Major vulnerability in Apple's macOS provides System Administrator access with few instruc...

Comments

  • Reply 21 of 44
    This is a REMOTE EXPLOIT. You can use VNC to trigger it!
    mattinoz said:
    You could have put "Local" in the headline. I'm sure I'm not the only one here looking after a group of Mac for business or family who'd really appreciate direct triage information in the headline.
  • Reply 22 of 44
    The instructions about the Guest Account just add to the confusion. AI, I think you should remove those steps.
  • Reply 23 of 44
    lkrupp Posts: 7,311 member
    macmarcus said:
    Scary. Yes, this bug is real as I just tried it and enabled root with my own password. Scary scary scary... Apple will move fast on this, no?
    Why is it scary to you? Do a lot of people have physical access to your computer?
  • Reply 24 of 44
    lkrupp Posts: 7,311 member
    ben20 said:
    Tim Cook needs to go! I don't even update my Mac anymore, every time there is another flaw! No excuse this time!
    Pffftt!
  • Reply 25 of 44
    ben20 said:
    Tim Cook needs to go! I don't even update my Mac anymore, every time there is another flaw! No excuse this time!
    You forgot the /s on the end. 
  • Reply 26 of 44
    lkrupp said:
    Hilarious! We’re arguing about how this actually works and what to do about it. So many experts, so little expertise to confuse the issue and tie it up in knots. I decided to use iMore’s Rene Ritchie’s advice to enable root, set a strong password, and leave root enabled until the patch is made, probably in 10.13.2.
    That works too. DO NOT forget the password. In the meantime, some system operations may bug you for it, when you wouldn't ordinarily expect to enter it.
    It cannot be overstated how important it is to remember the root password, if set. 
  • Reply 27 of 44
    This is a horrible bug that was missed by Apple, but let's keep things in perspective. If a user has physical access to the machine, it's already at risk, especially if a firmware password is not enabled on the system. Disabling root or changing the root password does not prevent someone from accessing your Mac using single user mode (and then accessing system as root), or, booting up your Mac with an external drive with macOS installed on it.

    I never understood the whole guest access thing, but I've always disabled it during "hardening" of a system image, and in hindsight it was probably a good decision.
  • Reply 28 of 44
    I think it needs to be repeated, and I think the original article needs an update, that this is

    ALSO A REMOTE EXPLOIT

    if you have some sharing services enabled (screen sharing, remote management, file sharing too I think, so on).



    Does this not put a ton of Mac servers with services forwarded to the WAN at risk? Users with Screen or File Sharing enabled browsing at coffee shops? Or am I missing something here?

    EDIT: confirmed, just screenshared in to another random Mac on our network via Bonjour in the Finder (wasn't even the Mac I thought it was) using this exploit. 

    Boy am I glad I've left my office's mini server on Sierra for now (and my laptop)!
    edited November 2017
  • Reply 29 of 44
    My root account has been disabled since day 1.  If I enable root and assign a password, will I start getting prompted for the root password by system processes that use root?
  • Reply 30 of 44
    kevin kee Posts: 1,076 member
    I think it needs to be repeated, and I think the original article needs an update, that this is

    ALSO A REMOTE EXPLOIT

    if you have some sharing services enabled (screen sharing, remote management, file sharing too I think, so on).



    Does this not put a ton of Mac servers with services forwarded to the WAN at risk? Users with Screen or File Sharing enabled browsing at coffee shops? Or am I missing something here?

    EDIT: confirmed, just screenshared in to another random Mac on our network via Bonjour in the Finder (wasn't even the Mac I thought it was) using this exploit. 

    Boy am I glad I've left my office's mini server on Sierra for now (and my laptop)!
    You need to give a password to root. I can't stress enough if you worry about security,

    add a password.

    Problem solved.

    ps: I assume people already know how to add a password to root, but apparently not. Just in case. There are 2 ways to do this, but I prefer below, faster.

    1. Open a terminal window (Command-Space for spotlight, type 'terminal')
    2. Type `sudo passwd root`. Enter your password, and then a new password twice.


    edited November 2017
  • Reply 31 of 44
    Soli Posts: 9,270 member
    kevin kee said:
    I think it needs to be repeated, and I think the original article needs an update, that this is

    ALSO A REMOTE EXPLOIT

    if you have some sharing services enabled (screen sharing, remote management, file sharing too I think, so on).



    Does this not put a ton of Mac servers with services forwarded to the WAN at risk? Users with Screen or File Sharing enabled browsing at coffee shops? Or am I missing something here?

    EDIT: confirmed, just screenshared in to another random Mac on our network via Bonjour in the Finder (wasn't even the Mac I thought it was) using this exploit. 

    Boy am I glad I've left my office's mini server on Sierra for now (and my laptop)!
    You need to give a password to root. I can't stress enough if you worry about security,

    add a password.

    Problem solved.

    ps: I assume people already know how to add a password to root, but apparently not. Just in case. There are 2 ways to do this, but I prefer below, faster.

