Does Craig lose some stock options for this and other software bugs that seem to become more prevalent with Apple software?
Some people need to lose something over the total loss of quality around Apple OS products. I have been a Mac user for 16 years now and an iPhone/iPad user since the 3G in 2008, the 2017 OS releases have the worst quality that any Apple OS's have ever had. Someone must be held to account and change must be had. If things (or jobs) need to be taken away so be it.
 
You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.
Sorry but this is ridiculous. When it comes to "security flaw", it's hard to imagine anything worse than what was just seen with High Sierra. It's not even an exploit that required code research. It's literally entering "root" as the user and having total control of the machine. But that's fine because... Windows?
 
This is just sloppy sloppy sloppy sloppy. Beyond sloppy. We were all making fun of Samsung for the battery disaster, but this is much much much worse. There are no code reviews at Apple??? There are no unit tests and no regression tests? There is no security harness? This stuff makes me super angry. Who knows how many machines were compromised already...
 
Wondering if they'll be including an official fix for it in the next release be it beta/dev of 10.13.2, since some of us are already on it.
 
This is just sloppy sloppy sloppy sloppy. Beyond sloppy. We were all making fun of Samsung for the battery disaster, but this is much much much worse. There are no code reviews at Apple??? There are no unit tests and no regression tests? There is no security harness? This stuff makes me super angry. Who knows how many machines were compromised already...
As an enterprise level systems engineer with over 3 decades of experience I must say that you have captured the issue here perfectly. Let's take a moment for this to sink in. At the same time, the OS team at Apple has one product that is in production that allows for people to log in as the Root user with a password set to be blank and another OS, that is undergoing beta testing, that breaks the phone function on a phone OS and has for the past 3 builds. Word is that they intend to release that OS within days and no one is clear if the bug affecting the phone app will be fixed or not. It is clear that the QC functions of the Apple OS dev teams are totally broken. When severity level 1 bugs like this are making it into the hands of customers and developers, your QC process is no longer working. I hope that Tim Cook is personally involved and taking meetings about what is going to be done about fixing this right now. That's what a CEO is for. To respond to issues that are of the most serious nature. I can't imagine one that is more serious than this.
 
That particular response was knee-jerk in nature.

So all of software you have developed/tested over your 17 years, at the scope similar to a major operating system, was delivered 100% bug-free? Tell me more...

With respect to my photography and engineering background, you may not know some people have had multiple careers.

Please don't be silly, seriously, there is no such thing as 100% bug-free software..... that is why we have priorities / severity, lowest level bugs are just not worth the effort or business value to resolve ....

What you are dealing with here is highest priority critical bug....

Do you understand how bad this is? Macs with guest accounts .... and there are so many instances where these are used in companies, schools, institutions etc.... can gain root access? You understood the severity, right?

Sorry, anyone playing this down, or viewing this as an acceptable "bug" does not understand what the issue here is.

While so many of the apologists are too busy missing the point, thankfully Apple is not and has issued the patch....

You also ignored my question in relation to software development. I assume you were not a software engineer? If you were, please answer my question, otherwise please don't speak for us and the silly notion of 100% bug free software development ...
 
Just checked on my cheese grater Mac Pro running 10.13.2 beta 5 public (updated yesterday) and was able to login from the opening screen after booting using root and blank password!!!! I used to only have my icon to click for login but there was also one for 'other' which I used to enter root.

No sign of the security update in the App Store

and can't seem to get rid of the 'other' login icon. (It doesn't show on my MacBook running beta 4 public)

My computer is wide open - need to keep my office locked :)

Is this Karma for me trying out a Surface Studio in a store earlier today? (nice machine but prices similar to top end iMac or the forthcoming iMacPro)


ps I was able to go to the user documents folder for my legitimate login and read the files so I did have root privileges.
 
You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

I wouldn't just blindly believe macOS is more secure than Windows. Here were the number of vulnerabilities on all operating systems in 2016:

https://www.lifehacker.com.au/2017/01/which-software-had-the-most-vulnerabilities-in-2016/

Apple OS X had a considerable amount of vulnerabilities, comparable to Windows. I'm not going to say Apple's OS had more vulnerabilities because the article states the following:

"It's worth noting the CVE Details list itself doesn't breakdown the severity of the vulnerabilities, it simply aggregates them. The list also doesn't differentiate between different versions of some of the software; for example, vulnerabilities for various versions of Mac OSX are lumped together. The same thing goes for Android."

This is just one of the many articles talking about vulnerabilities between OSes. 2017 is not over yet so there's nothing to compare with right now (AFAIK).

It is just poor to think Microsoft's security is not on par with Apple's. Apple did a great marketing campaign about a decade ago saying how Macs were so secure compared to Windows PCs (Vista at the time). A lot has changed between then and now but I think that notion just stuck with people.

That being said, I still prefer Macs to Windows PCs and will continue to use my Mac. I know you directly didn't say Windows is less secure and this isn't just to attack you, but I've been reading way too many comments in this thread downplaying Microsoft/Windows when there's no need.

In terms of patching major vulnerabilities faster, I'll tip my hat to Apple for that.
 
Just checked on my cheese grater Mac Pro running 10.13.2 beta 5 public (updated yesterday) and was able to login from the opening screen after booting using root and blank password!!!! I used to only have my icon to click for login but there was also one for 'other' which I used to enter root.

