[grey_whiskers]

What H1-B with an IQ of 350 OK'd *this* one?

Who needs Chinese hackers?

[grey_whiskers]

*PING*

[reed13k]

Awesome - I just downloaded this update last week, but didn’t have enough time to remove some stuff I was working on, so I didn’t have room to install it. Now I have a good reason to wait.

[Responsibility2nd]

[CopperTop]

Root-boy Slim anyone? d;^)

[PAR35]

But the Apple fan bois on FR told us that Apple is perfect.

[lgjhn23]

I’ve had this update for awhile now.
I remember there was another update to it immediately following the original and I suspect that second one fixed this.
I just tried it on my machine. Went to preferences, security and tried unlocking the padlock with “root”. It would not let it enter. Using my username and password would.

[for-q-clinton]

Wow... Good thing this wasn’t Microsoft that did it or that would be bad news. Apple fanboys will just consider it a nice feature and thank apple for the easy root.

On a serious note how the hell does this happen? Buffer overruns I understand but just typing root gives you root??? This is serious bad coding, quality review, security design, and leadership.

[proxy_user]

I haven’t kept track. Has Apple abolished root and required all users with root privileges to sudo? That’s what they did in Ubuntu, although by sudo’ing to the shell executable you could still get a rootshell.

[AustinBill]

I’m running 10.13.1 and this bug doesn’t seem to affect me. Perhaps it only affects certain models? In any event Apple should sort it out soon. Agree this is something that never should have gotten out the door.

[ImJustAnotherOkie]

What happens if you type in poop?

[mad_as_he$$]

This has to be fake news. I am sure someone will be along shortly to wave their hands and tell you it is all just an illusion of old and out of date info.

[Swordmaker]

MAJOR OOPS in MacOS HIGH SIERRA, if an Administrator skips a step in creating a ROOT USER and fails to create the Root User password, which should NOT BE POSSIBLE. . . but in MacOXS 10.13.1 High Sierra it somehow was allowed to do so, . . the Root User can be created as "ROOT" or "root", without a password, just as any standard user can be created without a password, allowing anyone to log in with Root User permissions, by just typing in "root" at a user prompt! NOT GOOD. However, if the password IS input, it is secure. It DOES have to be done by an Administrator level user. The flaw is not REQUIRING a password before ROOT is enabled. Apple will push out a fix for this fast. . . It's a hard flaw to notice. . . but someone did. — PING!

Apple macOS 10.13.1
ROOT USER
PASSWORD CREATION
VULNERABILITY
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

[Swordmaker]

This is a stupid oversight. What it essentially is, is that it has always been an ability of an Administrator User to create a ROOT USER but it should not allow that event to occur without also requiring the input of a password before enabling the Root capabilities.

Creation of normal users can occur without passwords, but this one should NOT ever be allowed without a password and in the past it has been required for this. Apparently, someone was working on this and disabled to forced PW and it did not get re-enabled in the release. The good news is that it requires an Administrator level user to create a Root user, and also physical access to the computer.

It’s an easy fix, and Apple will be pushing out an update that will address it very quickly by returning the password requirement.

[TheStickman]

Stuff like this is why I never upgrade to the newest version of macOS has been out for at least a year.

[Swordmaker]

Apparently there is more to this problem than just allowing Root with no password. Root is enabled by default in the latest macOS High Sierra. That is a huge departure from previous macOS and OSX versions where it was always disabled by default.

Here is how to protect yourself against YOU or anyone exploiting this vulnerability. It is as simple as disabling the Root user.

1. Log into your Mac as an Administrator
2. Open System Preferences
3. Select Users and Groups
4. Unlock the pane by Clicking on the Padlock Icon and entering the Admin User Name and Password
5. Click on Log in Options
6. Click "Join" Network Account Server:
7. Click on Open Directory Utility
8. Unlock this pane by Clicking on the Padlock Icon and entering the Admin User Name and Password
9. Under the Directory Utility Menu Bar, select Edit then click and release on Disable Root User
10. Lock the Padlock Icon on the pane
11. Close the Utility Directory pane window by clicking on the Red Dot
12. Lock the Users & Groups Preference pane
13. Close the Users & Groups Preference pane by clicking on the Red Dot.

Once you have done this, the Root User Abilities are closed down and have to be re-activated by repeating the above procedure and clicking on the drop down menu to ENABLE ROOT USER. . . and ADD a password.

[Swordmaker]

So, after doing some digging, the problem is NOT that the code allows creation of root abilities without a password, but that the ROOT USER is ALREADY enabled with no password under the name ROOT or root. . . and was installed on all macOS 10.13.1 installs.

It's not a problem with the root creation but with the update install being left with a root user still active without a password!

DUMB, DUMBER, and DUMBEST!

Industrial Strength STUPID by someone who just did not look! And some idiot who forgot to DISABLE THE F'ING ACCOUNT in the Gold Master!!!!

Not to mention those in QA, as dayglored pointed out, who just did not notice when they went in and enabled their own ROOT ACCOUNTS that it was already enabled!

[dfwgator]

Thank God I’m still on El Capitan.

[dila813]

Podesta was helping them with security.

[Swordmaker]

Apple has released the fix for this vulnerability on Wednesday, November 29, 2017.

http://www.freerepublic.com/focus/chat/3608949/posts?page=2

[PLMerite]

"it appears that anyone can log in just by putting “root” in the user name field."

Close, but no cigar...