Free Republic
General/Chat

Apple update:
Apple Inc | November 29, 2017 | Apple

Posted on 11/29/2017 8:45:14 AM PST by Swordmaker

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier 

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

If you require the root user account on your Mac, you can enable the root user and change the root user's password.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; highsierra; macos10131; securityupdate
Use the Black Apple Menu and select App Store/updates
1 posted on 11/29/2017 8:45:14 AM PST by Swordmaker

To: dayglored; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ...
Apple has released the fix for the Root Password glitch. Download the Apple 10.13.1 High Sierra Security Update 2017-001 from the App Store under the Black Apple Menu Software Update and install it. — PING!


Urgent Apple Security Update
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 11/29/2017 8:48:44 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #1)

This update applies only to users who have installed macOS 10.13.1 High Sierra on their Macs.


3 posted on 11/29/2017 8:49:57 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #2)

To: Swordmaker

Thanks, I just updated my iMac.


4 posted on 11/29/2017 8:55:15 AM PST by Enlightened1
(Reply to #1)

To: All

It does not even require a system restart. . . and in fact is likely to install without interaction. I have just tested this update and it works as required. The problem is solved and is now a non-issue.


5 posted on 11/29/2017 8:56:34 AM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #2)

To: Swordmaker

Thanks, Sword. Looks like I’m still running 10.12.4


6 posted on 11/29/2017 8:59:33 AM PST by tubebender
(Reply to #1)

To: Swordmaker

Thanks, Swordmaker!

I wish you and yours a very Merry Christmas!

S + SJ


7 posted on 11/29/2017 9:00:26 AM PST by Loud Mime (Liberalism: Intolerance masquerading as tolerance, Ignorance masquerading as Intelligence)
(Reply to #2)

To: Swordmaker
Does this exploit require physical access to the computer to bypass credentials?

If so, we are safe, and will update after the mad rush is over.

8 posted on 11/29/2017 9:00:42 AM PST by texas booster (Join FreeRepublic's Folding@Home team (Team # 36120) Cure Alzheimer's!)
(Reply to #3)

To: Swordmaker

My GUESS is that someone in the testing group failed to remove this obvious universal access before the ‘Gold Master’ was assembled! What a rotten egg in face, but it will be a red-letter item for all future releases!


9 posted on 11/29/2017 9:06:05 AM PST by SES1066 (Happiness is a depressed Washington, DC housing market!)
(Reply to #1)

To: texas booster

If one can VPN or otherwise gain access to an ‘on’ and online machine, then doing the ‘root’ logon might be possible. The update takes less than a minute on my 2014 iMac without any need to reboot!


10 posted on 11/29/2017 9:09:11 AM PST by SES1066 (Happiness is a depressed Washington, DC housing market!)
(Reply to #8)

To: Swordmaker
You might find this interesting:
macOS root login vulnerability was shared over two weeks ago as a troubleshooting tip on Apple's own developer forums

https://www.reddit.com/r/programming/comments/7gb191/macos_root_login_vulnerability_was_shared_over/

Note: it's Reddit, so caveat emptor.
11 posted on 11/29/2017 9:15:33 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
(Reply to #1)

To: Swordmaker

Thanks for the PING Swordmaker!

And thanks to Apple for patching so quickly.


12 posted on 11/29/2017 10:18:25 AM PST by aMorePerfectUnion
(Reply to #2)

To: dayglored
> macOS root login vulnerability was shared over two weeks ago as a troubleshooting tip on Apple's own developer forums

I wouldn't even couch it in terms of a "vulnerability" being shared. . . but rather as a developer sharing a "cool way" for another developer to get to an Admin account who had screwed up their Admin user account. This particular developer seemed oblivious that what he had actually stumbled across was in fact a very serious vulnerability to the Mac's security.

> Note: it's Reddit, so caveat emptor.

Yup, it's Reddit, so they paint it with the broadest, blackest brush they can find with the stickiest tar available.

I read through all 225 responses in the Apple Developers' Forum in question and discovered that the vulnerability in question was not actually reported to Apple but rather, as you pointed out, just "shared" as a cool "fixit tip" to access an admin account, presented to a user who had, it turned out, accidentally screwed up their Admin user's credentials. This particular tip was buried about four nests deep in a series of "tips" for the user to try. The guy who offered it did not even realize that it provided Root access, but just thought it made the person signing on using this tip an Admin.

It is not, however, one of the Apple-moderated forums. It is purely a developers' forum for seeking other developers' comments and their experiences of how they have handled particular problems they may be having, not Apple's help. There is another area for that. As I understand it, Apple-employed engineers do not participate in these forums because of potential liability, due to the possibility that some developer is working on an app of which Apple may also be developing an in-house version.

Unless this was specifically brought TO Apple's attention, it is unlikely Apple would have seen it in this forum.

A couple of developers commented that it appeared to be a serious security concern that one could get to Root without a password and that shouldn't happen. . . but no one mentioned anything about bringing it properly to Apple's attention back in mid-November. I suspect they'd all forgotten that the forum was not an observed, moderated forum.

13 posted on 11/29/2017 2:46:25 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #11)

To: Loud Mime

Merry Christmas back at both of you, too . . .


14 posted on 11/29/2017 2:47:27 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #7)

To: texas booster
> Does this exploit require physical access to the computer to bypass credentials?

Yes, but someone tried to claim not. It can only be done at the keyboard. It could be avoided by enabling Root yourself and adding a complex password of your own choice. Then it won't work.

15 posted on 11/29/2017 2:49:40 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #8)

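The advisory at the top of the thread (affected: 10.13.1; not impacted: 10.12.6 and earlier; fixed build: 17B1002) and the root-password mitigation in post 15 can be turned into a quick check script. This is an added example, not Apple's code or anything posted by a participant in this thread. `sw_vers` and `dscl` are real macOS tools; the function names, the status strings, and the assumption that root's `AuthenticationAuthority` record is absent until a root password has been set are this example's own.

```shell
#!/bin/sh
# Added example, not Apple's code or anything posted in the thread.
# Classifies a Mac's state with respect to CVE-2017-13872 using only the facts
# from the advisory above (affected: 10.13.1; not impacted: 10.12.6 and earlier;
# fixed build: 17B1002), then, on macOS, reports whether the root account has a
# password record (the mitigation from post 15).
# ASSUMPTIONS: function names and status strings are this example's own; the
# AuthenticationAuthority check assumes that record is absent for root until a
# root password has been set.

# cve_13872_status PRODUCT_VERSION BUILD
# Prints one word: not_affected | patched | vulnerable | unknown
cve_13872_status() {
    local ver="$1" build="$2" major rest minor patch
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;   # "10.13.1" -> 1
        *)   patch=0 ;;            # "10.11"   -> 0
    esac
    if [ "$major" != 10 ]; then
        echo unknown               # the advisory only speaks about 10.x releases
        return 0
    fi
    if [ "$minor" -lt 12 ] || { [ "$minor" -eq 12 ] && [ "$patch" -le 6 ]; }; then
        echo not_affected          # "macOS Sierra 10.12.6 and earlier"
        return 0
    fi
    if [ "$minor" -eq 13 ] && [ "$patch" -eq 1 ]; then
        if [ "$build" = "17B1002" ]; then
            echo patched           # Security Update 2017-001 installed
        else
            echo vulnerable        # 10.13.1 without the update
        fi
        return 0
    fi
    echo unknown                   # e.g. 10.13.0 or later point releases: not covered by the advisory
}

# root_password_set
# On macOS, succeeds when the root record carries an AuthenticationAuthority
# attribute (assumed here to appear only once a root password has been set).
# Exit status is read from grep, not dscl, so it works regardless of how dscl
# reports a missing key.
root_password_set() {
    dscl . -read /Users/root AuthenticationAuthority 2>/dev/null \
        | grep -q '^AuthenticationAuthority:'
}

main() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not macOS: call cve_13872_status VERSION BUILD directly, e.g." >&2
        echo "  cve_13872_status 10.13.1 17B1002   # -> patched" >&2
        return 0
    fi
    ver=$(sw_vers -productVersion)
    build=$(sw_vers -buildVersion)
    echo "macOS $ver ($build): $(cve_13872_status "$ver" "$build")"
    if root_password_set; then
        echo "root: AuthenticationAuthority present (a root password has been set)"
    else
        echo "root: no AuthenticationAuthority record (root never enabled; rely on Security Update 2017-001)"
    fi
}

main "$@"
```

Run it on the Mac in question; the classifier deliberately answers `unknown` for any release the advisory does not mention rather than guessing, and the 10.12.4 machine from post 6 comes back `not_affected`, matching post 16.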
To: tubebender
> Thanks, Sword. Looks like I’m still running 10.12.4

You are not at risk from this idiotic vulnerability.

16 posted on 11/29/2017 2:50:21 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
(Reply to #6)

To: Swordmaker

update prevailed .....all good.


17 posted on 11/29/2017 5:16:58 PM PST by Squantos (Be polite, be professional, but have a plan to kill everyone you meet ...)
(Reply to #2)
