Good to see Apple openly admitting that it stumbled and made a mistake, which it has now corrected.
The whole disclosure thing, however, still leaves me feeling cold about current manifestations of human nature and the depths to which they have sunk in terms of respect, consideration, and empathy.
Imagine for a moment that you innocently stumbled upon the fact that the back door of a retail store, say an audio-video store selling big screen TVs, had a broken lock on the back door that the owner didn't know about. Upon closer examination you found that the broken lock would allow you to enter into the storage area of the store and make off with anything in the store's inventory while being completely undetected. Would you:
a. Help yourself to whatever you want in the store's storage area.
b. Call all of your friends and tell them about the broken door lock and potential availability of free stuff for easy pickings.
c. Talk to the store owner and let him or her know what you've stumbled upon.
The person who discovered the root flaw decided answer "b" was the right one in this case. I'm sorry, but this doesn't sit well with me. Maybe our current culture has devolved into one where screwing everyone who's not YOU is standard operating procedure, but it still isn't right. Whether it's some small-time business owner just trying to get by or a multinational company supporting millions of jobs, families, and shareholders, practicing a tiny bit of consideration for once wouldn't kill the guy. Sure, his good deed would go unnoticed compared to the notoriety he's getting now, but so what.
Very well said. For me, there was a huge dollop of “Now’s a chance to make a name for myself” at the heart of this.
Running 10.13 here and the patch isn't available. So unless I updated to 10.13.1 in order to take advantage of 'mythical creatures and more expressive smiley faces' I would never know I had an issue.
This is why you should be keeping your system(s) updated.
“macOS: Come for the mythical creatures and more expressive smiley faces, stay for the security patches.”
I posted on the forum before the patch yesterday that Apple couldn’t create a patch so quickly without doing proper Q.A. (which potentially could break other features).
And here we are.
I was expecting this to be a lame "finger in hole" solution, rather than a design mistake correction or a bug repair. Makes me wonder if they're going to properly fix it in a later edition.
Updates are what brought this flaw to users in the first place.
Excellent. Oh wait, I didn't even have any issue with root user bug, why should I install this patch? Silly.
@Kevin Kee - you do realise that this bug allows anyone who has physical access to your computer to log in as root (higher than Admin privileges) without a password. Also, if you have file sharing turned on anyone can then access your computer as root.
This is the most serious bug I've ever heard of on an Apple device, glad to see Apple were on the ball and released a fix quickly.
@dagaz Apple was most definitely not "on the ball." According to reports, this bug was in the wild for at least several weeks, if not months, and had been discussed publicly on forums. Apple only noticed there was a problem or took it seriously when researchers went to the press this week.
Anyone paying attention to Apple software releases in recent years will have concluded by now that their QA & testing process is totally broken. After this security hole, perhaps the next most memorable facepalm moment was when Apple released an iOS update that prevented you from making phone calls on your iPhone.
Some people at Apple definitely know what they're doing, but the company as a whole keeps dropping the ball when it comes to their software. As a result, I think it's wise to use as little Apple software and services on your Mac as possible, and take proper precautions to lock your Mac down – don't trust their often-vaunted security, because it seems to be mostly marketing.
No matter what one's personal views are on Apple, it must be admitted that this was a really bad thing to let happen for macOS. Even if the ability to exploit this were limited to someone being right there with the computer in question, it's a black mark against Apple's quality assurance processes.
Apple should just shut the place down and return the money to investors.