It was "reported" about a month ago on Apple's support forum. So it does seem likely some people out there were aware of it before Apple became aware.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Releases macOS High Sierra Security Update to Fix Root Password Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
It was "reported" about a month ago on Apple's support forum. So it does seem likely some people out there were aware of it before Apple became aware.
Too bad the guy who found the bug had to go public with it right away. I'm sure Apple would have fixed it quickly either way, but now the secret is out and all the updated machines will be vulnerable. Lots of people don't do regular updates.
Really? You are 'what about' arguing this already? This isn't some complex, hard to find, hard to implement or questionable security hole.
No, it wasn't. The bug got posted on the Apple forums two weeks ago already, as you can read here:
https://forums.developer.apple.com/thread/79235 (browse to november 13th, a post from chethan177). Maybe the issue got posted somewhere else before as well.
Unfortunately the Apple devs don't read those forums. And appearantly no one at Apple is reading those forums. Maybe this will change as having the bug fixed two weeks ago would have prevented a lot of damage / loss of goodwill.
Maybe reread the announcements. You seem confused on the basic details.
Effects 10.13.1 specifically.
The fix does not put in a password.
[doublepost=1511985506][/doublepost]
If you have screen sharing or remote management enabled...
This problem was so extraordinary stupid that hackers didn’t look for it, and that serious developers saw it as a way that could help them solving people’s problems. It’s like leaving your keys in the front door, and the postman is happy that he can put your packages indoors when you’re not at home - since he is an honest person, it doesn’t even occur to him that you could be robbed.
That’s what you say with hindsight. It’s a great idea after the fact. Nobody had this great idea before it happened.
It seems to be working fine for me, tested it on both a dedicated Windows PC and another Mac running Windows.
Seriously, your complaining that they fixed a major vulnerability too quickly? Had it taken an extra day or two, I’m sure you would complain about that as well. I imagine Apple can do no right in your eyes.
So you need physical access and a login password to activate this bug........ummmm. Not a problem in this household.
I patched the vulnerability manually a few minutes after the news broke. Permanent fix showed up the next day. Issue resolved for good. Quick and painless (no reboot required). Good work Apple.
And now back to our regularly scheduled trolls whining about this even though the real world has moved on.
And now back to our regularly scheduled trolls whining about this even though the real world has moved on.
It'll work if you've enabled the less secure password option, but doesn't work otherwise.
Why does a mobile OS make it okay to have major security flaws? There’s a large chunk of the population who’s only “computer” is their phone.
Also, Google only guarantees support for their Pixel line for 3 years - 2 years of feature updates and another year of security updates. Currently, Apple still supports the iPhone 5S, which is 4 years old - and it’ll probably get iOS 12 next years as Apple typically supports their phones for 5 years.
This mistake is more on the end of people who gave everything final approval, not on the one guy who happened to write those particular lines. (Also, bugs don't get found by someone "remembering" them.) These two problems are BIG, they aren't something a company should shrug their shoulders about and say "now we know better for next time". These are two black eyes on Apple's security reputation.
Apparently the bug is a bit more complicated than it looks. According to this preliminary analysis:
https://objective-see.com/blog/blog_0x24.html
it seems MacOS first tries to update the root account to a shadow password, but erroneously sets the user-supplied password (blank or otherwise) without proper verification. After that, you can log in with the supplied password. This explains why you have to click "unlock" twice (first the account is updated and activated, the second click actually logs you in), and why it works not just with a blank but with any password.
Indeed. It's so spectacularly unlikely you'd never think to test it, manually or automatically.
I'm glad this was addressed so quickly for those running HS, but is something that should not have happened, along with some other problems I read about in HS. They have been getting very sloppy. I haven't upgraded to High Sierra yet because of my lack of faith in current apple, for reasons like this, when I used to upgrade much sooner.
I hope what they said about auditing and reflecting more are sincere as I really feel they need some serious introspection in the whole company and not just MacOS development.
I hope what they said about auditing and reflecting more are sincere as I really feel they need some serious introspection in the whole company and not just MacOS development.
