

I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.


10 posted on 11/28/2017 3:39:10 PM PST by proxy_user

To: grey_whiskers

I’m running 10.13.1 and this bug doesn’t seem to affect me. Perhaps it only affects certain models? In any event Apple should sort it out soon. Agree this is something that never should have gotten out the door.


11 posted on 11/28/2017 3:49:56 PM PST by AustinBill (consequence is what makes our choices real)

To: proxy_user
Has Apple abolished root and required all users with root privileges to sudo?

The root account exists (it has to as uid 0, if not explicitly) but is disabled except through sudo.

I tried out this vulnerability on my iMac. Did not exist here. The root account was disabled, as it should be.

12 posted on 11/28/2017 3:58:16 PM PST by IndispensableDestiny

To: grey_whiskers

What happens if you type in poop?


13 posted on 11/28/2017 4:05:07 PM PST by ImJustAnotherOkie

To: grey_whiskers

This has to be fake news. I am sure someone will be along shortly to wave their hands and tell you it is all just an illusion of old and out of date info.


14 posted on 11/28/2017 4:08:56 PM PST by mad_as_he$$

To: for-q-clinton
You just don't see the beauty and innovation in this feature.

/sarc for them who needz it

15 posted on 11/28/2017 4:34:27 PM PST by Rashputin (Jesus Christ doesn't evacuate His troops, He leads them to victory !!)

To: grey_whiskers; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ..
MAJOR OOPS in MacOS HIGH SIERRA, if an Administrator skips a step in creating a ROOT USER and fails to create the Root User password, which should NOT BE POSSIBLE. . . but in MacOS 10.13.1 High Sierra it somehow was allowed to do so. . . the Root User can be created as "ROOT" or "root", without a password, just as any standard user can be created without a password, allowing anyone to log in with Root User permissions, by just typing in "root" at a user prompt! NOT GOOD. However, if the password IS input, it is secure. It DOES have to be done by an Administrator level user. The flaw is not REQUIRING a password before ROOT is enabled. Apple will push out a fix for this fast. . . It's a hard flaw to notice. . . but someone did. — PING!


Apple macOS 10.13.1 ROOT USER PASSWORD CREATION VULNERABILITY Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

16 posted on 11/28/2017 5:09:02 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: grey_whiskers

This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.

Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled the forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.

It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.


17 posted on 11/28/2017 5:19:10 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker
Apparently, someone was working on this and disabled the forced PW and it did not get re-enabled in the release.

Someone will be fired.

18 posted on 11/28/2017 5:33:55 PM PST by Menehune56 ("Let them hate so long as they fear" (Oderint Dum Metuant), Lucius Accius (170 BC - 86 BC))

To: PAR35
But the Apple fan bois on FR told us that Apple is perfect.

No, we have never said that. That was the anti-Apple people putting that claim in our mouths. We've just said that it was more secure which is still true. This is a minor kerfuffle that is only a risk if one doing it is an administrator and has physical access and it will be closed with a minor update to fix something that was overlooked in this update by someone who was working on this section.

19 posted on 11/28/2017 5:49:19 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: proxy_user
I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.

No, but Apple requires the creation of a ROOT level above Admin. . . which is what this is about. Normally it requires that the Admin user creates a ROOT password with the activation of the ROOT ability. Someone forgot to turn that requirement back on.

In addition, there is now a new level ABOVE ROOT in Apple Macs that requires an additional factory set password to make specific system changes that even ROOT USERS cannot alter without invoking that special password. This is to prevent even a ROOT user from doing system damage or an outsider using a ROOT access from hiding a ROOT KIT.

20 posted on 11/28/2017 5:54:52 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)