Apple says fix incoming for macOS High Sierra root access bug

Comments

  • Reply 41 of 65
    Rayz2016 Posts: 6,957 member
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.

    What if the person who discovered the bug works for Google or Samsung or Huawei? Even then, would you expect that person to report the issue to Apple first? In a similar vein, would you expect Apple's security team to reveal security holes in Android to Google and Windows to Microsoft and not go public?


    Actually this is what usually happens. In return for this early disclosure, the company expects the same when they find themselves in a similar situation.
  • Reply 42 of 65
    Rayz2016 Posts: 6,957 member

    Rayz2016 said:
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures.
    The issue cannot tolerate much speculation. One thing is clear, this is very unusual, very bad, and is something that doesn’t fit into the usual patterns of bugs. As such, it can only happen once since Apple will take necessary measures to prevent similar incidents.
    But as this fella pointed out, it has happened before:

    getvoxoa said:
    I remember that there was a huge bug in OSX introduced by one extra line of code copied by a coder. I suspect this might be a similar accident. Someone was working on enabling "root" privilege, the logic somehow got screwed up and left open a huge hole.
    Yup, that does ring a bell. 
  • Reply 43 of 65
    Rayz2016 Posts: 6,957 member

    cropr said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Don't shoot the messenger. Apple does not have a history of giving credit to someone who discovered a security bug; on the contrary it tries to deny it and control the communication around it. And now this attitude backfires. Apple is 100% to blame here.

    By the way this issue is really giving me a very bad taste in the mouth about the quality assurance at Apple. The fact that it is so easy to reproduce and that the consequences are so big makes me categorize this as one of the top security issues of the last 5 years in the IT world. No one can any longer point fingers at Android for not being secure without thinking about this issue.
    And that’s the other thing:

    This kind of foul-up always leads to embarrassingly transparent concern-trolling. 

    As I said, we have to hold Apple to higher standard than we hold their competition. 
    edited November 2017
  • Reply 44 of 65
    Rayz2016 Posts: 6,957 member
    Actually the enabling of root and even its compromise is no longer as critical as it sounds because Apple has introduced the "rootless" mode with El Capitan. Officially this is called "System Integrity Protection" and disabling it is not a trivial task. All critical root functions are assigned to processes signed by Apple. So, don't worry, you cannot be your machine's "root" even if you enable the Root user, no one can be. Apple itself is your machine's actual "root" user since El Capitan.

    https://support.apple.com/en-us/HT204899

    There are a lot of critical functions that fall outside the low level systems that this doesn’t cover. Being able to remote access into the machine for one thing.
  • Reply 45 of 65
    Rayz2016 said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.

    What if the person who discovered the bug works for Google or Samsung or Huawei? Even then, would you expect that person to report the issue to Apple first? In a similar vein, would you expect Apple's security team to reveal security holes in Android to Google and Windows to Microsoft and not go public?

    Actually this is what usually happens. In return for this early disclosure, the company expects the same when they find themselves in a similar situation.
    If that is already happening, then great. They are not enemies as many people think them to be, are they? More like partners in crime (or in this case business)?
  • Reply 46 of 65
    Rayz2016 said:
    Actually the enabling of root and even its compromise is no longer as critical as it sounds because Apple has introduced the "rootless" mode with El Capitan. Officially this is called "System Integrity Protection" and disabling it is not a trivial task. All critical root functions are assigned to processes signed by Apple. So, don't worry, you cannot be your machine's "root" even if you enable the Root user, no one can be. Apple itself is your machine's actual "root" user since El Capitan.

    https://support.apple.com/en-us/HT204899

    There are a lot of critical functions that fall outside the low level systems that this doesn’t cover. Being able to remote access into the machine for one thing.
    Remote Access doesn’t require root privileges. ssh doesn’t allow root login with a blank password. The Remote Access intruder must still be on the machine to enable root first.

