Posted on 11/29/2017 8:45:14 AM PST by Swordmaker
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator's password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, you can enable the root user and change the root user's password.
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
This update applies only to users who have installed macOS 10.13.1 High Sierra on their Macs.
Thanks I just updated my iMac.
It does not even require a system restart. . . and in fact is likely to install without interaction. I have just tested this update and it works as required. The problem is solved and is now a non-issue.
Thanks Sword. Looks like I’m still running 10.12.4
Thanks, Swordmaker!
I wish you and yours a very Merry Christmas!
S + SJ
If so we are safe, and will update after the mad rush is over.
My GUESS is that someone in the testing group failed to remove this obvious universal access before the ‘Gold Master’ was assembled! What a rotten egg in face, but it will be a red-letter item for all future releases!
If one can VPN or otherwise access to an ‘on’ and on-line machine, then doing the ‘root’ logon might be possible. The update takes less than a minute on my 2014 iMac without any need to reboot!
macOS root login vulnerability was shared over two weeks ago as a troubleshooting tip on Apple's own developer forums
Note: it's Reddit, so caveat emptor.
https://www.reddit.com/r/programming/comments/7gb191/macos_root_login_vulnerability_was_shared_over/
Thanks for the PING Swordmaker!
And thanks to Apple for patching so quickly.
I wouldn't even couch it in terms of a "vulnerability" being shared. . . but rather as a developer sharing a "cool way" for another developer to get to an Admin account who had screwed up their Admin user account. This particular developer seemed oblivious that what he had actually stumbled across was in fact a very serious vulnerability to the Mac's security.
Note: it's Reddit, so caveat emptor.
Yup, it's Reddit, so they paint it with the broadest, blackest brush they can find with the stickiest tar available.
I read through all 225 responses in the Apple Developers' Forum in question and discovered that the vulnerability in question was not actually reported to Apple but rather, as you pointed out, just "shared" as a cool "fixit tip" to access an admin account, presented to a user who had, it turned out, accidentally screwed up their Admin user's credentials. This particular tip was buried about four nests deep in a series of "tips" for the user to try. The guy who offered it did not even realize that it provided Root access, but just thought it made the person signing on using this tip an Admin.
It is not, however, one of the Apple moderated forums. It is purely a developers' forum for seeking other developers' comments and their experiences in how developers have handled particular problems they may be having with a problem, not Apple's help. There is another area for that. As I understand it, Apple-employed engineers do not participate because of potential liability in these forums due to the possibility that some developer is working on an App that Apple may also be developing an in-house version.
Unless this was specifically brought TO Apple's attention, it is unlikely Apple would have seen it in this forum.
A couple of developers commented that it appeared to be a serious security concern that one could get to Root without a password and that shouldn't happen. . . but no one mentioned anything about bringing it properly to Apple's attention back in mid-November. I suspect they'd all forgotten that the forum was not an observed, moderated forum.
Merry Christmas back at both of you, too . . .
Yes, but someone tried to claim not. It can only be done at the keyboard. It could be avoided by enabling Root yourself and adding a complex password of your own choice. Then it won't work.
You are not at risk from this idiotic vulnerability.
update prevailed .....all good.