Apple says fix incoming for macOS High Sierra root access bug

Comments

  • Reply 21 of 65
    Rayz2016 Posts: 6,957 member
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently. 

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Yup. 

    It’s a shame that the most harmful security hole on MacOS so far was discovered by a gloryhound. 
    edited November 2017
  • Reply 22 of 65
    Amateur hour @ Apple. This is one hell of a bug. How can this happen? It means something is really wrong system wide. Bash the discoverer all you want but Apple should be the one to blame here.
  • Reply 23 of 65
    kevin kee Posts: 1,289 member
    Amateur hour @ Apple. This is one hell of a bug. How can this happen? It means something is really wrong system wide. Bash the discoverer all you want but Apple should be the one to blame here.
    Calm down. You need to physically give access for it to work, and even in remote access, the permission to share is required beforehand. It is not as easy as people make you believe. Besides, if it was that serious, Apple could send a patch-fix as early as today. Also, you should always have a password for root. No one can hack you if you have a password.
    edited November 2017
  • Reply 24 of 65
    kevin kee said:
    Amateur hour @ Apple. This is one hell of a bug. How can this happen? It means something is really wrong system wide. Bash the discoverer all you want but Apple should be the one to blame here.
    Calm down. You need to physically give access for it to work, and even in remote access, the permission to share is required beforehand. It is not as easy as people make you believe. Besides, if it was that serious, Apple could send a patch-fix as early as today. Also, you should always have a password for root. No one can hack you if you have a password.
    I'm calm :) But it's a huge risk on the work floor. Apple could not send a patch-fix as early as today because it needs to be QA'd. And even then it takes some days before that gets seeded & installed by users. I own a media company and we're adding root passwords on all systems tomorrow. Many of them are shared for collaboration. I think you're underestimating the impact. 
    It's a very easy fix for us. What's so bad about this is not so much the discovery, but this having been under the radar for so long. Authentication on a Unix system is something that should be secure at all times and be part of the standard deployment Q.A tests. Failing video card drivers, network issues, high-level security issues...all acceptable within reason. This bug? Gross negligence from Apple.
    edited November 2017
  • Reply 25 of 65
    welshdog Posts: 1,897 member
    Rayz2016 said:
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures. 
    Do companies actually test for this sort of thing - clicking on login several times with several other specific conditions in place? Seems like an impossible task to conceive of, test for and then catch this sort of random thing. They'll catch some of these sorts of things, but not all.
  • Reply 26 of 65
    Rayz2016 Posts: 6,957 member
    kevin kee said:
    Amateur hour @ Apple. This is one hell of a bug. How can this happen? It means something is really wrong system wide. Bash the discoverer all you want but Apple should be the one to blame here.
    Calm down. You need to physically give access for it to work, and even in remote access, the permission to share is required beforehand. It is not as easy as people make you believe. Besides, if it was that serious, Apple could send a patch-fix as early as today. Also, you should always have a password for root. No one can hack you if you have a password.
    I’m pretty sure that the vast majority of Mac users have no idea what “root” is. And if root is deactivated then they shouldn’t have to worry about it having a password or not. 

    Apple needs to slam on the development brakes, strip down its entire testing process and find out what went wrong here. This is a level of fail that many of us would be flogging Microsoft/Google/Samsung over, and as we should be holding Cupertino to a higher standard than that, I’m okay with the roasting they’re getting over this. 
    edited November 2017
  • Reply 27 of 65
    Rayz2016 Posts: 6,957 member

    kevin kee said:
    Amateur hour @ Apple. This is one hell of a bug. How can this happen? It means something is really wrong system wide. Bash the discoverer all you want but Apple should be the one to blame here.
    Calm down. You need to physically give access for it to work, and even in remote access, the permission to share is required beforehand. It is not as easy as people make you believe. Besides, if it was that serious, Apple could send a patch-fix as early as today. Also, you should always have a password for root. No one can hack you if you have a password.
    I'm calm :) But it's a huge risk on the work floor. Apple could not send a patch-fix as early as today because it needs to be QA'd. And even then it takes some days before that gets seeded & installed by users. I own a media company and we're adding root passwords on all systems tomorrow. Many of them are shared for collaboration. I think you're underestimating the impact. 
    It's a very easy fix for us. What's so bad about this is not so much the discovery, but this having been under the radar for so long. Authentication on a Unix system is something that should be secure at all times and be part of the standard deployment Q.A tests. Failing video card drivers, network issues, high-level security issues...all acceptable within reason. This bug? Gross negligence from Apple.
    +1
  • Reply 28 of 65
    When I set up my Mac after a clean install I'll be an admin user; however, once I'm done I revert to a standard user and I have another account set up that I can use for admin privileges when necessary. I think this is best practice. Would it not be the case that if one is running as a non-admin user this exploit would be unavailable, because you need to be an admin user in order to enable the root user to use the exploit?
  • Reply 29 of 65
    Rayz2016 Posts: 6,957 member
    welshdog said:
    Rayz2016 said:
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures. 
    Do companies actually test for this sort of thing - clicking on login several times with several other specific conditions in place? Seems like an impossible task to conceive of, test for and then catch this sort of random thing. They'll catch some of these sorts of things, but not all.
    This is an excellent point, but the problem is not what is happening on the screen; the problem is what is going on underneath it. The weirdness of just trying again and getting through points to a logic problem that could not only be tested for, but should have been programmed defensively against. And I’m pretty sure that Apple has done something similar before. 

    Modern software is hard work, so rather than trying to catch every edge case, it’s often easier to look at your code and say, “Right, under no circumstances should THIS ever happen. If we find ourselves in this state, and it doesn’t matter how we got here, log out.”

    And as I said the last time they were this careless:

    The level of fail here is so high I cannot find a meme offensive enough to express it. 
    edited November 2017
  • Reply 30 of 65
    Rayz2016 Posts: 6,957 member
    macxpress said:
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
    By default, the root user is disabled in macOS so changing the password initially wouldn't really do anything. Regardless, my 74yr old dad who uses an iMac is not going to know to go set a root password, nor did he even know this exists or what it does. Millions of people are in the same boat. A general user shouldn't have to worry about this in the first place. This is all on Apple. 
    We have gotten used to the idea that OS X is just easy to use. In this day and age though, knowing some basic things about your computing devices and how to secure them is vital.

    Yes, maybe Apple is at fault here. But I stand behind my comment that it is basic security 101 to set the root password, just like you would set the local administrator account's password on Windows.
    And I stand by my comment that, even in this day and age, this is not something Apple should be expecting its average customer to know how to do, because if they do expect that then it doesn’t “just work”.  
    edited November 2017
  • Reply 31 of 65
    dysamoria Posts: 3,430 member
    So the "black password" typo is Apple's? They can't even proofread a statement before release anymore?
  • Reply 32 of 65
    Weird. I set a root password eons ago, Leopard or Snow Leopard, or whatever -- I forget. (My iMac is that old.) I just assumed that it remained set throughout all the subsequent OS updates. I never checked it, because although I do use sudo, I never log in as root. Imagine my surprise to discover that, as far as High Sierra was concerned, no root password had been set. Go figure....
    edited November 2017
  • Reply 33 of 65
    Rayz2016 said:
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures. 
    The issue cannot tolerate much speculation. One thing is clear, this is very unusual, very bad, and is something that doesn’t fit into the usual patterns of bugs. As such, it can only happen once since Apple will take necessary measures to prevent similar incidents.
  • Reply 34 of 65
    Rayz2016 said:
    welshdog said:
    Rayz2016 said:
    And the person(s) responsible for this bug should be dealt with appropriately. This is not by accident.
    Even if it was deliberate, such a glaring security hole should have been caught somewhere along the line. 

    This is a perfect storm of epic failures. 
    Do companies actually test for this sort of thing - clicking on login several times with several other specific conditions in place? Seems like an impossible task to conceive of, test for and then catch this sort of random thing. They'll catch some of these sorts of things, but not all.
    This is an excellent point, but the problem is not what is happening on the screen; the problem is what is going on underneath it. The weirdness of just trying again and getting through points to a logic problem that could not only be tested for, but should have been programmed defensively against. And I’m pretty sure that Apple has done something similar before. 

    Modern software is hard work, so rather than trying to catch every edge case, it’s often easier to look at your code and say, “Right, under no circumstances should THIS ever happen. If we find ourselves in this state, and it doesn’t matter how we got here, log out.”

    And as I said the last time they were this careless:

    The level of fail here is so high I cannot find a meme offensive enough to express it. 
    If so, then that is your clue.
  • Reply 35 of 65
    fastasleep said:
    I just did it on a random Mac in my office just now and screenshared into a brand new root Desktop. From there you can do anything.
    Boy do I envy you. Working in an office with Macs. I used to work with Macs, but they were migrating to Windows during my 2nd week there.
  • Reply 36 of 65
    stuke said:
    Welcome to the world of “hurry up and push it out before we really finish.” Apple, of all people!

    Exactly! That's why I'm getting the HomePod in time for Christmas!! /s
  • Reply 37 of 65
    Actually the enabling of root and even its compromise is no longer as critical as it sounds because Apple has introduced the "rootless" mode with El Capitan. Officially this is called "System Integrity Protection" and disabling it is not a trivial task. All critical root functions are assigned to processes signed by Apple. So, don't worry, you cannot be your machine's "root" even if you enable the Root user, no one can be. Apple itself is your machine's actual "root" user since El Capitan.

    https://support.apple.com/en-us/HT204899

    edited November 2017
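    Two mitigations come up in this thread: setting (or disabling) the root account's password, as discussed in Reply 30, and relying on System Integrity Protection, as described in Reply 37. The shell script below is an added example, not Apple's tooling and not code posted by any commenter: it turns those two checks into an audit that can be run across a fleet of Macs. The parsing functions take the text that `dscl` and `csrutil` print as an argument, so they can be exercised with constructed sample output on any system; only `run_audit` invokes the real commands, and only on macOS. The `;DisabledUser;` and `;ShadowHash;` markers and the "No such key" wording are assumptions about how the root record looks on a given build and should be confirmed on your own machines before the results are trusted.

```shell
#!/bin/sh
# Added audit helper for the root-account and SIP state of a Mac.
# Not Apple's code and not from the thread; marker strings are assumptions.

# Classify root-account state from:
#   dscl . -read /Users/root AuthenticationAuthority
# Assumed markers (verify on your build):
#   ";DisabledUser;"  -> root has been disabled (e.g. via dsenableroot -d)
#   ";ShadowHash;"    -> root is enabled and carries a password hash
#   "No such key"     -> root has never had a password record set
classify_root() {
  case "$1" in
    *";DisabledUser;"*) echo "root-disabled" ;;
    *";ShadowHash;"*)   echo "root-enabled-with-password" ;;
    *"No such key"*)    echo "root-no-password-record" ;;
    *)                  echo "unknown" ;;
  esac
}

# Classify SIP state from the line `csrutil status` prints.
classify_sip() {
  case "$1" in
    *"status: enabled"*)  echo "sip-enabled" ;;
    *"status: disabled"*) echo "sip-disabled" ;;
    *)                    echo "unknown" ;;
  esac
}

# Reduce the two classifications to one finding for a fleet report.
# A root record with no password gets priority: that is the state the
# thread is about, and SIP does not make it safe to leave it as it is.
finding() {
  root_state="$1"
  sip_state="$2"
  if [ "$root_state" = "root-no-password-record" ]; then
    echo "ACTION: set a root password (sudo passwd root) or disable root (sudo dsenableroot -d)"
  elif [ "$sip_state" = "sip-disabled" ]; then
    echo "ACTION: re-enable System Integrity Protection from Recovery"
  elif [ "$root_state" = "unknown" ] || [ "$sip_state" = "unknown" ]; then
    echo "REVIEW: unrecognised output, inspect the machine by hand"
  else
    echo "OK: $root_state, $sip_state"
  fi
}

# Run the real commands on macOS; elsewhere fall back to constructed
# sample output so the logic can be exercised offline.
run_audit() {
  if [ "$(uname -s)" = "Darwin" ]; then
    root_out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    sip_out=$(csrutil status 2>&1)
  else
    # Constructed sample output in the shape the commands print on macOS.
    root_out="No such key: AuthenticationAuthority"
    sip_out="System Integrity Protection status: enabled."
  fi
  finding "$(classify_root "$root_out")" "$(classify_sip "$sip_out")"
}

run_audit
```

    The script reports the root-password finding ahead of the SIP finding on purpose: SIP restricts what root can do to protected system locations, but, as Reply 29 points out for shared workstations, a root login with no password still exposes every user's files and settings, so it is the state an administrator wants to clear first.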
  • Reply 38 of 65
    I remember that there was a huge bug in OSX introduced by one extra line of code copied by a coder. I suspect this might be a similar accident. Someone was working on enabling "root" privilege, the logic somehow got screwed up and left open a huge hole. 
  • Reply 39 of 65
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently. 

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.

    What if the person who discovered the bug works for Google or Samsung or Huawei? Even then, would you expect that person to report the issue to Apple first? In a similar vein, would you expect Apple's security team to reveal security holes in Android to Google and windows to Microsoft and not go public?

    On your second part, I have an iPad Air which is already slow with iOS 10 (which was accidentally installed by my daughter; I was planning to not update it beyond iOS 9) but still in working condition. Do you think I should install iOS 11 and kill it then and there and throw it in the dustbin because it became unusable after a software update? Why should I do it?

  • Reply 40 of 65
    cropr Posts: 1,122 member
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently. 

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Don't shoot the messenger. Apple does not have a history of giving credit to someone who discovered a security bug; on the contrary it tries to deny it and control the communication around it. And now this attitude backfires. Apple is 100 % to blame here. 

    By the way, this issue is really giving me a very bad taste in the mouth about the quality assurance at Apple. The fact that it is so easy to reproduce and that the consequences are so big makes me categorize this as one of the top security issues of the last 5 years in the IT world. No one can any longer point a finger at Android for not being secure without thinking about this issue.