While it's great that iOS works well for you, rewriting the desktop OS based on iOS would really suck as iOS is just way too limiting for a lot of people.

Well they can certainly make it not so limiting for some people, but they would likely have to get used to a walled garden approach.
 
THIS WILL BE THE END OF THE WORLD!

WHAT HAS HAPPENED TO APPLE LATELY!? IF SOMEONE HAD ACCESS TO MY MACHINE THEY COULD CHANGE A COUPLE FAIRLY MEANINGLESS APP STORE PREFERENCES!!!!


That's the problem, we have become permissive and indulgent as a society. Don't blame the leaders, we deserve what we got.
 
We need an iOS and macOS release at the level of Snow Leopard. It’s sad but true.

No new features cause they will just break more things.

I so love using iOS6 and OS X 10.6. Just feel right. What should be possible is Apple is not allowed to release new OSes until the current ones get 14 point updates.
 



A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.


MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps:

o Click on System Preferences.
o Click on App Store.
o Click on the padlock icon to lock it if necessary.
o Click on the padlock icon again.
o Enter your username and any password.
o Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password.

We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

MacRumors is also unable to reproduce the issue on macOS Sierra version 10.12.6, suggesting the issue affects macOS High Sierra only.

The security vulnerability means that anyone with administrator-level access to your Mac could unlock the App Store preferences and enable or disable settings to automatically install macOS updates, app updates, system data files, and, ironically, even security updates that would fix a bug like this one.

This is the second password-related bug to affect macOS High Sierra in as many months, following a major security vulnerability that enabled access to the root superuser account with a blank password on macOS High Sierra version 10.13.1 that Apple fixed with a supplemental security update.

Following the root password vulnerability, Apple apologized in a statement and added that it was "auditing its development processes to help prevent this from happening again," so this doesn't look great.

Apple will likely want to fix this latest security vulnerability as quickly as possible, so it's possible we'll see a similar supplemental update released, or perhaps it will fast track the release of macOS High Sierra version 10.13.3. Apple did not immediately respond to our request for comment on this matter.

In the meantime, we can't think of an obvious workaround for this issue, so if you keep your App Store preferences behind lock, you'll want to keep a close eye on your Mac until further notice. If we learn of a solution, we'll share it.

Update: As pointed out by some of our readers, it's worth noting that the App Store preferences are unlocked by default on administrator accounts. While the seriousness of this bug is debatable, being able to bypass a Mac's password prompt with any password is obviously unacceptable.

Article Link: macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password
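
For the "keep a close eye on your Mac" advice above, an added example (not part of the article and not Apple's code): a shell audit that flags any of the automatic-update settings the article lists when they are not enabled. The preference domains and keys are the standard macOS software-update keys; their mapping to the App Store pane's checkboxes, the function names and the sample reader are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the automatic-update settings reachable from the
# App Store pane. Domain/key pairs are standard macOS preference keys; the
# labels mapping them to the pane's checkboxes are assumptions.
SETTINGS='
/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled check-for-updates
/Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload download-in-background
/Library/Preferences/com.apple.commerce AutoUpdate install-app-updates
/Library/Preferences/com.apple.commerce AutoUpdateRestartRequired install-macos-updates
/Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall install-system-data-files
/Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall install-security-updates
'

# read_pref DOMAIN KEY: print the stored value, or "unset" if it cannot be read.
read_pref() {
  defaults read "$1" "$2" 2>/dev/null || echo unset
}

# audit_update_prefs [READER]: print one REVIEW line per setting that is not
# explicitly enabled. Returns 0 if every setting is enabled, 1 otherwise.
audit_update_prefs() {
  _reader=${1:-read_pref}
  _rc=0
  while read -r _domain _key _label; do
    [ -n "$_domain" ] || continue          # skip blank lines in SETTINGS
    _value=$("$_reader" "$_domain" "$_key")
    case "$_value" in
      1|true|TRUE|YES) ;;                  # enabled, nothing to report
      *) echo "REVIEW $_label ($_key=$_value)"; _rc=1 ;;
    esac
  done <<EOF
$SETTINGS
EOF
  return $_rc
}

# Constructed sample reader: pretends security and macOS updates were turned off.
sample_reader() {
  case "$2" in
    CriticalUpdateInstall|AutoUpdateRestartRequired) echo 0 ;;
    *) echo 1 ;;
  esac
}

# On a Mac, audit the real preferences; elsewhere this is skipped.
if command -v defaults >/dev/null 2>&1; then audit_update_prefs || true; fi
```

Run periodically (for example from a management agent), a REVIEW line for a setting that was previously enabled indicates the preferences were changed. An unset key is reported for review rather than treated as enabled.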
 
Since 2006, I have never seen as many issues with macOS security as I have in the last year. I don't see the same issues with iOS.

It's true that Apple has been sucking in terms of security/qa in macOS lately. But there's no indication that this wouldn't happen if the system was based on iOS.

iOS has had its share of lock screen bypass flaws in the past.
 
This (and other software errors) are the results of employees showing off their salary and enjoying free food while not focusing on their job.
 
Update: As pointed out by some of our readers, it's worth noting that the App Store preferences are unlocked by default on administrator accounts. While the seriousness of this particular issue is debatable, being able to bypass a Mac's password prompt with any password is obviously unacceptable.

To be clear, if it's unlocked by default it means no credentials are necessary for access. I think the fact that it prompts is the bug here.

This is far less important than the other one.
 
Reactions: IJ Reilly
How does this even happen? How can you have authentication code that in one place accidentally accepts any password? That's just awful. The rot must go deep.

This is the truth. Apple is so screwed up these days that one software group has no idea what the other group is doing. All preferences are all screwed up and they get changed with every release for no reason except, apparently, to make them more confusing.

Apple can't even get the trash can right. Put something in, then undo the move and the icon still shows non-empty. When Apple can't even get the simple stuff right, how do they expect us to believe they can get something right like iCloud messaging, or security?
 
It's not a bug, it's a feature to increase App store revenue.

I'm sure the usual suspects on the forum are applauding Apple for this courageous move.
 
Reactions: 0958400 and Huck
To be clear, if it's unlocked by default it means no credentials are necessary for access. I think the fact that it prompts is the bug here.

This is far less important than the other one.
If a user decides to click the lock to secure the preferences, then System Preferences will retain that setting. The bug is that any password is accepted when unlocking the preference, if an admin user is signed in.
 
Reactions: Mainyehc
Of course this is a major issue, there's no way one should downplay this. There's a part of the OS shielded off by a padlock and authentication mechanism. And that mechanism fails, again, leaving the end user with a false sense of security and an exposed system.

If access is available by default, authentication isn't necessary. Whether you pass that security check or not, you were already (and remain) authenticated.
 
No you're not. This just isn't a major issue. My concern is that it's a further indicator of Apple's failure to do proper QA on security related issues in the recent past.

The real question is how many more issues won't be disclosed.




Update: It's worth noting that the App Store preferences are unlocked by default on administrator accounts. While the seriousness of unauthorized access to the App Store menu is debatable, the underlying bug allowing a password prompt to be bypassed with any password is obviously unacceptable.



Tim Cook needs to go, he has been riding Steve Jobs' successful iPhone wave... That's it!
 
Reactions: DevNull0 and Huck
Is it time yet for Craig to resign his exec VP position to “spend more time with his family?”
 
Reactions: Huck
I can see the sensational headline now. And all the android fanboys having brain aneurysms in the comments.

Yes, because when another company had repeated security flaws and OS stability and performance problems back in the '90s, everybody was kind and considerate and never ran a negative ad campaign trying to convert people to their platform...

Are Apple fanbois that naive?
 
Reactions: Ener Ji and ssmed