Title    Apple Creates Ridiculous Security Hole in MacOS High Sierra; Patch is Available
Date    Thursday November 30 2017, @07:56AM
Author    martyb
Absolutely.Geek writes:

You can log in as root on the latest version of MacOS by pressing enter on the login prompt a few times. Just type in root as the user and press enter. There you go no password required.

Not sure what else to say; is this the stupidest massive security hole ever?

From Extreme Tech:

Reproing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.

This was also reported at Ars Technica. Beware that the behavior seems to be that if you do not already have a root account with a (preferably strong) password, this bug essentially creates a root account with an empty password. Attempting this on your own system should be followed up by ensuring that any root account has a strong password.

There is a patch that has just been made available; again according to Ars Technica:

Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in "root" as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.

Apple's brief notes for this security update (Security Update 2017-001) explain the bug by saying, "A logic error existed in the validation of credentials," and claims the problem has been addressed "with improved credential validation."
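An added example, not part of the submission or the linked articles: a small POSIX shell checker that reports the state of the local root account and prints the remediation the post describes (give root a strong password or re-disable it, and install the update). It parses the text printed by `dscl . -read /Users/root AuthenticationAuthority`; the `No such key`, `DisabledUser` and `ShadowHash` markers are assumed from macOS Open Directory conventions, and the sample outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify the root account from the output of
#   dscl . -read /Users/root AuthenticationAuthority
# The parser takes the text as an argument so it can be exercised
# offline with constructed samples such as:
#   "No such key: AuthenticationAuthority"                       -> disabled
#   "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>"        -> enabled
#   "AuthenticationAuthority: ;DisabledUser;;ShadowHash;..."     -> disabled
classify_root_state() {
    case "$1" in
        *"No such key"*) echo "disabled" ;;  # no auth authority: root cannot log in
        *DisabledUser*)  echo "disabled" ;;  # explicitly disabled by policy
        *ShadowHash*)    echo "enabled" ;;   # root has a hash, possibly of an empty password
        *)               echo "unknown" ;;
    esac
}

# Operator-facing advice for each state, following the post's mitigation.
advice_for() {
    case "$1" in
        enabled)  echo "root is enabled: set a strong password (sudo passwd root) or disable it (sudo dsenableroot -d)" ;;
        disabled) echo "root is disabled: nothing to change, but install Security Update 2017-001" ;;
        *)        echo "could not determine root state; inspect the dscl output by hand" ;;
    esac
}

# Live check; only meaningful on macOS, where dscl and sw_vers exist.
check_live() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this is not macOS"
        return 1
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$out")
    echo "macOS $(sw_vers -productVersion): root account is $state"
    advice_for "$state"
}

# Only perform the live check when explicitly asked, so the functions
# above can be sourced and tested without touching the directory service.
case "${1:-}" in
    --run) check_live ;;
esac
```

Run it on the Mac as `sh root_check.sh --run`; it reads directory data only and changes nothing.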

