Apple says fix incoming for macOS High Sierra root access bug

Posted in macOS, edited November 2017
Following revelations that a serious bug in macOS High Sierra allows anyone root access to Macs running Apple's latest operating system, the company on Tuesday said it is working on a fix that will be pushed out in a coming software update.

In identical statements to The Loop's Jim Dalrymple and iMore's Rene Ritchie, Apple says it is crafting a patch for a major macOS High Sierra security hole that grants root-level access to a logged-in Mac.

"We are working on a software update to address this issue," Apple said. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a black [sic] password is not set, please follow the instructions from the 'Change the root password' section."

Discovered earlier today, the flaw allows anyone to log in as a Mac's "root" System Administrator account without a password. In practice, the exploit merely requires an authentication prompt in System Preferences: typing the username "root" with an empty password, and retrying if the first attempt is refused, unlocks the pane, and the whole thing takes a matter of seconds. Nefarious users can also exploit the bug to bypass a Mac's lock screen.

Beyond those with direct, physical access to a vulnerable Mac, the hole can also be exploited remotely where Screen Sharing, Remote Management or another VNC session is enabled, because the remote login prompt accepts the same empty root password. Users should disable those features until Apple's update arrives.

AppleInsider's earlier report, published when the vulnerability was first aired today, suggested disabling the Root User under System Preferences, but that is not a fix: the disabled, password-less root account is the default state the bug abuses, and the exploit effectively enables the account with an empty password. Re-disabling root later puts the Mac straight back into the vulnerable state. The effective workaround, and the one Apple suggests, is to enable the root account (Directory Utility > Edit > Enable Root User, or sudo dsenableroot in Terminal), set a strong password, and, if root was already enabled, confirm that its password is not blank.
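A small audit script for the two workarounds above (an enabled root account with a real password, and remote access turned off), added here as an example; it is not from the article and not Apple's own tooling. It reads root's AuthenticationAuthority record with dscl and classifies it, prints the remediation Apple's statement calls for, and reports whether the Screen Sharing launch daemon is loaded. The attribute tokens it matches (;DisabledUser;, ;ShadowHash;, the "No such key" error) and the com.apple.screensharing job label are assumptions about how macOS records this state, not facts from the page; confirm them on your own machine before relying on the output.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): audit the root-account
# workaround and remote-access exposure for the High Sierra root bug.
# Assumptions: macOS records account state in the AuthenticationAuthority
# attribute using the tokens matched below, and Screen Sharing runs as the
# launchd job com.apple.screensharing. Verify both on your own system.

# Classify the output of: dscl . -read /Users/root AuthenticationAuthority
# Prints one of:
#   NO-AUTHORITY  attribute absent (root never given a password): an empty
#                 password typed at a prompt is let through in this state
#   DISABLED      root disabled; the bug re-enables it, so this is NOT safe
#   ENABLED       root enabled with a shadow hash; make sure it is not blank
#   UNKNOWN       anything else (e.g. dscl did not run as expected)
classify_root_auth() {
  case "$1" in
    *"No such key: AuthenticationAuthority"*) echo NO-AUTHORITY ;;
    *";DisabledUser;"*)                       echo DISABLED ;;
    *";ShadowHash;"*)                         echo ENABLED ;;
    *)                                        echo UNKNOWN ;;
  esac
}

# The remediation Apple's statement calls for: an enabled root account with a
# real password. dsenableroot prompts for your admin password and a new root
# password; 'passwd root' changes it if root is already enabled.
remediation_for() {
  case "$1" in
    ENABLED) echo "root is enabled: confirm its password is not blank (sudo passwd root)" ;;
    *)       echo "enable root and set a strong password: sudo dsenableroot" ;;
  esac
}

# Report whether Screen Sharing is loaded (the remote path the article warns
# about). launchctl list needs root to see system daemons, so run under sudo.
# Does nothing where launchctl is absent (non-macOS hosts).
remote_exposure() {
  command -v launchctl >/dev/null 2>&1 || return 0
  if launchctl list 2>/dev/null | grep -q 'com.apple.screensharing'; then
    echo "Screen Sharing is loaded; turn it off in System Preferences > Sharing until the update is installed"
  fi
}

# Run the audit. On macOS the attribute is read live; elsewhere (or for a
# captured value) pass the dscl output as the first argument.
audit_root() {
  if command -v dscl >/dev/null 2>&1; then
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  else
    out=$1
  fi
  state=$(classify_root_auth "$out")
  echo "root account state: $state"
  remediation_for "$state"
  remote_exposure
}

# Constructed sample of the attribute for a disabled root account (not captured
# from a real machine); used for the demo run where dscl is unavailable.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

audit_root "$SAMPLE_DISABLED"
```

Run it as `sudo sh audit_root.sh` on the Mac being checked; anything other than ENABLED means the account still needs a password set, and ENABLED alone does not prove the password is non-empty, which is why the script points at `passwd root`. Remote Management (ARD) is not a launchd job this script looks for; turn it off in System Preferences > Sharing as the article advises.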

Apple did not provide a release timeline, but given that the bug hands out unrestricted system-level access and is trivial to exploit, a software update should be out soon.

Comments

  • Reply 1 of 65
    Well, this is how it should be. Immediate response when there is a really terrible bug.
  • Reply 2 of 65
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
  • Reply 3 of 65
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Maybe James Comey had a mole working under Craig Federighi.
  • Reply 4 of 65
    Well, this is how it should be. Immediate response when there is a really terrible bug.
    Hate to say it but... under Steve, Apple would be totally silent for weeks until they finally acknowledged it when they released a patch. At least... this is how any other major issue was dealt with.
  • Reply 5 of 65
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
  • Reply 6 of 65
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
    By default, root user is disabled in macOS so changing the password initially wouldn't really do anything. Regardless, my 74yr old dad who uses an iMac is not going to know to go set a root password, nor did he even know this exists or what it does. Millions of people are in the same boat. A general user shouldn't have to worry about this in the first place. This is all on Apple.
  • Reply 7 of 65
    lkrupp
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    edited November 2017
  • Reply 8 of 65
    mknelson
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Your evidence?
  • Reply 9 of 65
    macxpress said:
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
    By default, root user is disabled in macOS so changing the password initially wouldn't really do anything. Regardless, my 74yr old dad who uses an iMac is not going to know to go set a root password, nor did he even know this exists or what it does. Millions of people are in the same boat. A general user shouldn't have to worry about this in the first place. This is all on Apple.
    We have gotten used to the idea that OS X is just easy to use. In this day and age though, knowing some basic things about your computing devices and how to secure them is vital.

    Yes, maybe Apple is at fault here. But I stand behind my comment that it is basic security 101 to set the root password, just like you would set the local administrator account's password on Windows.
  • Reply 10 of 65
    macxpress
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Completely agree 1000% on everything you said.
  • Reply 11 of 65
    stuke
    Welcome to the world of “hurry up and push it out before we really finish.”  Apple, of all people!
  • Reply 12 of 65
    The third paragraph of this story has an important link to instructions for how to protect your Mac from this serious bug, but the link is not clickable, so I had to copy and paste it...That should probably be fixed. But maybe Lemi Orhan Ergin, the guy who found it, released it immediately to embarrass Apple into offering bug bounties for Mac security vulnerabilities like most companies do, and like Apple has for iOS. Whether or not it should have immediately been disclosed, Apple should still make Mac OS X the best desktop platform possible, and a bug bounty would help. But Mac OS 10.10 (Yosemite) also had a root access bug, which Ars Technica said in Aug 2013 was reported 5 months earlier. And there was another one in 2003.
  • Reply 13 of 65
    macxpress said:
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
    By default, root user is disabled in macOS so changing the password initially wouldn't really do anything. Regardless, my 74yr old dad who uses an iMac is not going to know to go set a root password, nor did he even know this exists or what it does. Millions of people are in the same boat. A general user shouldn't have to worry about this in the first place. This is all on Apple.
    We have gotten used to the idea that OS X is just easy to use. In this day and age though, knowing some basic things about your computing devices and how to secure them is vital.

    Yes, maybe Apple is at fault here. But I stand behind my comment that it is basic security 101 to set the root password, just like you would set the local administrator account's password on Windows.
    It's not security 101 — most Mac users don't even know the root account exists, much less how to enable it, much less set a password for it. In all my years, I've enabled the root user once to do something (don't recall what) and disabled it again, but that's it. Never set a password on it once.

    Also note that you'd have to have an *enabled* root account with a strong password to prevent this exploit. If you revert it to disabled again, as it is by default in macOS, you're vulnerable again. So not sure what you mean about security 101.
    edited November 2017
  • Reply 14 of 65
    macxpress said:
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Completely agree 1000% on everything you said. 
    Ditto!

  • Reply 15 of 65
    jdw
    ...to ensure a black password is not set...
    As opposed to an ORANGE password?
  • Reply 16 of 65
    Is this bug on El Capitan with the latest patches?
  • Reply 17 of 65
    kevin kee
    jdw said:
    ...to ensure a black password is not set...
    As opposed to an ORANGE password?
    It's obviously a BLANK password, duh.

    Question, does this impact a single-user machine with guest login disabled? Because on my login page, I can't even switch the username, let alone log in to root.
    edited November 2017
  • Reply 18 of 65
    Is this bug on El Capitan with the latest patches?
    FTFA: "a serious bug in macOS High Sierra"
  • Reply 19 of 65
    Rayz2016
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures.
  • Reply 20 of 65

    Beyond those who have direct access to a vulnerable Mac, the security hole also works remotely in certain scenarios where screen sharing, remote access or VNC sessions are enabled. Users should disable those features until Apple's update arrives.

    I feel like this is terribly understated — anyone with screen sharing or remote management turned on (for example, may affect file sharing and others too) and sitting on a public wifi network can be discovered and exploited via Bonjour in a matter of seconds. I just did it on a random Mac in my office just now and screenshared into a brand new root Desktop. From there you can do anything.