Posted on 11/28/2017 2:59:34 PM PST by grey_whiskers
Update: Apple has acknowledged the issue and is working on it. Statement and workaround below.
Wow, this is a bad one. On Macs running the latest version of High Sierra 10.13.1 (17B48) it appears that anyone can log in just by putting root in the user name field. This is a huge, huge problem. Apple will fix it probably within hours, but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you'd click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.
(Excerpt) Read more at techcrunch.com ...
Don’t waste your time proving it. I’ve done it years ago several times and they always make up an excuse.
Damn, you're right! It took me five tries and it re-enabled root with whatever password I put in. So, the best move is to enter a password/passcode into your ROOT and leave it enabled or disabled but WITH a passcode that only you know. That will solve the problem of anyone else getting in. Thanks for being persistent.
Looks like I touched a nerve. Come on. Apple was only down a little over a half a percent today. (-.59%) and Microsoft was up 1.22%. Don’t worry. Apple will probably rebound by the end of the year. If you don’t have to sell, your losses aren’t real.
Nah, there is a fix. It's essentially the same: follow the same steps, but then ADD A complex password that is not null. Then it doesn't matter.
No, really. It IS something people make up and post, that Apple fans say the product is perfect.
Happens all the time here. Even in this thread. It is as if Apple is living rent-free in their heads, they sound that obsessed.
Just remember, with Apple
“You. Don’t. Need. Antivirus.”
http://www.freerepublic.com/focus/f-chat/2323040/posts
Years ago -- many years ago -- there were still a few die-hard Apple fanbois who repeated the mantra that Macs were immune to malware, or were bug-free, or similar hopeful but not-quite-true tales.
That situation has completely changed, now that a lot more Macs are in the world, a lot more hackers are devoting a lot more time to hacking Macs.
And so nearly every Mac fanboi has changed their tune, recognizing that the world has changed.
I recommend that you (for-q-clinton and PAR35) do the same, since you sound inane, and awfully stupid, parroting Apple Hate crap that stopped being true many years ago, just so you can bash your fellow FReepers. Is it really that important to take a dump in the punchbowl, that you have to do it every chance you get?
----------------
That said, I sure wish I could calm down the Windows-hating and Microsoft-hating FReepers who inundate the Windows threads. There's some real venom there, too.
...I may have to consider buying a new iMac, mine is 10 years old now, and only has 4 Gig of RAM (upgradeable to 6).
At that time, what Swordmaker wrote was basically true -- antivirus on a Mac was gilding the lily. There were no viable viruses in the wild that could attack OS X.
OTOH, there was malware -- not viral, but things like Trojans -- that could attack a Mac user, and thereby attack OS X. The user is always the weakest link.
Swordmaker's claim stopped being strictly true, not so much because of real OS X viruses, but because pretty much everybody started using the term "virus" when they meant "malware". By conflating the two terms, it became possible for the tech press to write headlines with "Apple" and "Mac" that included terms like "malware" and "virus" and "bug" and "flaw". Clickbait headlines.
Anyway, all you did was substantiate my statement that virtually no one still says the fanboi things you attribute to your fellow FReepers.
Time to lighten up.
I love it!
Thank God I’m still on El Capitan.
No, because years ago I said Macs were secure by obscurity and was then mocked by Swordmaker and others who worshiped Apple.
Now they want to act like it never happened. They can apologize and admit that they were completely wrong and I was right. Then I’ll let it go.
That link to an FR article was from 2009, EIGHT years ago, talking about Mac OS version five and we are now on version 13.
Guess what, PAR35? You STILL do not need antivirus on a Mac nor do you need one on an iPhone.
What does THAT have to do with the false drivel you claimed?
I manage an office with over twenty Macs and have many clients with other Macs. Not a single one of them has ever run any third party antivirus software and they literally do not need it, nor have any of them ever been infected with a computer virus.
None of that has anything to do with Apple users never claiming that Macs are "perfect."
Somebody’s gonna get fired.
Damn sleepy eyes and autocorrect. I'll fix it tomorrow to make sense... Good night all
...and vi forever.
OS X's security is by design, not obscurity. Learn something about Unix, it'll do ya good.
What HAS changed is that the Mac's rise in popularity made it a better target for malware that attacks the USER -- Trojans and so forth. Those aren't attacking the operating system. They work through the weak link -- the user.
So your premise is flawed. The loss of Mac obscurity caused a huge rise in malware that could attack Mac users, as it had been attacking Windows users for decades. But (with a few notable exceptions, like the one that is the topic of this thread), OS X is still one of the most secure operating systems in use, exceeded only by pure Unix and Linux, which still benefit from an obscurity of which Apple only has vague memories.
So don't hold your breath for an apology from the Apple fans. They weren't "completely wrong", and you were only partly right.
Be careful now, your face is starting to turn blue... :-)
I sure hope so.
This is likely the worst security f*ckup I've seen from Apple in memory. And my memory goes back to the Apple I.
Actually it is still true that there is no need to run a third party antivirus on a Mac. The only thing in the wild is the same thing there was nine years ago: Trojans. And the Trojans are still basically the same as they were. There were about 40 Trojans in 2009 and there are about 150 now in just eight distinct families that affect Macs. All of those are identified by the Mac's operating system which will warn the user if they are downloaded, installed, or first run and require the user to provide an ADMINISTRATOR'S NAME and PASSWORD before such actions can continue, not just a simple "OK". . . therefore it takes industrial strength stupid users to get infected by such malware on a Mac.
Apple's built-in protection is more than adequate without buying and running antivirus or even antimalware apps. The problem is that all third-party apps that provide this function TURN OFF Apple's already effective and unobtrusive protection so they can intercept such malware so they will show the user they are doing their job! Yet the third-party software always has an impact on system performance without providing any more protection than what Apple already provided.
Some new vectors of attack have developed in the past three years. . . but these vectors are not something a software antivirus could ever defend against. Such vectors were hardware based through USB and Thunderbolt devices and required FIRMWARE updates to lock out the ability to add changes to the controlling firmware from external hardware invasive sources. Apple closed those off by firmware updates. . . and by locking the system through one more additional layer beyond root access that can't be accessed except through a boot process with a separate password. Such things are not and cannot be protected by software that will not be booted until after the system loads. The only possible protection has to be hardware and system security that Apple has added.
> ...it is still true that there is no need to run a third party antivirus on a Mac... Apple's built-in protection is more than adequate without buying and running antivirus or even antimalware apps... All third-party apps that provide this function TURN OFF Apple's [built-in] protection...
What the...? If an application level program can turn off the operating system's built-in protection, then that built-in protection is worthless, because a Trojan-borne piece of malware can do the same thing, and all it takes is tricking the user into typing a password. We all know how easy that is.
Security should be by design, not bolt-on, and not disableable (except by recompiling in a sandbox during development). Being able to disable system security defenses in application software is an industrial strength design flaw. For the life of me, I cannot concoct a justification for that design decision.
So what the heck was Apple thinking when they added that particular API? "Let's give applications the ability to pull our pants down to our ankles, so they can look good"?? WTF?