Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
The sooner everyone STOPS downloading the new versions - the sooner Apple will notice that folks are tired of beta testing and buggy software.
But in this day and age in the western world, people have nothing better to do than download the latest greatest in between work and reality tv.
This isn't really the users' fault. I'm still running Sierra, and the last reminder Apple spammed me with asking me to update to High Sierra had two options: Update, and Tell me More (which turned out to link to Apple.com). There was no way to even remove the reminder without either updating, or clicking on the Apple.com link.
No - this appears to be constrained to High Sierra. Anecdotally, I can say that my co-worker's Sierra 10.12 install does not have this vulnerability.
Scared?
Robert Downey (not credited as Jr) in Weird Science
Scene: Trying to make a Lisa with bigger um you get the idea (funny Lisa is an Apple computer).
BUT you forgot you're on an Active Directory domain machine!
If you're on the internal network, any admin that logs onto a Win Server can access the IP of your MBP (domain joined) and try this. They can affectively change permissions remotely can they not? This is regardless of folders being shared in system preferences.
This may occur as well if you're connected to corporate network via VPN too - if you're VPN IP shows as internal IP after say 15mins or if updated immediately. Welcome to our control.
Wonder if anyone at apple cares enough about this issue to do something about it or are they all on their Thanksgiving break still and couldn't give a s***?
What a sloppy, messy joke their software is becoming.
Simply too rich,fat, and lazy to care I guess.
What a sloppy, messy joke their software is becoming.
Simply too rich,fat, and lazy to care I guess.
that's what I was reading as well. you have to have access to the computer to set up the user. you can't just walk up to a random computer on high sierra and type "root" as the user name and get in
Not only physical access but network access as well. I was able to perform the exploit on a remote computer using ARD.
root? Lawd, I can hear the Unix sys admins I used to work with now... I have to forward this to my Security instructor. More importantly, I need to tell my friends who have Macs that DON’T frequent these forums.
Fortunately, I’m still on Sierra, but coincidentally was just having conversations earlier this evening with a friend who wanted to buy a MacBook Pro for the first time. He was asking my opinion and experience. I’m over here singing praises over the phone all while THIS is going on. Wow, let me go back and tell him to make sure whatever he decides to buy is NOT on High Sierra.
As crazy as this is to read, it’s sadly not surprising (outside of it being Apple where this happened!). Testing always gets shafted when software development projects get under the gun - if that phase is even given enough time to begin with. It’s becoming more and more common, but Apple really should know better. This is basic security and absolutely unacceptable. Apple should probably investigate this looking for malicious intent - it’s so basic and it clearly didn’t exist before. Just unbelievable.
I expect more to come out of this besides heads rolling. Just wow.
Hats off to the devs who found this and are spreading the word on fixes until Apple resolves this.
Fortunately, I’m still on Sierra, but coincidentally was just having conversations earlier this evening with a friend who wanted to buy a MacBook Pro for the first time. He was asking my opinion and experience. I’m over here singing praises over the phone all while THIS is going on. Wow, let me go back and tell him to make sure whatever he decides to buy is NOT on High Sierra.
As crazy as this is to read, it’s sadly not surprising (outside of it being Apple where this happened!). Testing always gets shafted when software development projects get under the gun - if that phase is even given enough time to begin with. It’s becoming more and more common, but Apple really should know better. This is basic security and absolutely unacceptable. Apple should probably investigate this looking for malicious intent - it’s so basic and it clearly didn’t exist before. Just unbelievable.
I expect more to come out of this besides heads rolling. Just wow.
Hats off to the devs who found this and are spreading the word on fixes until Apple resolves this.
Read the news item. Fixed the bug per Apple's instructions. All good. Move along peeps.
Last edited:
No, this particular bug is unique to High Sierra. Root escalation exploits on the other hand have been available on every version, until found and patched.
then if you once again enter root with no password it lets you in, in my beta 2 anyways.
Unfortunately we'll not see heads roll ... too costly with stock options and such. It's like a union at the executive level. To be quite honest anyone with a PHD in Software or leads under and including Federighi should be checking security such as root on EVERY Alpha/Beta version of OSX / iOS prior to beta developer release and public releases.
Somebody should get a hurt, real bad!
A high level security issue like this is fixed by Apple releasing a fix it support page for MANUAL action by the end user to resolve?! Seriously you call THIS FIXED?!
This should be an immediate patch sent out by Apple ... THAT is a fix. If this was Microsoft on Windows (take your pick on ANY version) .... man Bloomberg and everyone else would be pointing fingers dissing and saying this/that.
Apple should NOT get any sort of pass on this, as your post sort of implies, imho. I believe somewhere in the software acceptance page the OS belongs to Apple and it's their responsibility, no?
PS: I don't own a Mac and haven't for 6mths. I will in another 4mths.
There is, always has been, and probably always will be methods to bypass local security on Windows.
https://www.myce.com/news/old-looph...and-reset-the-windows-10-user-password-78066/
This isn’t even the only way. Once again, there is no local security on Windows. If you have physical access you can get Admin access. This won’t be fixed.
Apparently, it's called "High Sierra" because they were all high when they coded it.
I am root.
Apple quick ****ing up/end_rant
[doublepost=1511935813][/doublepost]
[doublepost=1511936108][/doublepost]
EXACTLY!!!
Quit making "innovation" for the sake of being different and make the products work. Added a touch bar with fingerprint scanner but forgot to take out Root level access by typing in Root on the administer lock screen. Just sloppy work. People need to be fired or stripped down to their underwear and throw tomatoes at them in middle of their spaceship office.
I don't want my phone to freeze and have to restart constantly (cought cought IOS 11), and I don't want my laptop to have such security lapses its ridiculous.
Apple quick ****ing up/end_rant
[doublepost=1511935813][/doublepost]
Spreading themselves too thin and I've heard can't retain talent? Not sure about the second one.
[doublepost=1511936108][/doublepost]
EXACTLY!!!
Quit making "innovation" for the sake of being different and make the products work. Added a touch bar with fingerprint scanner but forgot to take out Root level access by typing in Root on the administer lock screen. Just sloppy work. People need to be fired or stripped down to their underwear and throw tomatoes at them in middle of their spaceship office.
I don't want my phone to freeze and have to restart constantly (cought cought IOS 11), and I don't want my laptop to have such security lapses its ridiculous.
Last edited:
Hmm.. Awfully high impact, terrible trust-losing bug, but seems like a harsh call against one individual. **** happens occasionally.
Thanks. I currently run Sierra on an early 2016 MacBook Pro. Recently offered upgrade to High Sierra. Another reason not to I guess...