Lol are you kidding? Root having no password is something extremely easy to discover. You're clearly trying to talk about something you don't understand.

Ok so no, you didn't read about it.

First off, you can't even replicate this in the default configuration unless a current user is logged in (the default configuration offers you no area to change the user name).

Second, it doesn't work on the first try, you have to keep clicking the password field repeatedly until it lets you in.

Third, if it was "so easy to find" it would have been found months ago in beta.

Maybe, just maybe I'm not the one talking about something I don't understand ;)
What you're saying is simply unrealistic. You will not find every exploit in a complex operating system. They exist in iOS, they exist in macOS, they exist in Windows, they exist in Android, they exist in Linux. Firing everyone involved will simply result in less qualified people being in charge.

You're completely right. Sadly most people in this thread have zero experience in software development and it shows. They don't understand that these kinds of very odd bugs are why big tech companies pay bounties to hackers to find them. Testing would easily skip over this bug because it requires a very specific configuration (having your user login style changed from the default, otherwise you can't type "root" into the login screen), and dumb luck (hammering the enter key repeatedly since it doesn't work on the first try).
 
Bugs are FINE? Nowhere did I tell someone that. That alone speaks volumes about the veracity of your posts. There are many more in your last post, as well.

post #148.

So what am I missing between post 51 and post 148, in which you consider someone's reaction to be knee-jerk for asking that Apple tests their software "better" and making a very valid and cynical point that an OS cannot be 100% bug free..... Kettle meet pot. Maybe you were the one having a knee-jerk reaction? Understanding development life cycle is irrelevant to the issue here.... you still keep ignoring the point about deadlines which is the real issue, so still in this debate.... you still consider people who react to this bug as knee-jerk? and should not be asking for better testing? I'm intrigued? I and many others want Apple to spend more time testing.......
 
You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

I think we all heard of Windows. I switched over to Windows 10 and couldn't be happier. Windows 10 never actually gave admin ability without a password. Never. Has fewer bugs. A lot fewer. Actually Windows 10 is far superior to Mac on the hardware and software side.

The hardware is a running joke now. They are selling hardware with HD 5000 integrated GPUs and CPUs that were released in 2013. Let that sink in for a min. It's almost 2018.

iOS is actually getting worse. How many patches did they release already for iOS 11?

The Mac Pro has not been updated in four years on the hardware side. The current iMac was released in 2012. And they released a useless Touch Bar no one asked for.

Mac hardware and software is dying. Literally. This isn't simply some random harmless bug. This is a major security flaw. The worst Apple has ever done. This flaw would not happen at a small startup, let alone a billion-dollar comp. Lack of accountability.

So yes, give me a break acting like it's no big deal. My business, if still running on Mac, would be in jeopardy. Apple is dying slowly as before. I saw it then and the exact same thing is happening now.

This actual thread is amazing. I am seeing posts thanking Apple for fixing it so quickly? Saying testing would never find this? Saying Microsoft would take a long time? What! How about Microsoft wouldn't let this happen in the first place? Are people on here that naive? Brainwashed much?

Microsoft is the underdog, what Apple used to be. Their Surface lineup puts Apple's to shame. It's embarrassing actually. My SB2 has zero problems, and is more powerful and useful than any MacBook. It's sad really to see. I used to despise Microsoft and was just like most on here and believed Apple can do no wrong. Luckily I woke up. You should too.
SECOND Security Update!

Apple published another update some minutes ago.

My advice: Restart your machine after the update! Check the build number in "About this Mac" (click on 10.13.1). Is it 17B1003 (after the second update)? If not: restart your machine. You'll encounter a "Setting up your Mac" routine when it starts (pretty unusual for a "normal" restart).

Here—MacBook Pro (15-inch, Late 2016)—it was 17B48! Only after the restart was it 17B1003!! I hope Apple didn't forget that after the update a restart is obligatory! After both updates a restart was not required by default. (Or it's just the build number which is flawed. Confused.)

Btw, if you have installed only the first security update, the build number should be 17B1002.

Attachment (screenshot): Both updates in the "recent updates" list in Mac App Store (German-language).

Edit: A buddy told me that it isn't necessary to restart the machine to be able to see the most recent build number. BUT you have to close and reopen the "About this Mac" window. I can't verify this right now. Please restart your machine anyway.

I can confirm on 10.13.2 - latest beta this has not been fixed - no difference - still occurs.
 
Discussed this at work. There’s zero chance that testing would find that kind of problem. This is a problem with the development process.

You don't actually believe this do you? What about testing during the development process?
Still, this mistake by Apple is amateurish. Checking for lack of passwords for pre-installed admin level accounts like this (that are not a part of the first power-on setup sequence) is one of the first things that any test bucket should include, automated or no.

The fact that a company like Apple was not checking for this is completely facepalm-worthy.
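The two checks the posts above describe (the build number shown in "About this Mac" after the update, and whether a pre-installed admin account such as root is enabled without a password being set in setup) as a small sh audit script. This is an added example, not code from the thread or from Apple; it assumes the usual output of `dscl . -read /Users/root AuthenticationAuthority` (a disabled root has no AuthenticationAuthority key, an enabled one carries a `;ShadowHash;` entry) and treats only the 10.13.1 builds the thread names, 17B1002 and 17B1003, as patched.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Combines the thread's two
# post-update checks for the 10.13.1 root bug: is the installed build one of
# the patched builds named in the thread, and is the root account enabled at all.
# Only the two macOS commands are real (sw_vers -buildVersion and
# dscl . -read /Users/root AuthenticationAuthority); the rest is this example's own.

PATCHED_BUILDS="17B1002 17B1003"   # builds after the first / second security update (from the thread)

# build_is_patched BUILD: succeeds only for a build the thread names as patched.
# Any other string (17B48, a 10.13.2 beta, an unknown build) is reported as
# unpatched; the thread notes the 10.13.2 beta at the time was not fixed either.
build_is_patched() {
    for b in $PATCHED_BUILDS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# root_enabled_from_dscl: reads the output of
#   dscl . -read /Users/root AuthenticationAuthority
# on stdin. Assumption: a disabled root user has no AuthenticationAuthority key,
# so dscl prints "No such key"; an enabled one carries a ;ShadowHash; entry.
root_enabled_from_dscl() {
    grep -q ';ShadowHash;'
}

# audit_root: run the live checks on a Mac and print one verdict line per check.
# Returns 0 when the build is patched and root is disabled, 1 otherwise.
audit_root() {
    build=$(sw_vers -buildVersion)
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    status=0
    if build_is_patched "$build"; then
        echo "build $build: one of the patched 10.13.1 builds"
    else
        echo "build $build: NOT a patched 10.13.1 build - install the security update and restart"
        status=1
    fi
    if printf '%s\n' "$aa" | root_enabled_from_dscl; then
        echo "root account: ENABLED - set a root password or disable the account"
        status=1
    else
        echo "root account: disabled"
    fi
    return $status
}

# Run the live audit only where the macOS tools exist, so the helpers above
# can still be exercised on other systems.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    audit_root
fi
```

The build check is deliberately a whitelist of the two builds named in the thread rather than a "newer is better" comparison, because the thread itself reports a later 10.13.2 beta that was still affected.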

Best post of this thread. Winner winner chicken dinner!
As an enterprise-level systems engineer with over 3 decades of experience, I must say that you have captured the issue here perfectly. Let's take a moment for this to sink in. At the same time, the OS team at Apple has one product in production that allows people to log in as the root user with a blank password, and another OS, undergoing beta testing, that breaks the phone function on a phone OS and has for the past 3 builds. Word is that they intend to release that OS within days and no one is clear if the bug affecting the phone app will be fixed or not. It is clear that the QC functions of the Apple OS dev teams are totally broken. When severity level 1 bugs like this are making it into the hands of customers and developers, your QC process is no longer working. I hope that Tim Cook is personally involved and taking meetings about what is going to be done about fixing this right now. That's what a CEO is for: to respond to issues that are of the most serious nature. I can't imagine one that is more serious than this.

Exactly. This is pure amateur sloppy work. My guess is that the people working and testing on the software side are inexperienced and shouldn't be in those positions. There should be protocols in place for every step of development.
 
Not only was that quick, I believe it was the first hands-off update I've ever seen on a Mac. I went to install it on my Mac mini server last night, and discovered it had already been downloaded and installed, without any intervention at all.



Apple wasn't kidding when they said it was going to be pushed out to all High Sierra machines.
 
I think we all heard of Windows. I switched over to Windows 10 and couldn't be happier. Windows 10 never actually gave admin ability without a password. Never. Has fewer bugs. A lot fewer. Actually Windows 10 is far superior to Mac on the hardware and software side.

The hardware is a running joke now. They are selling hardware with HD 5000 integrated GPUs and CPUs that were released in 2013. Let that sink in for a min. It's almost 2018.

iOS is actually getting worse. How many patches did they release already for iOS 11?

The Mac Pro has not been updated in four years on the hardware side. The current iMac was released in 2012. And they released a useless Touch Bar no one asked for.

Mac hardware and software is dying. Literally. This isn't simply some random harmless bug. This is a major security flaw. The worst Apple has ever done. This flaw would not happen at a small startup, let alone a billion-dollar comp. Lack of accountability.

So yes, give me a break acting like it's no big deal. My business, if still running on Mac, would be in jeopardy. Apple is dying slowly as before. I saw it then and the exact same thing is happening now.

This actual thread is amazing. I am seeing posts thanking Apple for fixing it so quickly? Saying testing would never find this? Saying Microsoft would take a long time? What! How about Microsoft wouldn't let this happen in the first place? Are people on here that naive? Brainwashed much?

Microsoft is the underdog, what Apple used to be. Their Surface lineup puts Apple's to shame. It's embarrassing actually. My SB2 has zero problems, and is more powerful and useful than any MacBook. It's sad really to see. I used to despise Microsoft and was just like most on here and believed Apple can do no wrong. Luckily I woke up. You should too.

No thanks.

Both OSes are equally good, it's just whatever you prefer. I would put macOS/Apple ahead of Windows/MS any day for many reasons. One of those big reasons is the ecosystem and ability to work on any Apple device and seamlessly move over to another and so on. AirDrop, iCloud Drive, iCloud Photo Library, inclusion of an "Office" software package and other apps that work seamlessly and without issue. The Windows interface is a mess. I don't care how you slice it, it makes NO common sense and the UI elements are all over the place. MS couldn't even keep their mobile OS alive.

Surface Book 2 eh? Well, you're one of the few who has no problems. SB hardware has been plagued with hardware and software problems from the get go. There's nothing you can do, that I can't do on my iPad Pro/MBP.

Pick what works for you.

I chose Apple for 90% of my stuff and have a gaming windows machine for my other 10% of things. I love Apple products and the system. I don't get that with Windows. You can but it's pretty clunky if at all available.
 
The problem is not being bug-free or not bug-free. The problem is that it's an extremely glaring and obvious hole that should have been caught by automated tests! Checks for whether the root user is automatically enabled are the most obvious thing to test for. What this situation shows is that software development policies at Apple are completely and utterly mismanaged. It would be a different thing if we had a more obscure bug that occurs at the intersection of several non-trivial features, but it's permissions for the root user of all things!

Not to mention that it's most likely not a bug in the first place. Probably some dev at Apple whitelisting root access for testing purposes and forgetting to reset it after they were done...

Spot on. I don't think it's a bug either.
 
post #148.

So what am I missing between post 51 and post 148, in which you consider someone's reaction to be knee-jerk for asking that Apple tests their software "better" and making a very valid and cynical point that an OS cannot be 100% bug free..... Kettle meet pot. Maybe you were the one having a knee-jerk reaction? Understanding development life cycle is irrelevant to the issue here.... you still keep ignoring the point about deadlines which is the real issue, so still in this debate.... you still consider people who react to this bug as knee-jerk? and should not be asking for better testing?
I'm intrigued? I and many others want Apple to spend more time testing.......

Again, nowhere did I say bugs are FINE.

Keep digging...

And now you obfuscate with me ignoring the point about deadlines. What? Really? Yes, I know about deadlines, having been responsible for many tech-related projects being delivered over many years.

Your hole is getting deeper.

Have you communicated your “wants” to Apple? I imagine you have a good understanding of Apple’s OS test and QA programs/regimens and can make specific recommendations to help.
 
Again, nowhere did I say bugs are FINE.

Keep digging...

And now you obfuscate with me ignoring the point about deadlines. What? Really? Yes, I know about deadlines, having been responsible for many tech-related projects being delivered over many years.

Your hole is getting deeper.

Not deadlines ..... quality .... It's quality that suffers...as a result of deadlines....you really have missed my point ..... tech-related and software development is not the same ... that is clear ...

Have you ever delivered a software project .... don't worry, I can see you have not, though we have degenerated to cheap shots so....

Have a good day, We are done here.
 
Not deadlines ..... quality .... It's quality that suffers...as a result of deadlines....you really have missed my point ..... tech-related and software development is not the same ... that is clear ...

Have you ever delivered a software project .... don't worry, I can see you have not, though we have degenerated to cheap shots so....

Have a good day, We are done here.

No, I haven't missed your point at all. And yes, I have delivered software projects. Certainly not an OS, but since you seem to know how Apple is lacking on OS test procedures, I suspect you have.

You seem to be going on about how you want Apple to spend more time testing, without specifying what "more" means, either in amount or the nature/substance. Just "more"... I asked if you have communicated your wants to Apple, with specific recommendations. Since you didn't answer, I'm guessing the answer is no. Well, there you go.
 
I think we all heard of Windows. I switched over to Windows 10 and couldn't be happier. Windows 10 never actually gave admin ability without a password. Never. Has fewer bugs. A lot fewer. Actually Windows 10 is far superior to Mac on the hardware and software side.

It's really a good joke about Windows having fewer bugs. Please give regards to those 2.6 million people (2016-2017) who had their Windows machines locked with various ransomware, because Windows has fewer bugs. That's superiority for you!

The hardware is a running joke now. They are selling hardware with HD 5000 integrated GPUs and CPUs that were released in 2013. Let that sink in for a min. It's almost 2018.

The Mac Pro has not been updated in four years on the hardware side. The current iMac was released in 2012. And they released a useless Touch Bar no one asked for.

So, when you are buying a new 2017 Windows laptop with an HD 5000 integrated GPU, the GPU is somehow not from 2013? They demoed the new iMac, which will replace the Mac Pro.


Mac hardware and software is dying. Literally. This isn't simply some random harmless bug. This is a major security flaw. The worst Apple has ever done. This flaw would not happen at a small startup, let alone a billion-dollar comp. Lack of accountability.

Just go to fireeye.com and take a look how many exploits were found today for Windows (245), versus Mac (0).


So yes, give me a break acting like it's no big deal. My business, if still running on Mac, would be in jeopardy. Apple is dying slowly as before. I saw it then and the exact same thing is happening now.

How can a dying company be number 1 in the world while Google and Microsoft are losing to a book store (Amazon)?

Microsoft is the underdog, what Apple used to be. Their Surface lineup puts Apple's to shame. It's embarrassing actually. My SB2 has zero problems, and is more powerful and useful than any MacBook. It's sad really to see. I used to despise Microsoft and was just like most on here and believed Apple can do no wrong. Luckily I woke up. You should too.

If you like Microsoft so much and have woken up, why don't you go to work for Microsoft? Or go to the Microsoft forums and write some posts about how Windows Phone is amazing; how Zune is the best player; how Internet Explorer doesn't get any viruses while browsing p0rn; how Surface laptops weren't returned to warehouses and sold out in shops. Also please write how cool-looking a smartwatch you can buy from Microsoft. Or how cool the Microsoft speaker with artificial intelligence is?
 
Windows 10 never actually gave admin ability without a password. Never.

Haha. The problem is that UAC has a whitelist hole that has existed since Windows 7 in the form of rundll32: https://arstechnica.com/information-technology/2009/02/the-curious-tale-of-windows-7s-uac/

The unfortunate reality is that Windows 10 still contains that hole. And the explanation given by Microsoft is that "Elevation is not a security boundary", and that it is meant to keep developers honest, not keep out malware. Which is weird, because on every other platform, elevation is a security boundary.

For your sake, I hope you have UAC set to always notify rather than the default.
 
Ok so no, you didn't read about it.

First off, you can't even replicate this in the default configuration unless a current user is logged in (the default configuration offers you no area to change the user name).

Second, it doesn't work on the first try, you have to keep clicking the password field repeatedly until it lets you in.

You don't find it scary that if you had Screen Sharing enabled, pretty much anyone on the same network was able to log into your machine remotely as root without you even noticing using no password and pressing enter twice? (yes, I tried this myself, and it worked on a machine where the root user had not been enabled before and I had not tried to use the exploit locally on that machine beforehand either – It just worked)
 
You don't find it scary that if you had Screen Sharing enabled, pretty much anyone on the same network was able to log into your machine remotely as root without you even noticing using no password and pressing enter twice? (yes, I tried this myself, and it worked on a machine where the root user had not been enabled before and I had not tried to use the exploit locally on that machine beforehand either – It just worked)

I tested that prior to patching. It did not work and could not possibly work since the root user was not enabled. I also tested SSH.
 
Did you do it correctly? Just because you couldn’t do it proves nothing.

I wouldn’t say it if I didn’t believe I “did it correctly”. I disabled the root account, after testing locally but before setting a password (prior to the patch being issued that was the fix), and attempted several times to connect with ARD and SSH. Neither worked. For now, I’ll take my experience over a sketchy tweet.

One point though, I’m on the public betas. I hadn’t updated to the latest and the local exploit worked. Remote did not. I can’t say for sure that the then-current public release did not act differently, and I’m neither a liar nor a blind defender.
 
I’ll take my experience over a sketchy tweet.

It's not like the author doesn't know what he's talking about. I also managed to reproduce it 100% just a few minutes ago, on a clean install of 10.3.1. If you've held on to the install media, you might try it again (just make sure the patch isn't applied automatically beforehand). APFS makes it very easy to quickly add and afterwards delete another volume to a volume group for testing purposes. I literally only used the setup assistant to create a user, then disabled all automatic updates, connected to WiFi + enabled screen sharing with a click => instantly remotely exploitable by logging on with root/no pw + 2x enter from another Mac running macOS Sierra 10.12.6 on the same network
It's not like the author doesn't know what he's talking about. I also managed to reproduce it 100% just a few minutes ago, on a clean install of 10.3.1. If you've held on to the install media, you might try it again (just make sure the patch isn't applied automatically beforehand). APFS makes it very easy to quickly add and afterwards delete another volume to a volume group for testing purposes. I literally only used the setup assistant to create a user, then disabled all automatic updates, connected to WiFi + enabled screen sharing with a click => instantly remotely exploitable by logging on with root/no pw + 2x enter from another Mac running macOS Sierra 10.12.6 on the same network

I’m not in a position to try at the moment. If that is true it certainly adds an extra level of threat. Not sure how many people have ARD or SSH enabled but it’s certainly > 0, and that’s too many. Brutal bug.

Edit: I’d LOVE to know what forum the oblivious guy on the Apple dev forum heard this on. He said he couldn’t remember. The nature of the forum would definitely provide guidance on the likelihood and volume of this being exploited.
 