    Of course it is not harmless. But it is not as harmful as previous root escalations. This vulnerability just provides a more privileged admin account one can log in to without a password, that’s it. That puts mostly users' files and privileges at risk (including iCloud) but not the protected base of the system.

    It is worth noting that, as Apple puts it, System Integrity Protection mostly protects against malware modifications. Interactive modifications by such a "root user" may still create significant damage.
    edited November 2017
  • Reply 47 of 65
    lkrupp Posts: 10,557 member
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.

    What if the person who discovered the bug works for Google or Samsung or Huawei? Even then, would you expect that person to report the issue to Apple first? In a similar vein, would you expect Apple's security team to reveal security holes in Android to Google and Windows to Microsoft and not go public?

    On your second part, I have an iPad Air which is already slow with iOS 10 (which was accidentally installed by my daughter, I was planning to not update it beyond iOS 9) but still in working condition. Do you think I should install iOS 11 and kill it then and there and throw it in the dustbin because it became unusable after a software update? Why should I do it?

    Google reports bugs to Apple on a regular basis. Try reading the release notes on an Apple security update. A lot of them are credited to Google’s security research team.
  • Reply 48 of 65
    lkrupp Posts: 10,557 member

    cropr said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Don't shoot the messenger. Apple does not have a history of giving credit to someone who discovered a security bug; on the contrary it tries to deny it and control the communication around it. And now this attitude backfires. Apple is 100% to blame here.

    By the way this issue is really giving me a very bad taste in the mouth about the quality assurance at Apple. The fact that it is so easy to reproduce and that the consequences are so big makes me categorize this as one of the top security issues of the last 5 years in the IT world. No one can any longer point fingers at Android for not being secure without thinking about this issue.
    Utter nonsense. Read the release notes of an Apple security update sometime. They always credit the discoverers of flaws.
    edited November 2017
  • Reply 49 of 65
    macxpress Posts: 5,808 member
    lkrupp said:

    cropr said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Don't shoot the messenger. Apple does not have a history of giving credit to someone who discovered a security bug; on the contrary it tries to deny it and control the communication around it. And now this attitude backfires. Apple is 100% to blame here.

    By the way this issue is really giving me a very bad taste in the mouth about the quality assurance at Apple. The fact that it is so easy to reproduce and that the consequences are so big makes me categorize this as one of the top security issues of the last 5 years in the IT world. No one can any longer point fingers at Android for not being secure without thinking about this issue.
    Utter nonsense. Read the release notes of an Apple security update sometime. They always credit the discoverers of flaws.
    Well you never hear anything on AppleInsider for obvious reasons so apparently Apple never gives credit. 
  • Reply 50 of 65
    larryjw Posts: 1,031 member
    It seems fairly obvious what happened. Normally, the ability to enable root was granted only to an administrator account. The bug was that this was granted to any user.

    Seems a simple fix for a significant security problem. Looks like a few lines of code went missing from previous releases of macOS.

    The last time I logged in as root on a Mac was probably over ten years ago. Root needs to exist on Unix operating systems, but nothing I ever had to do requiring extra privileges can’t be done via sudo.

    I think Apple needs to change the security setup generally. Best practice demands that logging in as an administrator must be the exception and that almost all user activities be from a non-admin account. Out of the box, a macOS admin user must be created, but it should be created with minimal desktop, no need for email, iCloud, Siri, no references to Pages, Numbers, Keynote, or any other feature a working user would need. Then out of the box, macOS should require a second account be created that does not have admin authority, which then walks through the full user setup steps.

    From here on, whenever the system needs to do something requiring admin privileges, it prompts for the admin password, since the current user will always be a user without admin authority.

    This is how I’ve set systems up since forever, which goes back to my first professional jobs in the 1970s, under Unix, and since moving to Macs in 2000.

    It’s malpractice to do otherwise. 


    edited November 2017
  • Reply 51 of 65
    Rayz2016 Posts: 6,957 member
    larryjw said:
    It seems fairly obvious what happened. Normally, the ability to enable root was granted only to an administrator account. The bug was that this was granted to any user.