No sign of the security update in the App Store

and can't seem to get rid of the 'other' login icon. (It doesn't show on my MacBook running beta 4 public)

My computer is wide open - need to keep my office locked :)

Is this Karma for me trying out a Surface Studio in a store earlier today? (nice machine but prices similar to top end iMac or the forthcoming iMacPro)


ps I was able to go to the user documents folder for my legitimate login and read the files so I did have root privileges.

Yeah, same here, updated to beta 5 today. Security hole still wide open. Kinda lousy.
 
In terms of patching major vulnerabilities faster, I'll tip my hat to Apple for that.

Let's dispel this notion I keep seeing right away. The fact is that Microsoft has NEVER had a bug of this severity level make it to the public. So we have no way of knowing how fast they would be able to patch it. But the tip of the hat to Apple is warranted.
 
"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

Glad to hear you're still using the term "Mac user", Apple. While you're at it, mind fixing your "Pro" portable lineup?
 
Tim usually gives them the week off. You'd think hackers would take this into account when finding vulnerabilities.

Every business can cancel the holiday of a specific team if necessary. That’s common practice.

Oh!!! Apple could have fixed it two weeks ago. What have they been doing? Designing new animoji?

Well, it was unknown until last night. If it wasn’t news and Apple shipped the update without further notice nobody would have complained. The issue was “public” for less than 20 hours. So Apple reacted the right way and patched the serious zero-day exploit.

Oh!!! Apple could have fixed it two weeks ago. What have they been doing? Designing new animoji?

Basically that was a workaround. And it wasn’t an issue until 24 hours ago. Is it a big issue? Of course.
 
From the Apple release notes:

"A logic error existed in the validation of credentials. This was addressed with improved credential validation."

Translation: checking credentials for root access no longer, in and of itself, enables root access :)

Frankly, I can't say that I've never written code that broke something, that wasn't expected and therefore not promptly tested. Not an excuse for Apple, just sayin'. But I'm a glass-half-full kind of guy, and appreciate their quick response.
 
So all of software you have developed/tested over your 17 years, at the scope similar to a major operating system, was delivered 100% bug-free? Tell me more...

The problem is not being bug-free or not bug-free. The problem is that it's an extremely glaring and obvious hole that should have been caught by automatic tests! Checks whether the root user is automatically enabled are the most obvious thing to test for. What this situation shows is that software development policies at Apple are completely and utterly mismanaged. It would be a different thing if we'd have a more obscure bug that occurs on an intersection of several non-trivial features, but it's permission for the root user of all things!

Not to mention that it's most likely not a bug in the first place. Probably some dev at Apple whitelisting root access for testing purposes and forgetting to reset it after they were done...
 
Unless it's your ambition in life to be able to run "rm -r /" with impunity :)

I did it on a server, many moons ago. Used -fr too, so any chance of being saved from myself was gone. By the time I realized and hit CTRL + C, /bin was gone. Good times.

(fortunately it was only a test server and I did not get fired)
From the Apple release notes:

"A logic error existed in the validation of credentials. This was addressed with improved credential validation."

Translation: checking credentials for root access no longer, in and of itself, enables root access :)

Frankly, I can't say that I've never written code that broke something, that wasn't expected and therefore not promptly tested. Not an excuse for Apple, just sayin'. But I'm a glass-half-full kind of guy, and appreciate their quick response.

A sane approach. Really nothing to be gained from frothing at the mouth over this.
 
People make mistakes. I guess we can rest assured that all of you negative posters are perfect and your coding skills are simply unparalleled and you never have made an error. All you need to apply for jobs at Apple so in the next 30-60 days Apple doesn't file for bankruptcy.
 
Anyone having issues with File Sharing after the update?
Yep. File sharing is failing. After several troubleshooting steps it's now clear that File Sharing is not accepting any credentials to connect to network machine (both running 10.13.1 after Security Update 001). Screen Sharing, on the other hand, works flawlessly!
 
This is actually an argument in favor of public disclosure of vulnerabilities. Lemi Orhan Ergin was catching a lot of criticism yesterday for posting it on twitter, but if this bug had been reported privately, it would have taken much longer to fix, while malicious actors would be able to exploit it all along.

Except if Apple was unable to fix it so quickly and/or easily it would have been freely available for any malicious actor to exploit. Terrible justification.
 
Let's face it. Every operating system or application will come across vulnerabilities, but it doesn't truly matter how bad or embarrassing they are (like this one was).

The real test of a quality company is how fast they can provide the update/patch to fix the security issues.

This was a big miss on the "QA front end" for Apple, but it was an excellent timely response to an urgent issue.
Let's face it. Every operating system or application will come across vulnerabilities, but it doesn't truly matter how bad or embarrassing they are (like this one was).

The real test of a quality company is how fast they can provide the update/patch to fix the security issues.

This was a big miss on the "QA front end" for Apple, but it was an excellent timely response to an urgent issue.

Somebody talking sense at last. Of course we’re all perfect developers who never make a mistake. Point is, Apple took this seriously and did something about it.
 
Yep. File sharing is failing. After several troubleshooting steps it's now clear that File Sharing is not accepting any credentials to connect to network machine (both running 10.13.1 after Security Update 001). Screen Sharing, on the other hand, works flawlessly!

I thought I was going crazy! It works fine back to a machine running 10.12.6.

MacPro6,1 10.13.1 with update to MacBookPro14,3 10.13.1 with update is failing without cause. I've tried as Guest, Registered User, and with Apple ID.

Seriously Apple!
 
You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

Except that Apple has a tendency to cast stones at Windows. Oh, and the security flaw was apparently disclosed in a public forum 2 weeks ago so I would not call this particularly quick...
 