Huge security flaw lets anyone log into a High Sierra Mac
Tech Crunch | Nov 28 2017 | Kevin Coldewey
Posted on 11/28/2017 2:59:34 PM PST by grey_whiskers
To: mad_as_he$$
> This has to be fake news. I am sure someone will be along shortly to wave their hands and tell you it is all just an illusion of old and out of date info.
Unfortunately, it is not fake news. It does what it says it will. One DOES have to be in Admin to do it. . . and most people do not run in Admin mode if they are smart.
21 posted on 11/28/2017 5:56:43 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: AustinBill
> I'm running 10.13.1 and this bug doesn't seem to affect me. Perhaps it only affects certain models? In any event Apple should sort it out soon. Agree this is something that never should have gotten out the door.
If you are running as a Standard User, it won't work. You have to start from running as an Admin. . . then it works. But, most people, likely like you, are running in Standard mode where it's safer to browse the Internet. A standard user cannot invoke ROOT.
22 posted on 11/28/2017 5:58:42 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: Swordmaker
This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER, but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities. Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password, and in the past it has been required for this. Apparently, someone was working on this and disabled the forced PW, and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.
It's an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.
Well, as long as they don't hire John Podesta...or the Awan brothers.
23 posted on 11/28/2017 6:06:48 PM PST by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)
To: Swordmaker
> This is a stupid oversight.
Yes, it's stupid, but it's more than an oversight.
First, someone (presumably an engineer debugging something) disabled a security feature, but they failed to revert it when they were done, and they committed the change to the source repo. Well, that's bad. But sh*t happens, bad commits do happen. It was not terrible at this level; it should have gotten caught and corrected at the next level.
Then at the next level, whoever was supposed to review commits missed it. That's worse than the original mistake. The error became considerably worse because now it's assumed to be okay.
Then the error was built into the release, and QA failed to test for it. This is egregious. QA shouldn't have to find this kind of error; you can't test software until it works. But even so, this wasn't a difficult bug to exercise, if you have the resources of Apple. My God, they've got hundreds of QA people, they've got automated testing setups. But still, QA didn't find it.
More than an oversight. This was a systemic failure of the first order.
BTW, I've done professional industrial strength software testing since the late 1970s, so I get to be a little righteous about this one. I'm very disappointed in Apple and I expect them to fire a few people over this.
24 posted on 11/28/2017 6:22:16 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
To: AustinBill
My Mac is from 2010. I downloaded High Sierra two weeks ago.
No issues...
25 posted on 11/28/2017 6:33:12 PM PST by Eric in the Ozarks (Baseball players, gangsters and musicians are remembered. But journalists are forgotten.)
To: grey_whiskers
Stuff like this is why I never upgrade to the newest version of macOS until it has been out for at least a year.
26 posted on 11/28/2017 6:39:18 PM PST by TheStickman (#MAGA all day every day!)
To: All
Apparently there is more to this problem than just allowing Root with no password. Root is enabled by default in the latest macOS High Sierra. That is a huge departure from previous macOS and OSX versions where it was always disabled by default.
Here is how to protect yourself against YOU or anyone exploiting this vulnerability. It is as simple as disabling the Root user.
- Log into your Mac as an Administrator
- Open System Preferences
- Select Users and Groups
- Unlock the pane by Clicking on the Padlock Icon and entering the Admin User Name and Password
- Click on Log in Options
- Click "Join" Network Account Server:
- Click on Open Directory Utility
- Unlock this pane by Clicking on the Padlock Icon and entering the Admin User Name and Password
- Under the Directory Utility Menu Bar, select Edit then click and release on Disable Root User
- Lock the Padlock Icon on the pane
- Close the Directory Utility pane window by clicking on the Red Dot
- Lock the Users & Groups Preference pane
- Close the Users & Groups Preference pane by clicking on the Red Dot.
Once you have done this, the Root User Abilities are closed down and have to be re-activated by repeating the above procedure and clicking on the drop down menu to ENABLE ROOT USER. . . and ADD a password.
27 posted on 11/28/2017 7:12:13 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
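As an added example, not from any poster in this thread: a small POSIX shell audit that classifies the state of the root account from the AuthenticationAuthority attribute that `dscl` reports for /Users/root, so an administrator can verify the outcome of the Directory Utility procedure above on one Mac or across many. The attribute patterns it keys on (`No such key`, `;DisabledUser;`, `;ShadowHash;`), the function names and the constructed fallback sample are assumptions of this example, not facts taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the root account's state on
# macOS from the AuthenticationAuthority attribute of /Users/root.
# The three patterns are assumptions about how Directory Services records
# each state:
#   "No such key"     -> root has no credential record at all (the thread's
#                        "root user with no password" situation)
#   ";DisabledUser;"  -> root is disabled (the state after "Disable Root User")
#   ";ShadowHash;"    -> root is enabled and carries a password hash
classify_root_auth() {
    auth="$1"
    case "$auth" in
        *"No such key"*)     echo "no-credentials" ;;
        *";DisabledUser;"*)  echo "disabled" ;;
        *";ShadowHash;"*)    echo "enabled-with-password" ;;
        *)                   echo "unknown" ;;
    esac
}

# Pass/fail verdict for an audit: only a disabled root account, or one that
# has a real password hash, is acceptable. Anything else needs attention.
root_account_ok() {
    case "$(classify_root_auth "$1")" in
        disabled|enabled-with-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live attribute where dscl exists (macOS). dscl reports a missing
# attribute on stderr, so both streams are captured. Elsewhere, fall back to a
# constructed sample line so the script still demonstrates the logic offline.
read_root_auth() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Users/root AuthenticationAuthority 2>&1
    else
        echo "No such key: AuthenticationAuthority"   # constructed sample
    fi
}

report_root_state() {
    auth=$(read_root_auth)
    echo "root account state: $(classify_root_auth "$auth")"
    if root_account_ok "$auth"; then
        echo "OK"
    else
        echo "ACTION: disable the root user or set a strong root password"
    fi
}

report_root_state
```

Run it as an administrator on each machine after applying the procedure; the verdict line tells you whether the root account ended up disabled, password-protected, or still in the unprotected state the thread describes. On a system without `dscl` the constructed sample is used, so the script reports the unprotected state there by design.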
If you want to KEEP Root enabled and make it safe, follow the above procedure, but use the drop-down menu to select Change Root Password. . . and enter a good, complex password.
28 posted on 11/28/2017 7:16:53 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: dayglored; ctdonath2; grey_whiskers; reed13k; Responsibility2nd; CopperTop; PAR35; lgjhn23; ...
See the procedure to fix this problem above:
29 posted on 11/28/2017 7:23:50 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: grey_whiskers; dayglored; ctdonath2
So, after doing some digging, the problem is NOT that the code allows creation of root abilities without a password, but that the ROOT USER is ALREADY enabled with no password under the name ROOT or root. . . and was installed on all macOS 10.13.1 installs.
It's not a problem with the root creation but with the update install being left with a root user still active without a password!
DUMB, DUMBER, and DUMBEST!
Industrial Strength STUPID by someone who just did not look! And some idiot who forgot to DISABLE THE F'ING ACCOUNT in the Gold Master!!!!
Not to mention those in QA, as dayglored pointed out, who just did not notice when they went in and enabled their own ROOT ACCOUNTS that it was already enabled!
30 posted on 11/28/2017 7:32:16 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: Swordmaker
How the heck did they even let this happen? Users are stupid; they will screw this up.
31 posted on 11/28/2017 7:34:29 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: Swordmaker
Actually post 8 pointed out quality review failure first 😁. This is like Microsoft 1990 dumb.
32 posted on 11/28/2017 7:38:55 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: dayglored; grey_whiskers
> More than an oversight. This was a systemic failure of the first order.
Oh, I agree. I think someone really screwed up. But who thinks about checking to see if a null password is acceptable when it was not OK before, especially in something as obscure as creating Root user ability? It's one of those things only 1 in ten thousand users ever do and then those only do it once. It is not something a user does repeatedly and it is not something one does on a Mac over and over again to test. It's actually a pain in the rear to undo so one can try again because once the root user is created, password is set and can only be changed.
As you can see above, I finally figured out what is REALLY going on with this "vulnerability." It's not a true coding error that allows the creation of a new root user without a password, it's that someone left their Root User account open with no password and it wound up in the Gold Master.
That's the only thing that meets the criteria of how this "vulnerability" works. . . and the "root" user is in the user list. This isn't "creating" a root user, it's only invoking an already existing root user.
33 posted on 11/28/2017 7:41:34 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: Swordmaker
> Apparently there is more to this problem than just allowing Root with no password. Root is enabled by default in the latest macOS High Sierra. That is a huge departure from previous macOS and OSX versions where it was always disabled by default.
Now that I've played with it for a while, the problem is not that root is enabled by default. The problem is that attempting root several times (in my case two) allows root with the root password -- which is null by default. If root had been disabled, you will find it now enabled.
If you go back in, disable root, and attempt the root flaw again, it will re-enable root and let you in with whatever password you had set earlier, or null if not set.
To: Swordmaker
> ...it is not something one does on a Mac over and over again to test. It's actually a pain in the rear to undo so one can try again...
As dayglored looks up quietly from his work and muses, "Now, if I were creating a backdoor that would slide through QA test, what characteristics would it have to have...?"
Just sayin'... If only 1/10th of 1% -- 1 in a thousand -- Muslims is a terrorist, that's 1,800,000 terrorists in the world.
So if you've got 123,000 employees (as Apple does, per Wikipedia), and only 1/10th of 1% -- 1 in a thousand -- is unscrupulous, in the pay of a competitor or foreign agency, that's 123 employees who might do something that egregious.
35 posted on 11/28/2017 7:58:32 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
To: for-q-clinton
> How the heck did they even let this happen? Users are stupid they will screw this up.
I'd say it happened because invoking a ROOT USER is something only 1 in 10,000 Mac users ever do, and when they do it, they only need to do it once.
It is not something that is ever done repeatedly. Ergo, a Mac user who might need Root will go in to activate it and click on Enable Root, then they'd add a root user password and then hit the Enter button.
They most likely would never even notice that there was already an existing user with a blank password.
36 posted on 11/28/2017 8:06:03 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
To: IndispensableDestiny
Wow, that is really bad. So the workaround won't fix this?
Better lock your Mac up until this is fixed.
37 posted on 11/28/2017 8:08:15 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: PAR35
"But the Apple fan bois on FR told us that Apple is perfect."
LIE!!!
Post a link to validate that statement, or STFU and GTHO!
38 posted on 11/28/2017 8:09:48 PM PST by TXnMA ("Allah": Satan's current alias | "Islamists": Satan's assassins | "Moderate Muslims": Useful idiots.)
To: Swordmaker
Nah...there’s something much worse about this scenario.
39 posted on 11/28/2017 8:09:51 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: IndispensableDestiny
> Now that I've played with it for a while, the problem is not that root is enabled by default. The problem is that attempting root several times (in my case two) allows root with the root password -- which is null by default. If root had been disabled, you will find it now enabled.
Let me try that, IndispensableDestiny. I had disabled root on my MacBook and tried it several times and it did not turn back on as yours did, but let me try several more times... and see if I can replicate your experience.
40 posted on 11/28/2017 8:11:14 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)