Apple fixes root password bug: ‘Install this update as soon as possible’

Well, that was fun while it lasted…



Well, to their credit, it didn’t take Apple long to fix their horrendous bug that allowed *anyone* to log into computers running macOS High Sierra with admin rights, without needing to know a password.

The security update – which Apple advises should be installed “as soon as possible” – is being pushed out via the Mac App Store.

Here is how Apple is describing the vulnerability:


Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

To install the security update, simply open the Mac App Store and click on the “Updates” tab. All you have to do then is click on “Update”, and you’ll be sorted.

Kudos to Apple for readying a fix so quickly, but a security hole as big as this should never have got past quality control in the first place.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #054: A great big fat macOS bug

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security, Episode 54: A Great Big Fat macOS Bug with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 54, a special bonus podlet of Smashing Security. And I am joined by Carole Theriault. Hello, Carole. Why are we chatting today?

Why are we releasing a podcast on a Wednesday, for goodness sake?
CAROLE THERIAULT
Well, there was quite a big Mac snafu that just happened. And we thought we would give some people some advice and some reassurance at this stage.
GRAHAM CLULEY
It's pretty bad.

I think this is of interest if you're an Apple user, obviously, because of the security vulnerability, but it's also of interest, I think, if you're a Windows user, because this is a great excuse to feel really, really smug about running Windows rather than Apple Macs.
CAROLE THERIAULT
I'm not sure I'd agree with that. Yeah, it's still a big deal though.
GRAHAM CLULEY
Sometimes Windows users, they need an excuse to feel smug compared to those Apple-using polo-neck-wearing.
CAROLE THERIAULT
Hey, I'm glad they exist. They keep the whole market a bit more heterogeneous.
GRAHAM CLULEY
Yeah, well, long word, Carole, for a Wednesday morning.
CAROLE THERIAULT
Well, glad I impressed.
GRAHAM CLULEY
Let's describe exactly what has happened. A Turkish developer, his name is Lemi, or, can't be Lemmy from Motörhead, surely.

Lemi Orhan Ergin, he found a colossal security hole in the latest shipping version of macOS, also known as High Sierra 10.13.

What it means is that anyone can log in to a Mac computer and have access to admin rights.

So they're logging in with basically godlike admin rights to the computer without a password. You can just type in your username as root, hit enter a few times, and you get in.
CAROLE THERIAULT
Whoa, whoa, whoa though, Graham. I'm under the impression that the root account is actually disabled by default on a Mac.

So surely this is only going to impact those that have enabled their root account.
GRAHAM CLULEY
Ah, well, yes, you're right.

The root account is disabled, but it appears that this vulnerability means that if you type in your username as root, it kind of re-enables the root account, which by default has no password.

And so you get in. It's absolutely—
CAROLE THERIAULT
Whoa! Yeah. This is much bigger than I thought.
GRAHAM CLULEY
Right. So, I mean, it's extraordinary. And this isn't the first kind of snafu which Apple has had regarding logging in and passwords, etc.

Just a couple of months ago, there was a security hole which would display users' actual passwords if you clicked on the "Give me the password hint" button.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So rather than the hint, it would display the actual password.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So Apple keep on goofing up. So how could this be exploited? Well, imagine this.

Imagine you're working in an office, you're lucky enough to have Apple Macs, and you go away for lunch for your lovely tuna sandwich and someone comes by your desk, maybe your arch rival in the office.

Everyone has an arch rival, don't they? A nemesis.
CAROLE THERIAULT
I get on with everybody.
GRAHAM CLULEY
Okay. Lucky you. Anyway, so someone comes along and thinks, oh, I'll just log into Graham's computer.

And even if I've locked the computer, they can say, actually, I want to log in as root. Dink, dink, dink, dink, dink. And in they go.

And they've got the rights to do whatever they like. They can change passwords. They can install malware to spy upon you. Any kind of mischief.
CAROLE THERIAULT
Yeah. They become a god of your computer effectively, if they can get into the root.
GRAHAM CLULEY
Right. Now, at first, when I heard about this, I thought, well, at least you have to have physical access to the computer, but it turns out that that isn't the case.

Some researchers have already discovered that it is possible. There are scenarios where it is possible to exploit this flaw remotely.

So if, for instance, you've set up your Apple Mac to allow access via VNC or Apple Remote Desktop, people can do this as well.

Furthermore, if you've ever been irritated, you know, when you go into System Preferences and you change some settings on your Mac and it says, oh, you're gonna have to enter an admin username and password and you're like, oh, what's the admin username and password?