    Seems a simple fix for a significant security problem. Looks like a few lines of code went missing from previous releases of macOS.

    The last time I logged in as root on a Mac was probably over ten years ago. Root needs to exist on Unix operating systems, but nothing I ever had to do requiring extra privileges can’t be done via sudo.

    I think Apple needs to change the security setup generally. Best practice demands that logging in as an administrator must be the exception and that almost all user activities be from a non-admin account. Out of the box, a macOS admin user must be created, but it should be created with minimal desktop, no need for email, iCloud, Siri, no references to Pages, Numbers, Keynote, or any other feature a working user would need. Then out of the box, macOS should require a second account be created that does not have admin authority, which then walks through the full user setup steps.

    From here on, whenever the system needs to do something requiring admin privileges, it prompts for the admin password, since the current user will always be a user without admin authority.

    This is how I’ve set systems up since forever, which goes back to my first professional jobs in the 1970s, under Unix, and since moving to Macs in 2000.

    It’s malpractice to do otherwise. 


    This is a good idea. For one thing it would discourage people from running as the admin user all the time. 

  • Reply 52 of 65
    Rayz2016 Posts: 6,957 member
    cropr said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Don't shoot the messenger. Apple does not have a history of giving credit to someone who discovered a security bug; on the contrary it tries to deny it and control the communication around it. And now this attitude backfires. Apple is 100% to blame here.

    By the way this issue is really giving me a very bad taste in the mouth about the quality assurance at Apple. The fact that it is so easy to reproduce and that the consequences are so big makes me categorize this as one of the top security issues of the last 5 years in the IT world. No one can any longer point fingers at Android for not being secure without thinking about this issue.
    Well, this isn’t really an Android discussion, but since you decided to bring it up…

    I can rant on about this foul up for another hour, but at the end of the day, this is a screw up in the process. I don’t use Android because I believe the number of vulnerabilities and exploits over the years are down to strategy and design. 

    Is this the top security issue in IT over the past 5 years?

    No.  Any data breach involving millions of users tops it. 
  • Reply 53 of 65
    techno Posts: 737 member
    Correct me if I am wrong, and I am sure someone will.

    Root user is disabled by default. In order to enable it, the person must have some knowledge beyond the average person. That type of person would know to set a password if enabling root. Besides, doesn't it ask you to create a password when enabling root in Directory Utility? Yes, you can just click the OK button without putting in a password.

    The flaw in the system is that you can enable root without a password. But, I hardly call this a dangerous vulnerability for the general public. It should be a very easy fix.
    edited November 2017
  • Reply 54 of 65
    dewme Posts: 5,356 member
    Anything made by humans potentially has flaws, including machines that are designed by humans specifically to avoid the generation of or deal intelligently with the consequences of the human propensity to make mistakes. Getting up on a high horse and mightily posturing, spewing rhetoric about the need for absolute perfection in all things - or else, and demanding that heads must roll for every infraction is nothing more than another incarnation of human frailty, error in judgement, and faulty reason. All humans make mistakes. The smart ones learn from their mistakes, handle problems as avoidable systematic situations, and set themselves up (via closed-loop feedback) to avoid making the same or similar mistakes in the future. The stupid ones yell and scream, handle problems as personal/individual failings, shoot the messenger, punish the guilty, disregard reason, go open-loop, and thus prime themselves for the next wave of problems that will most definitely show up in short order.

    Most of the software that's deployed in modern products and at all levels of system architectures, e.g., Intel's latest discovery of serious security flaws in its Core processors and Apple's macOS, have numerous latent flaws in the code base. Most of these are directly attributable to the massive size and complexity of the software and its multitude of interdependencies with various internal, external, and transient components and services, most of which have numerous latent flaws of their own. Proper, much less timely and cost effective, verification and validation of such a stew of potentially flaw-ridden software seems like an almost impossible task, and it very nearly is. It will never be perfect, much like human DNA is never perfect, but companies like Apple are doing everything they can to make it better.