    1. Open a terminal window (Command-Space for spotlight, type 'terminal')
    2. Type `sudo passwd root`. Enter your password, and then a new password twice

    I keep hearing this but why? I've disabled Root access on my Macs and then tested every possible scenario I could think of. Since I never have Guest User enabled there's no Other option during login in which one can input Root as the user, but for the sake of being thorough I did a normal logout which brings me back to a screen to input a username and password (an option you don't get with a boot up with FV2 enabled—a feature I don't care for with macOS since it already tells a would-be thief what my username is), and tried using the Root login with a blank password. Nothing. It doesn't work because Root access has been disabled.

    I even brought up Screen Sharing, accessed my Mac via the LAN with its static IP address and tried to use Root to access it. It doesn't work.

    If you're so certain that having both Guest User and Root Access disabled will let someone access my device then please walk me through the steps so I can test this.
    edited November 2017
  • Reply 32 of 44
    I cruise by this site every now and again primarily to read the comments.

    I can't believe the usual "homer" suspects aren't weighing in...They come out in droves to support some of the "editorials"....
  • Reply 33 of 44
    dysamoria Posts: 2,283 member
    A "black" password, AI? Last paragraph, the text supposedly from Apple.
  • Reply 34 of 44
    dysamoria Posts: 2,283 member
    Eric_WVGG said:
    Sigh. Apple needs to either scale their ambitions for annual MacOS releases way the fuck back, or return to an 18 month schedule. 

    — Eric “still wakes up to a kernel panic if he leaves his MBP plugged in to a Thunderbolt Display and some backup drives overnight" WVGG
    Hear, hear. It's disgusting what today's (actually 2013's) Apple feels is acceptable.
  • Reply 35 of 44
    Soli Posts: 9,270 member
    dysamoria said:
    Eric_WVGG said:
    Sigh. Apple needs to either scale their ambitions for annual MacOS releases way the fuck back, or return to an 18 month schedule. 

    — Eric “still wakes up to a kernel panic if he leaves his MBP plugged in to a Thunderbolt Display and some backup drives overnight" WVGG
    Hear, hear. It's disgusting what today's (actually 2013's) Apple feels is acceptable.
    Have you two thought this through?

    Since iCloud and iOS services syncing through iCloud is a major part of how all their modern OSes work, how exactly would it help Apple to have, say, a new iPhone come out in the Autumn and then have to wait for a great feature added to iOS will finally work as expected when macOS won't be updated for 6 to 18 months?

    There's a clear reason why they announce all the new features at WWDC and release the new OS betas and updated OSes around the same time.

    I also think you two are forgetting that these bugs are not a new thing. You, like most people, have forgotten all the issues that have plagued Apple's HW and SW back when the Mac was their own major product offering. Hell, they even had an egregious bug in macOS about 2 decades ago that would let you log into any account simply by overflowing the buffer by typing in an excessive number of characters into the password field.

    Shit happens and it's unfortunate, especially when it's a security flaw, but nothing is gained by looking at Apple's past through rose-colored glasses.
  • Reply 36 of 44
    To be clear, this only affects High Sierra? Sierra and earlier do not have this vulnerability?
  • Reply 37 of 44
    Mike Wuerthele Posts: 4,876 administrator
    AppleZulu said:
    To be clear, this only affects High Sierra? Sierra and earlier do not have this vulnerability?
    Only High Sierra.
  • Reply 38 of 44
    lkrupp Posts: 7,311 member
    Soli said:

    Shit happens and it's unfortunate, especially when it's a security flaw, but nothing is gained by looking at Apple's past through rose-colored glasses.
    But it’s all about going negative on Apple at every opportunity, big or small. People wake up in the morning hoping for this stuff. As I said in another thread, so many experts with so little expertise, armchair critics everywhere.

    In the tech universe there have been many critical, apocalyptic, world ending security flaws lately, from the Krack Hack going back to SSL a few years ago. But never have I read a report of a confirmed attack using one of these exploits. As for Apple’s list of flaws I have yet to see someone (credible) come here to report they were compromised by any of them. Flaws come, they get fixed, they go. There is so much hand wringing, so much paranoia, so much hysterical commentary coming from those CLAIMING to be competent in these matters. Just look at the comments in the AI forums. These ‘competent’ experts can’t even agree as to what’s going on and how to deal with it.
  • Reply 39 of 44
    I think it needs to be repeated, and I think the original article needs an update, that this is

    ALSO A REMOTE EXPLOIT

    if you have some sharing services enabled (screen sharing, remote management, file sharing too I think, so on).



    Does this not put a ton of Mac servers with services forwarded to the WAN at risk? Users with Screen or File Sharing enabled browsing at coffee shops? Or am I missing something here?

    EDIT: confirmed, just screenshared in to another random Mac on our network via Bonjour in the Finder (wasn't even the Mac I thought it was) using this exploit. 

    Boy am I glad I've left my office's mini server on Sierra for now (and my laptop)!
    This is FALSE and does not work.
  • Reply 40 of 44
    Time to buy AAPL I guess! Stock getting teeth kicked in right now over panic reporting on this.