Well, worry no longer because all you have to do is type in root as your username and click OK and off you go.

So people are able to basically elevate their permissions on the computer and cause all kinds of mayhem.
CAROLE THERIAULT
So the advice here is not for people to disable their root, but it's to add a password to their existing, maybe never used root account so that if someone tries to infiltrate their computer, they will need to know the password to get in via that account, that root account.
GRAHAM CLULEY
Most Mac users will never ever have any reason to use the root account, okay? They've set up their own admin accounts, or maybe their IT team are using admin accounts instead.

So what you should do is you should change your root password, and you could make it completely and utterly random.
CAROLE THERIAULT
Well, add and create one because most people will not have a password there.
GRAHAM CLULEY
So change it from the default, which is how it ships, and that way people won't be able to gain access to your Mac.

And we will put in a link in the show notes where you can go to the Apple support knowledge base article where they tell you how to change the root password.

And the other thing is, of course, Apple is working on a fix. I would imagine that they're going to push it out quite quickly.

And when you see that popping up on your screen, update your Macs because this obviously isn't good enough.
CAROLE THERIAULT
Everybody with a Mac should do this. And there's some really good instructions that we'll give you. So it's really step-by-step. I've done them and, you know, it took me 30 seconds.
GRAHAM CLULEY
Cool. But the bigger story here, though, maybe is, I mean, this is very embarrassing, but what does this say about Apple's quality control?
CAROLE THERIAULT
Oh, stop it. Apple, I think Apple's quality control is pretty darn high. And I don't know, maybe I've been drinking the Kool-Aid too long.

But at the moment, I'm feeling assured that this has not yet been exploited in the wild.

And I'm hoping Apple are going to fix this at double quick time and that everything is going to go back to normal.
GRAHAM CLULEY
Well, you say that, Carole, but fascinatingly, if you go to the Apple Developer Forums, there were people who were asking questions a couple of weeks ago saying, "Oh, I'm having a problem doing this on my Mac." And there were people saying, "Oh, there's a way of getting around that.

All you have to do is type in a username of root and not enter any passwords." So this has been knowledge to some people for a few weeks and they have been using it maybe for good.

Who knows if it's been done for bad as well? Hard to say.

But I do wonder whether if control freak Steve Jobs was still in charge, whether, you know, he would be ripping people to shreds about a bug like this. Yes, wouldn't he?

I doubt he'd be terribly calm and pouring people a nice cup of tea and say, "Oh, these sort of things happen to anybody." Yeah, well, you know, RIP. Well, obviously.

Although I said at the beginning, you know, Windows users can feel smug, I think every company needs to be a little bit careful about bugs like this.

They can creep in all too easily if you're not doing thorough enough quality control, then bugs can appear in your software just like they have in macOS.

So our advice, change your root password, and when Apple push out a patch, apply that patch as soon as you can.
CAROLE THERIAULT
Yes. And Apple, get it out double quick time. This is a biggie.
GRAHAM CLULEY
And we'll be back sooner than you can imagine with a regular episode with all of the goodies, including— we've got no pick of the weeks this week, have we?

Was that a cat meowing in your background?
CAROLE THERIAULT
Yes, it's breakfast time.
GRAHAM CLULEY
See ya.
CAROLE THERIAULT
So I better go. Bye.
GRAHAM CLULEY
Bye.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

4 comments on “Apple fixes root password bug: ‘Install this update as soon as possible’”

  1. AJC

    Clearly the Apple chimpanzees were concentrating too much on their latest Shakespearean pastiche!

  2. BillBlagger

    Appears the 'fix' breaks file sharing for some
    https://www.theguardian.com/technology/2017/nov/30/apple-macos-high-sierra-fix-breaks-file-sharing-password-security-flaw-emergency-patch

  3. Kevin H

    I don't see how what is described is possible because when you try to log in to a locked mac you cannot enter an arbitrary username – you have to click on an icon for a username. If you have enabled the root user then you get an "other" icon to click on and then you can enter username/password, but if the root user is disabled then you don't get that option. I tried all kinds of things but was unable to get the login prompt for a username. Did I miss something?

    1. Graham Cluley · in reply to Kevin H

      If you're not seeing it at the login prompt then just wait until you try to do something which requires elevated privileges after you've logged in. For instance, tinkering with preferences or installing an application.

      At that point you're asked to enter credentials with admin privileges and this "root" trick could have been used.
