This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.
Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Someone will be fired.
Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Well, as long as they don't hire John Podesta...or the Awan brothers.
Yes, it’s stupid, but it’s more than an oversight.
First, someone (presumably an engineer debugging something) disabled a security feature, but they failed to revert it when they were done, and they committed the change to the source repo. Well, that’s bad. But sh*t happens, bad commits do happen. It was not terrible at this level — it should have gotten caught and corrected at the next level.
Then at the next level, whoever was supposed to review commits missed it. That’s worse than the original mistake. The error became considerably worse because now it’s assumed to be okay.
Then the error was built into the release, and QA failed to test for it. This is egregious. QA shouldn’t have to find this kind of error — you can’t “test software until it works”. But even so, this wasn’t a difficult bug to exercise, if you have the resources of Apple. My God, they’ve got hundreds of QA people, they’ve got automated testing setups. But still, QA didn’t find it.
More than an oversight. This was a systemic failure of the first order.
BTW, I’ve done professional industrial strength software testing since the late 1970’s, so I get to be a little righteous about this one. I’m very disappointed in Apple and I expect them to fire a few people over this.