Apple says fix incoming for macOS High Sierra root access bug

Comments

  • Reply 61 of 65
    lkrupp said:
    I want to make it clear that I think the person who discovered this problem is a complete douchebag. He made this a zero day exploit by announcing it to the world without alerting Apple beforehand. The responsible and ethical thing to do would have been to inform Apple of the problem through the proper channels and allow them to fix it before going public. But no, he informed Apple and the world with a damned tweet apparently.

    I also want to say that I think users who pick and choose whether to apply updates based on perceived problems are idiots and morons. You see it all the time in the forums and Apple discussion threads. “I won’t install such and such update because somebody said it breaks such and such app.” Blathering idiocy and this flaw proves it. Apply updates when they are released. Okay, wait a few days if you must but DO IT.
    Yes and no. Security through obscurity is an old Microsoft technique. If you do not push those corporations then they will not act fast enough and turn those things into "features". Should this be told to Apple first? Yes. Should they give a deadline to Apple and tell them when this will be public? Yes. Put a knife to the throat of a corporation and then it will act properly, giving priority to what's really important.
    Too much street ideology. Compromising professional discipline and justifying malpractice cannot be explained away with the sublime goal of "putting the knife to the throat of the corporation". No corporation will be affected by five-minute-long heroism or tw/spits.
  • Reply 62 of 65
    dysamoria Posts: 3,430 member
    techno said:
    Correct me if I am wrong, and I am sure someone will.

    Root user is disabled by default. In order to enable it, the person must have some knowledge beyond the average person. That type of person would know to set a password if enabling root. Besides, doesn't it ask you to create a password when enabling root in Directory Utility? Yes, you can just click the OK button without putting in a password.

    The flaw in the system is that you can enable root without a password. But, I hardly call this a dangerous vulnerability for the general public. It should be a very easy fix.
    It's dangerous because users in the general public can be vulnerable to someone else using the exploit (such as through screen sharing, for example; there are countless scummy "help" businesses that'll get users to share screens for "tech support"). 
  • Reply 63 of 65
    welshdog Posts: 1,897 member
    dewme said:
    Systems that were gleefully delivered in the 90s with promises to connect everyone into one harmonious online community have been hijacked, weaponized, and turned on their creators and the general public. 
    And the situation today is proof that humans were not ready for such freedom and responsibility. We can't go on with things the way they are. Already we see instability in world systems and governments that can be directly linked to abuse of technology that was designed by techno-pollyannas who have foisted an electronic Pandora's box upon us due to their short-sightedness or outright stupidity. Humans have fallen for this sort of thing before: cars with their phenomenal utility and freedom combined with gross pollution and multitudinous environmental impacts; chemical products of almost unlimited uses and variety along with air pollution, water pollution and human physiological harm; genetic engineering with its potential to utterly change what life actually is and yet almost no controls or governance to ensure it doesn't go horribly wrong. Hey, we like our modern tech, but we have not handled it wisely and still aren't.
  • Reply 64 of 65
    techno said:
    Correct me if I am wrong, and I am sure someone will.

    Root user is disabled by default. In order to enable it, the person must have some knowledge beyond the average person. That type of person would know to set a password if enabling root. Besides, doesn't it ask you to create a password when enabling root in Directory Utility? Yes, you can just click the OK button without putting in a password.

    The flaw in the system is that you can enable root without a password. But, I hardly call this a dangerous vulnerability for the general public. It should be a very easy fix.
    Anyone sitting with Screen Sharing turned on while on public Wi-Fi could have anyone spot them in Bonjour in the Finder, click screen sharing and do this exploit, and instantly have full visual root access to that person’s Mac via Screen Sharing. How is that not dangerous?
  • Reply 65 of 65
    nht Posts: 4,522 member
    macxpress said:
    Quick question?  Why would you not have set the root password ahead of time?  Sure, the fact that the “bug” exposes the account is serious. But, I learned when I first started working with OS X that you set the root password so as to avoid these issues.

    Are you telling me that there are millions of OS X machines out there with blank passwords on the root account?  That would be like leaving the Administrator account on Windows set to a default or blank password.

    I do hope that Apple makes people set a different password on the root account in the future. 
    By default, root user is disabled in macOS, so changing the password initially wouldn't really do anything. Regardless, my 74-year-old dad who uses an iMac is not going to know to go set a root password, nor did he even know this exists or what it does. Millions of people are in the same boat. A general user shouldn't have to worry about this in the first place. This is all on Apple.
    We have gotten used to the idea that OS X is just easy to use. In this day and age, though, knowing some basic things about your computing devices and how to secure them is vital.

    Yes, maybe Apple is at fault here. But I stand behind my comment that it is basic security 101 to set the root password, just like you would set the local administrator account's password on Windows.
    Basic security is to disable root and have folks sudo. This isn’t Windows.