    I do believe that the aggregate software quality by volume is much better today than it has ever been, mostly due to iterative, incremental, test-driven development, and test automation. But there is an ongoing struggle with growth in both absolute volume and complexity and the number and seriousness of existential threats from nefarious individuals and states has never been higher than it is today. Systems that were gleefully delivered in the 90s with promises to connect everyone into one harmonious online community have been hijacked, weaponized, and turned on their creators and the general public. Companies like Apple are between a rock and a hard place and they are doing an amazing job considering the circumstances. Of course they always have to do better, and they will, but they will absolutely make mistakes and stumble along the way. How they learn from those mistakes is what really matters.  
  • Reply 55 of 65
    Just do not reinvent the wheel with proper testing. AFS replacing HFS+ and then this plus a whole slew of applications for professional work not working. Thank you but we are staying with Sierra until fixes are provided. The last thing we want is to find out that some bastards use our commercial projects in a foreign country for profit.
  • Reply 56 of 65
    techno Posts: 737 member
    Security update just released. 

    https://support.apple.com/en-ca/HT201222
  • Reply 57 of 65
    dewme said:
    Anything made by humans potentially has flaws, including machines that are designed by humans specifically to avoid the generation of or deal intelligently with the consequences of the human propensity to make mistakes. Getting up on a high horse and mightily posturing, spewing rhetoric about the need for absolute perfection in all things - or else, and demanding that heads must roll for every infraction is nothing more than another incarnation of human frailty, error in judgement, and faulty reason. All humans make mistakes. The smart ones learn from their mistakes, handle problems as avoidable systematic situations, and set themselves up (via closed-loop feedback) to avoid making the same or similar mistakes in the future. The stupid ones yell and scream, handle problems as personal/individual failings, shoot the messenger, punish the guilty, disregard reason, go open-loop, and thus prime themselves for the next wave of problems that will most definitely show up in short order.

    Most of the software that's deployed in modern products and at all levels of system architectures, e.g., Intel's latest discovery of serious security flaws in its Core processors and Apple's macOS, have numerous latent flaws in the code base. Most of these are directly attributable to the massive size and complexity of the software and its multitude of interdependencies with various internal, external, and transient components and services, most of which have numerous latent flaws of their own. Proper, much less timely and cost effective, verification and validation of such a stew of potentially flaw-ridden software seems like an almost impossible task, and it very nearly is. It will never be perfect, much like human DNA is never perfect, but companies like Apple are doing everything they can to make it better.

    I do believe that the aggregate software quality by volume is much better today than it has ever been, mostly due to iterative, incremental, test-driven development, and test automation. But there is an ongoing struggle with growth in both absolute volume and complexity and the number and seriousness of existential threats from nefarious individuals and states has never been higher than it is today. Systems that were gleefully delivered in the 90s with promises to connect everyone into one harmonious online community have been hijacked, weaponized, and turned on their creators and the general public. Companies like Apple are between a rock and a hard place and they are doing an amazing job considering the circumstances. Of course they always have to do better, and they will, but they will absolutely make mistakes and stumble along the way. How they learn from those mistakes is what really matters.  
    Ironically, all the points that you made here would apply to Google as well.
  • Reply 58 of 65
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Yes and no. Security through obscurity is an old Microsoft technique. If you do not push those corporations then they will not act fast enough and turn those things into "features". Should this be told to Apple first? Yes. Should they give a deadline to Apple and tell them when this will be public? Yes. Put a knife to the throat of a corporation and then it will act properly, giving priority to what's really important.
  • Reply 59 of 65
    tundraboy Posts: 1,885 member
    The security update has been released.
  • Reply 60 of 65
    Security Update 2017-001 has been released and the Root user disabled again with the update.