Free Republic

Huge security flaw lets anyone log into a High Sierra Mac
Tech Crunch | Nov 28 2017 | Kevin Coldewey

Posted on 11/28/2017 2:59:34 PM PST by grey_whiskers

Update: Apple has acknowledged the issue and is working on it. Statement and workaround below.

Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours, but holy moly. Do not leave your Mac unattended until this is resolved.

The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.

(Excerpt) Read more at techcrunch.com ...


TOPICS: Business/Economy; Computers/Internet; Conspiracy; Hobbies
KEYWORDS: apple; applemac; bugs; highsierra; mac; macbug; macsecurity; root; timcook; wherethehellwasqa
To: for-q-clinton; dayglored; grey_whiskers
No because years ago I said Macs were secure by obscurity and then mocked by swordmaker and others who worshiped apple.

Now they want to act like it never happened. They can apologize and admit that they were completely wrong and I was right. Then I’ll let it go.

It was not true then and it is even less true now. You are not going to get an apology for your wrong conclusions then and your smugness claims we were wrong then. OSX/macOS has been in the wild essentially since 1998 when it was released first as a server version and there are STILL ZERO viable computer viruses for it twenty years later. . . and you are still singing the same hackneyed tune about security by obscurity you were singing way back then.

On the internet, nothing is obscure; everything is as close as next door, and as easy to find because everything is connected. In 2004, there were 12,000 PCs that were vulnerable to the Witty Worm spread all over the world, and within 3 ½ minutes 750 vulnerable PCs had been infected, and all 12,000 were infected within 45 minutes, no matter where they were in the world. THOSE computers were obscure. . . but they were easily infected by a simple virus for which the defense had ALREADY been created six months before it was created!

You've been told this all before, yet you continue to spout your canard about Macs that FAR OUTNUMBER those vulnerable PCs that were hit by the Witty Worm. . . which were all protected by third-party antivirus programs. Viruses were written for devices that had fewer than 20 vulnerable devices in the world. . . but YOU think that someone somewhere is not interested in writing malware that can't get into over 150,000,000 or more Macs that are mostly running bare naked of ANY ANTIVIRUS at all except what Apple builds into its operating system. You are delusional in your Apple user hatred because we tell you the truth which YOU can't handle.

The one single MacBot supposedly found in the wild about eight years ago, claiming to involve over 600,000 Macs which kept shrinking as more and more people reported NOT finding the Trojan JAVA script infected Macs, turned out to be a hoax perpetrated by a Russian Antivirus vendor wanting to sell a new Mac antivirus for business use. Two years later the same company claimed to have found another MacBot, this time of only 20,000 Macs, when they started to sell their consumer level anti-virus. . . but it too was a hoax.

In NEITHER case were any members of these MacBots ever found in the wild... even ones the Russian company claimed whose UUID matched as being in the bots, were found. In fact, the list of numbers in some instances belonged to Macs that had yet to be sold, and many had not yet been manufactured! The list of "Infected computers" was bogus. Two of the listed UUIDs supposedly infected Macs were in my office. . . but to be infected they had to have JAVA installed; but neither of the computers in my office had ever had JAVA installed, nor was there any sign of the "Infection."

61 posted on 11/28/2017 11:06:16 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: for-q-clinton
Don’t waste your time proving it. I’ve done it years ago several times and they always make up an excuse.

No, you have not. You just found another antiApple Troll making the claim. . . which we pointed out to you, and you refused to recognize that person as what he was, insisting he was a "fanboi" when he clearly was not, choosing to ignore the multiple citations of his calling Apple users the same names you used.

62 posted on 11/28/2017 11:08:56 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: dayglored; for-q-clinton; grey_whiskers
What the...? If an application level program can turn off the operating system's built-in protection, then that built-in protection is worthless, because a Trojan-borne piece of malware can do the same thing, and all it takes is tricking the user into typing a password. We all know how easy that is.

That really is a nit, dayglored.

No, actually a TROJAN can't turn off the pre-emptive protections UNTIL AFTER you install it. Once you do that, of course it can do damage to the USER'S Partition. . . or post installation, turn off the systems protections. BUT IT FIRST HAS TO BYPASS the built-in anti-TROJAN software that will warn you THREE TIMES that the software contains a TROJAN that is DANGEROUS AND/OR DESTRUCTIVE TO YOUR SYSTEM. It will alert you on DOWNLOAD, then again on INSTALL, and then once again when you try to RUN IT THE FIRST TIME. Only after all of those things are done and APPROVED as an Administrator (Ignoring all those warning Alerts) can it ever shut off the system protections.

Installing a third party antivirus offers no such warnings, unless it's in the fine print. They do it during the startup procedure when the computer restarts after installation! These antivirus programs as a rule require installation from the ADMIN partition. . . which is another animal. . . and they install pieces of themselves in the start-up libraries. They bolt themselves into the OS by disabling and replacing the Apple intended blockade. . . so their applications can intercept and inspect what Apple will block from ever reaching them. That is their failing philosophy.

Apple did not provide the API. That's why the 3rd party antivirus on the Mac IS bolted on. If you want to run one, don't install one that runs in the background. Get one you choose to run from time to time that does a scan on your schedule, not automatically, which looks at your HD for anything that might have slipped through. The only thing they usually find are Windows viruses and malware in the email or graphic files that won't touch a Mac.

63 posted on 11/28/2017 11:29:45 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: reed13k

Just tried it on mine - 10.13.1 - and this exploit doesn’t work. Must already be rooted ;-)


64 posted on 11/29/2017 1:07:57 AM PST by glorgau

To: Responsibility2nd

Yeah - was teaching Microsoft Server and some specific networking functions for a while - called them “Undocumented Features”.


65 posted on 11/29/2017 3:18:16 AM PST by trebb (Where in the hell has my country gone?)

To: dayglored

See there you go again.... Twisting facts to tell more lies.

The fact that no one was attacking them because the target was so small is obscurity. You admit that then you change the definition to suit your needs.


66 posted on 11/29/2017 3:51:00 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
You didn't read, or perhaps just didn't understand, what I wrote earlier.

Years ago, Mac security was the result of two factors: 1) a secure design based on UNIX, and 2) relative obscurity, such that it wasn't a favorite target like Windows.

In recent years, the obscurity has disappeared. Hackers target MacOS with Trojans and other attacks that are directed at the USER. Note that word, fqc... USER. Because the user is the weak link on a Mac.

The MacOS operating system security remains solid (modulo stupid errors like the one of this thread) because of its DESIGN. The dearth of successful external attacks on the system itself (without the user doing something) demonstrates this.

I'm not "twisting facts". The above ARE the facts, just as I stated them earlier.

67 posted on 11/29/2017 5:50:50 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Swordmaker; kitkat; All
One DOES have to be in Admin to do it. . . and most people do not run in Admin mode if they are smart.
So what do you do if you’re an only user and have to be administrator? - kitkat (May, 2011)
You don't have to be the administrator even if you are the only user. Go into system preferences, select Accounts, create a new administrator user (give it an imaginary, difficult but memorable name such as "Senat0rF0gh0rnLegh0rn" [those are zeros where the 'Os' are, just don't use "Admin"!], and a hardened password that you won't forget), make that account an administrator. Turn on Fast User Switching in Login Options (that's at the bottom of the user list)... with the Name option selected. I'd turn off Automatic login. Now Log Off your account. Log into the new Administrator. Change your usual account to Standard User. Lock the Accounts Pane by clicking on the padlock in the lower left corner. Log Off the new Administrator account…

Log back into your usual account and continue your usual operations. You can still add software and install stuff, but you will have to provide the new Administrator name and password when you need to do that... a much safer way of operating. You can always switch to the Administrator for long jobs requiring administration by clicking on your name on the upper right of the menu bar and selecting the Admin account... and logging on. Always remember to log off the Admin account when not using it.

posted on 5/6/2011 by Swordmaker


68 posted on 11/29/2017 6:09:28 AM PST by conservatism_IS_compassion (Presses can be 'associated,' or presses can be independent. Demand independent presses.)
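The account layout described in the quoted 2011 post above (a Standard daily account, a separately named administrator, automatic login off) can be checked from Terminal. This is an added example, not part of any poster's comment: the account names `alice` and `localadm1n` and the sample `dscl` output are constructed, and `audit` / `audit_host` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed samples of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_SHARED='GroupMembership: root alice'            # daily user is the only admin
SAMPLE_SPLIT='GroupMembership: root localadm1n'        # separate admin, alice is Standard

# admin_members <dscl output>: print one admin short name per line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n'
}

# is_admin <user> <dscl output>: succeed if <user> is listed in the admin group.
is_admin() {
    admin_members "$2" | grep -qxF -- "$1"
}

# audit <daily user> <dscl output> <autologin user or empty>
# Prints findings and returns how many there were (0 = layout matches the advice).
audit() {
    user=$1; members=$2; autologin=$3; findings=0
    if is_admin "$user" "$members"; then
        echo "FAIL: daily account '$user' is in the admin group"
        findings=$((findings + 1))
    fi
    # An administrator other than root and the daily account must exist.
    others=$(admin_members "$members" | grep -vxF -e root -e "$user" | grep -c . || true)
    if [ "$others" -eq 0 ]; then
        echo "FAIL: no separate administrator account exists"
        findings=$((findings + 1))
    fi
    if [ -n "$autologin" ]; then
        echo "FAIL: automatic login is enabled for '$autologin'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: '$user' is Standard and a separate admin exists"
    return "$findings"
}

# audit_host: run the audit on the local Mac; does nothing useful without dscl.
audit_host() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not macOS)"; return 0; }
    audit "$(id -un)" "$(dscl . -read /Groups/admin GroupMembership)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)"
}
```

Source the file and call `audit_host` from the daily account; a non-zero return is the number of deviations from the layout in the post.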

To: PAR35

We never say Apple is perfect. We do, however, push back against baseless accusations.
Yes, this case is a bad mistake. It’s focused, it will be fixed and an update issued fast.
We’ve seen striking mistakes from Apple before. They were fixed pronto, and not mitigated into ongoing chronic ailments (like Windows suffered for decades).

What’s striking is how y’all keep coming into these threads just to wantonly badmouth others. Not sure why you enjoy slander so much.


69 posted on 11/29/2017 6:53:47 AM PST by ctdonath2 (It's not "white privilege", it's "Puritan work ethic". Behavior begets consequences.)

To: for-q-clinton

The operating system is configured such that nobody should ever need to log in as root per se. As such, it’s easy to overlook the need to check such access from contexts that don’t apply. Looks stupid in retrospect, but as a software developer I’ve seen such mistakes many times.


70 posted on 11/29/2017 6:58:06 AM PST by ctdonath2 (It's not "white privilege", it's "Puritan work ethic". Behavior begets consequences.)

To: Swordmaker

bttt


71 posted on 11/29/2017 7:03:29 AM PST by Liberty Valance (Keep a Simple Manner for a Happy Life :o)

To: grey_whiskers

“vi” is the center of “evil”.


72 posted on 11/29/2017 7:06:55 AM PST by ctdonath2 (It's not "white privilege", it's "Puritan work ethic". Behavior begets consequences.)

To: for-q-clinton

When someone on your side eloquently tells you to shut up, maybe you should.


73 posted on 11/29/2017 7:08:51 AM PST by ctdonath2 (It's not "white privilege", it's "Puritan work ethic". Behavior begets consequences.)

To: grey_whiskers

Podesta was helping them with security.


74 posted on 11/29/2017 7:46:52 AM PST by dila813 (Voting for Trump to Punish Trumpets!Goo)

To: for-q-clinton
The fact that no one was attacking them because the target was so small is obscurity. You admit that then you change the definition to suit your needs.

There YOU go again telling more lies. There were lots of people attacking OSX trying to be the first to create a virus for the Mac. They failed. There were thousands of attempts. . . and thousands of failures. No one was going to leave tens of millions of bare naked computers of people with MORE MONEY than PC users un-attacked just because YOU thought they were "obscure."

These same hackers went are the people who after 12,000 PCs that were vulnerable by writing the Witty Worm virus. . . why would they NOT go after the then 60,000,000 vulnerable and target RICH environment of the Apple Macs where 99%, some 59,400,000 bare naked computers, were running without firewalls and without antivirus software? This was a time that a mere 2000 computers in a bot was worth $50,000 for just a two week window of use on the black market. . . and you think it was NOT WORTH GOING AFTER 60 million supposedly vulnerable computers that were in no way protected by antivirus programs because they were, in your word "obscure?" That is the LIE.

They did not go after the Mac because they could not crack it. It literally had no vectors of attack.

75 posted on 11/29/2017 8:06:34 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

"who after 12,000 PCs. . ." should have been "who went after 12,000 PCs. . ."
76 posted on 11/29/2017 8:11:40 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

Apple has released the fix for this vulnerability on Wednesday, November 29, 2017.

http://www.freerepublic.com/focus/chat/3608949/posts?page=2


77 posted on 11/29/2017 8:51:26 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: All

It does not even require a system restart. . . and in fact is likely to install without interaction. I have just tested this update and it works as required. The problem is solved and is now a non-issue.


78 posted on 11/29/2017 8:56:04 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: dayglored

Exactly security by obscurity. Thanks for playing.


79 posted on 11/29/2017 3:15:44 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ctdonath2

I’m on the side of security. I have yet to have someone from that side say such words to me.


80 posted on 11/29/2017 3:17:22 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

