Huge security flaw lets anyone log into a High Sierra Mac

Tech Crunch ^ | Nov 28 2017 | Kevin Coldewey

[grey_whiskers]

What H1-B with an IQ of 350 OK'd *this* one?

Who needs Chinese hackers?

[grey_whiskers]

*PING*

[reed13k]

Awesome - I just downloaded this update last week, but didn’t have enough time to remove some stuff I was working on, so I didn’t have room to install it. Now I have a good reason to wait.

[Responsibility2nd]

[CopperTop]

Root-boy Slim anyone? d;^)

[PAR35]

But the Apple fan bois on FR told us that Apple is perfect.

[lgjhn23]

I’ve had this update for awhile now.
I remember there was another update to it immediately following the original and I suspect that second one fixed this.
I just tried it on my machine. Went to preferences, security and tried unlocking the padlock with “root”. It would not let it enter. Using my username and password would.

[for-q-clinton]

Wow... Good thing this wasn’t Microsoft that did it or that would be bad news. Apple fanboys will just consider it a nice feature and thank apple for the easy root.

On a serious note how the hell does this happen? Buffer overruns I understand but just typing root gives you root??? This is serious bad coding, quality review, security design, and leadership.

[for-q-clinton]

Yep this is only possible in windows. Plus since no one reported actually exploiting this issue that means it doesn’t count.

Apple logic

[proxy_user]

I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.

[AustinBill]

I’m running 10.13.1 and this bug doesn’t seem to affect me. Perhaps it only affects certain models? In any event Apple should sort it out soon. Agree this is something that never should have gotten out the door.

[IndispensableDestiny]

Has Apple abolished root and required all users with root privileges to sudo? The root account exists (it has to as uid 0, if not explicitly) but is disabled except through sudo.

I tried out this vulnerability on my iMac. Did not exist here. The root account was disabled, as it should be.

[ImJustAnotherOkie]

What happens if you type in poop?

[mad_as_he$$]

This has to be fake news. I am sure someone will be along shortly to wave their hands and tell you it is all just an illusion of old and out of date info.

[Rashputin]

You just don't see the beauty and innovation in this feature.

/sarc for them who needz it

[Swordmaker]

MAJOR OOPS in MacOS HIGH SIERRA, if an Administrator skips a step in creating a ROOT USER and fails to create the Root User password, which should NOT BE POSSIBLE. . . but in MacOXS 10.13.1 High Sierra it somehow was allowed to do so, . . the Root User can be created as "ROOT" or "root", without a password, just as any standard user can be created without a password, allowing anyone to log in with Root User permissions, by just typing in "root" at a user prompt! NOT GOOD. However, if the password IS input, it is secure. It DOES have to be done by an Administrator level user. The flaw is not REQUIRING a password before ROOT is enabled. Apple will push out a fix for this fast. . . It's a hard flaw to notice. . . but someone did. — PING!

Apple macOS 10.13.1
ROOT USER
PASSWORD CREATION
VULNERABILITY
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

[Swordmaker]

This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.

Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.

It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.

[Menehune56]

Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release.

Someone will be fired.

[Swordmaker]

But the Apple fan bois on FR told us that Apple is perfect.

No, we have never said that. That was the anti-Apple people putting that claim in our mouths. We've just said that it was more secure which is still true. This is a minor kerfuffle that is only a risk if one doing it is an administrator and has physical access and it will be closed with a minor update to fix something that was overlooked in this update by someone who was working on this section.

[Swordmaker]

I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.

No, but Apple requires the creation of a ROOT level above Admin. . . which is what this is about. Normally it requires that the Admin user creates a ROOT password with the activation of the ROOT ability. Someone forgot to turn that requirement back on.

In addition, there is now a new level ABOVE ROOT in Apple Macs that requires an additional factory set password to make specific system changes that even ROOT USERS cannot alter without invoking that special password. This is to prevent even a ROOT user from doing system damage or an outsider using a ROOT access from hiding a ROOT KIT.