That was quick

Not necessarily a good thing when it comes to security patches! :)

You certainly want to get the fix out - especially when it's been released to the public and so many people are aware of the vulnerability - but it's more important to get the fix right. I wonder how many bugs and/or vulnerabilities are the result of rushed patches to other bugs/vulnerabilities.
 
How embarrassing...

I wish Apple did a better job testing their releases. We used to enjoy such high quality when it came to software updates and releases.

Did you read about the bug? It's not some kind of easy thing to discover and would easily be passed over by pretty much all testing attempts.

This is why not only did it take until now to discover, but also why companies pay bounties for hackers to find these kinds of things.
 
Amazing that this bug existed in the first place, however equally amazing response from Apple in terms of how quickly they released a fix.

As embarrassed as I am for Apple for this bug popping up, I'm quite certain that Windows would not have benefited from such a quick correction.
It's a good thing this isn't happening on Windows then.
 
This is actually an argument in favor of public disclosure of vulnerabilities. Lemi Orhan Ergin was catching a lot of criticism yesterday for posting it on twitter, but if this bug had been reported privately, it would have taken much longer to fix, while malicious actors would be able to exploit it all along.

While both sides have merit, it's unrealistic to think some bugs could be fixed as quickly as this one was, which is why there is criticism of the "zero day reporting" method.
 
Why would that have anything to do with Samsung TVs?

He means the TV advertisements. They jab at perceived weaknesses or flaws in Apple products. The current one getting heavy airplay shows a guy opening and using various iPhones over the years, then after he buys a Galaxy towards the end, he passes another guy waiting in line for the iPhone X who has his hair cut like the notch in the top of the iPhone X display. It's actually pretty funny - you see the picture of the phone in the background and it looks just like the guy's forehead.
 
Wow... that is surprising. Most users will never log in as root on their Mac.
But why would it have ever been set to blank?

It wasn't set to blank. There was an error in validating the password, and then it set your password to nothing.
 
N.b. this wasn't just about root. You could log in as any of the faceless user accounts. Someone should try these others too, if you've enabled the Guest user account. I'll bet if they're disabling the root account entirely, they didn't fix the whole bug.

macOS 10.13 bug isn't limited to root in all circumstances; via ARD, you can log in as any existing user (e.g. _applepay) and share the screen of the logged-in user. Also _uucp is allowed to log in.

https://twitter.com/unsynchronized/status/935656609140711426
 
This is actually an argument in favor of public disclosure of vulnerabilities. Lemi Orhan Ergin was catching a lot of criticism yesterday for posting it on twitter, but if this bug had been reported privately, it would have taken much longer to fix, while malicious actors would be able to exploit it all along.
True, sometimes it's necessary to go public so they'd have no choice but to patch it immediately. But I would still give Apple a couple weeks on something like this, unless there is any sort of evidence that it's already being exploited maliciously.
 
This would have been a very different story on Android. The majority of Android devices are still vulnerable to KRACK let alone any other issue that will never get fixed (except on Nexus devices).
Android is a mobile operating system, and you are also forgetting the fact that Google supports its own devices for at least as long as Apple does.
Google fixes all of its security issues, but most hardware producers don't fix their Android software as soon as the phone is off the market.
 
Let's face it. Every operating system or application will come across vulnerabilities, but it doesn't truly matter how bad or embarrassing they are (like this one was).

The real test of a quality company is how fast they can provide the update/patch to fix the security issues.

This was a big miss on the "QA front end" for Apple, but it was an excellent timely response to an urgent issue.
 
Does Craig lose some stock options for this and other software bugs that seem to become more prevalent with Apple software?

It boggles the mind that everyone seems to forget that Jony Ive was put in charge of software after they canned Forstall on trumped-up nonsense; only recently was Ive finally replaced by Craig.

All the garbage software Apple has released for the past 5 years is Ive's fault. He doesn't know software, and he's no manager by a long shot.
 
I'm officially done upgrading all Apple software until they're a few bug-fix releases past the launch. Between all the bugs in iOS 11, and now High Sierra, if I updated immediately I'd lose my ability to work in my day-to-day programs like the Adobe Creative Suite. They have dropped the ball on QA testing if random users can find these bugs and cracks so quickly.
 
This is actually an argument in favor of public disclosure of vulnerabilities. Lemi Orhan Ergin was catching a lot of criticism yesterday for posting it on twitter, but if this bug had been reported privately, it would have taken much longer to fix, while malicious actors would be able to exploit it all along.
I respectfully disagree. Lemi could have very easily given Apple 24 hours notice to fix or go public. By not doing so, they left a lot of computers vulnerable.
 
I'm not terribly surprised the fix came so fast. 1: It needed to. OS X has always touted itself as being secure, and whatever bugs have been there in previous releases they aren't usually ones that compromise the system like this. 2: How was this bug in there in the first place? Probably something SUPER SIMPLE to fix, a single line of code that was in there for testing or something that they just forgot to take out. It makes it an even more colossal blunder that it was pushed out like that.
 
Given how easy to exploit this bug is, it sure needed to be...

Until now, I didn't even know MacOS has a restartless mechanism for quick security updates. Clearly Apple anticipated a fix like this being necessary in advance ;)

If you perform software updates via the command line in Terminal, you don't even need to restart for macOS point updates (though they say that you should). Everything seamlessly updates while you are working with no disruption to the user.
 
You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

Three... count 'em... THREE... critical and ridiculous security issues with Mac OS High Sierra within as many months. This one, the Disk utility one, and the keychain one. And that's just the security issues...

There's no excuse for it. Saying "well, microsoft is just as bad" just means that Apple is stooping to Microsoft's level... but I'd actually venture to say that Apple is starting to get worse than Microsoft when it comes to Mac OS vs Windows.
 
Would this have been a fixable issue for the semi-savvy to just open a console window and type "sudo passwd root"... and then set a password that isn't blank?
 
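As an added example, not code from this thread or from Apple, here is a simplified Python model of the failure mode described earlier in the thread (a login check that rewrites a disabled account's credential instead of rejecting it, so the first attempt fails and the second succeeds) beside a hardened version, and of why setting a real root password closes the hole in that model, which is the question asked just above. It also shows that the same path applies to any account with no stored credential, not only root, as the ARD post noted. The account names, the PBKDF2 hashing and the sample password are constructed for the illustration; the model does not claim to reproduce Apple's actual opendirectoryd code.

```python
"""Simplified model of a login path that "upgrades" a disabled account's
credential on a failed attempt instead of rejecting it (added example, not
Apple's code). Account names, hashing and passwords are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the real directory service stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: Optional[bytes] = None  # None == disabled, no credential stored


def set_password(acct: Account, password: str) -> None:
    """Model of 'sudo passwd root': store a real credential for the account."""
    acct.password_hash = derive(password, acct.salt)


class VulnerableAuth:
    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.name: a for a in accounts}

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            return False
        if acct.password_hash is None:
            # Modelled bug: "no stored hash" is mistaken for a legacy credential
            # that needs upgrading, so the supplied password is written as the
            # new credential. This attempt still fails; the next one succeeds.
            set_password(acct, password)
            return False
        return hmac.compare_digest(acct.password_hash, derive(password, acct.salt))


class HardenedAuth(VulnerableAuth):
    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.password_hash is None:
            return False  # disabled account: never accept, never mutate
        return hmac.compare_digest(acct.password_hash, derive(password, acct.salt))


def try_twice(auth_cls, name: str = "root",
              preset_password: Optional[str] = None) -> List[bool]:
    """Two logins as `name` with an empty password; returns both results.
    If preset_password is given, the account has a real credential first,
    i.e. someone already ran the equivalent of 'sudo passwd root'."""
    acct = Account(name)
    if preset_password is not None:
        set_password(acct, preset_password)
    auth = auth_cls([acct])
    return [auth.authenticate(name, ""), auth.authenticate(name, "")]


if __name__ == "__main__":
    print("vulnerable, root disabled:     ", try_twice(VulnerableAuth))
    print("hardened,   root disabled:     ", try_twice(HardenedAuth))
    print("vulnerable, _uucp disabled:    ", try_twice(VulnerableAuth, "_uucp"))
    print("vulnerable, root password set: ", try_twice(VulnerableAuth, preset_password="hunter2"))
```

The point of the model is the ordering: the vulnerable path mutates state (writes a credential) before it has established the caller is legitimate, so a failed attempt leaves the account in a state where the next attempt succeeds. Setting a real password removes the "no stored hash" condition that triggers the bad branch, which is why it served as a stopgap in this model; the hardened path makes a disabled account a hard reject with no side effects, so no stopgap is needed.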