Smashing Security podcast #054: A great big fat macOS bug

Smashing Security, Episode 54: A Great Big Fat macOS Bug with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 54, a special bonus podlet of Smashing Security. And I am joined by Carole Theriault. Hello, Carole. Why are we chatting today?

Why are we releasing a podcast on a Wednesday, for goodness sake?

Well, there was quite a big Mac snafu that just happened. And we thought we would give some people some advice and some reassurance at this stage.

It's pretty bad.

I think this is of interest if you're an Apple user, obviously, because of the security vulnerability, but it's also of interest, I think, if you're a Windows user, because this is a great excuse to feel really, really smug about running Windows rather than Apple Macs.

I'm not sure I'd agree with that. Yeah, it's still a big deal though.

Sometimes Windows users, they need an excuse to feel smug compared to those Apple-using polo-neck-wearing.

Hey, I'm glad they exist. They keep the whole market a bit more heterogeneous.

Yeah, well, long word, Carole, for a Wednesday morning.

Well, glad I impressed.

Let's describe exactly what has happened. A Turkish developer, his name is Lemi, or can't be Lemi from Motörhead, surely.

Lemi or Liman Ergin, he found a colossal security hole in the latest shipping version of macOS, also known as High Sierra 10.13.

What it means is that anyone can log in to a Mac computer and have access to admin rights.

So they're logging in with basically godlike admin rights to the computer without a password. You can just type in your username as root, hit enter a few times, and you get in.

Whoa, whoa, whoa though, Graham. I'm under the impression that the root account is actually disabled by default on a Mac.

So surely this is only going to impact those that have enabled their root account.

Ah, well, yes, you're right.

The root account is disabled, but it appears that this vulnerability means that if you type in your username as root, it kind of re-enables the root account, which by default has no password.

And so you get in. It's absolutely—

Whoa! Yeah. This is much bigger than I thought.

Right. So, I mean, it's extraordinary. And this isn't the first kind of snafu which Apple has had regarding logging in and passwords, etc.

Just a couple of months ago, there was a security hole which would display users' actual passwords if you clicked on the "Give me the password hint" button.

Yeah.

So rather than the hint, it would display the actual password.

Yeah.

So Apple keep on goofing up. So how could this be exploited? Well, imagine this.

Imagine you're working in an office, you're lucky enough to have Apple Macs, and you go away for lunch for your lovely tuna sandwich and someone comes by your desk, maybe your arch rival in the office.

Everyone has an arch rival, don't they? A nemesis.

I get on with everybody.

Okay. Lucky you. Anyway, so someone comes along and thinks, oh, I'll just log into Graham's computer.

And even if I've locked the computer, they can say, actually, I want to log in as root. Dink, dink, dink, dink, dink. And in they go.

And they've got the rights to do whatever they like. They can change passwords. They can install malware to spy upon you. Any kind of mischief.

Yeah. They become a god of your computer effectively, if they can get into the root.

Right. Now, at first, when I heard about this, I thought, well, at least you have to have physical access to the computer, but it turns out that that isn't the case.

Some researchers have already discovered that it is possible. There are scenarios where it is possible to exploit this flaw remotely.

So if, for instance, you've set up your Apple Mac to allow access via VNC or Apple Remote Desktop, people can do this as well.

Furthermore, if you've ever been irritated, you know, when you go into System Preferences and you change some settings on your Mac and it says, oh, you're gonna have to enter an admin username and password and you're like, oh, what's the admin username and password?

Well, worry no longer because all you have to do is type in root as your username and click OK and off you go.

So people are able to basically elevate their permissions on the computer and cause all kinds of mayhem.

So the advice here is not for people to disable their root, but it's to add a password to their existing, maybe never used root account so that if someone tries to infiltrate their computer, they will need to know the password to get in via that account, that root account.

Most Mac users will never ever have any reason to use the root account, okay? They've set up their own admin accounts, or maybe their IT team are using admin accounts instead.

So what you should do is you should change your root password, and you could make it completely and utterly random.

Well, add and create one because most people will not have a password there.

So change it from the default, which is how it ships, and that way people won't be able to gain access to your Mac.

And we will put in a link in the show notes where you can go to the Apple support knowledge base article where they tell you how to change the root password.

And the other thing is, of course, Apple is working on a fix. I would imagine that they're going to push it out quite quickly.

And when you see that popping up on your screen, update your Macs because this obviously isn't good enough.

Everybody with a Mac should do this. And there's some really good instructions that we'll give you. So it's really step-by-step. I've done them and, you know, it took me 30 seconds.

Cool. But the bigger story here, though, maybe is, I mean, this is very embarrassing, but what does this say about Apple's quality control?

Oh, stop it. Apple, I think Apple's quality control is pretty darn high. And I don't know, maybe I've been drinking the Kool-Aid too long.

But at the moment, I'm feeling assured that this has not yet been exploited in the wild.

And I'm hoping Apple are going to fix this at double quick time and that everything is going to go back to normal.

Well, you say that, Carole, but fascinatingly, if you go to the Apple Developer Forums, there were people who were asking questions a couple of weeks ago saying, "Oh, I'm having a problem doing this on my Mac." And there were people saying, "Oh, there's a way of getting around that.

All you have to do is type in a username of root and not enter any passwords." So this has been knowledge to some people for a few weeks and they have been using it maybe for good.

Who knows if it's been done for bad as well? Hard to say.

But I do wonder whether if control freak Steve Jobs was still in charge, whether, you know, he would be ripping people to shreds about a bug like this. Yes, wouldn't he?

I doubt he'd be terribly calm and pouring people a nice cup of tea and say, "Oh, these sort of things happen to anybody." Yeah, well, you know, RIP. Well, obviously.

Although I said at the beginning, you know, Windows users can feel smug, I think every company needs to be a little bit careful about bugs like this.

They can creep in all too easily if you're not doing thorough enough quality control, then bugs can appear in your software just like they have in macOS.

So our advice, change your root password, and when Apple push out a patch, apply that patch as soon as you can.

Yes. And Apple, get it out double quick time. This is a biggie.

And we'll be back sooner than you can imagine with a regular episode with all of the goodies, including— we've got no pick of the weeks this week, have we?

Was that a cat meowing in your background?

Yes, it's breakfast time.

See ya.

So I better go. Bye.

Bye.