Apple software sees disastrous, embarrassing week with iOS springboard crash, macOS root u...


Comments

  • Reply 61 of 119
    nhughes said:
    osmartormenajr said:
    The macOS flaw was serious, but patched within a day almost. 
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. But it was not patched within a day.
    No, it wasn't publicized. There are established bug and vulnerability reporting channels. The guy who suggested it as a solution in a forum has been severely brushed by other members of the forum for not reporting that zero-day to Apple, and the dude had to defend himself. And some other dude tried it, then he noticed it was already mentioned in that forum but still not cured, and he decided to go loud on Twitter.

    How many zero-day vulnerabilities have been caught like that? Especially in the Windows and Linux worlds? More than 99% of zero-days go unnoticed by the general public. Why? Because there is a market for those. Criminals and secret services buy these zero-day vulnerabilities to develop spyware and other malware. Some skilled dark-minded people look for these zero-days not to report them to Apple or Microsoft but to sell them on the black market. The truth is that zero-day vulnerabilities are a reality of computing. As long as development occurs, zero-day vulnerabilities will occur. You cannot blame Apple for that. You cannot blame Apple either for zero-days going to the black market instead of legitimate bug discovery and communication channels. On the contrary, you must be happy to witness how quickly Apple reacted to a zero-day vulnerability revealed by the vigilance of its user base. The rest is corporate management saga. Apple has enough experience and talented people to rewrite its history.
    edited December 2017 StrangeDays
  • Reply 62 of 119
    I would never understand an Apple apologist or have empathy for them. Apple software quality has clearly been declining for a few years. iOS and macOS have embarrassing bugs affecting everyday quality of life and use with Apple devices. If you deny this, you are not objective and you think what you want to think. Apple needs to severely improve their software quality.
    The other day I tried to scan documents in my iOS Notes (the new feature they released with Notes). When you do that, and save the PDF to iCloud Drive, it does not let you rename the scanned documents to something meaningful. It will only append 1, 2, 3, etc. at the end of the generic file name. That is, when it works and doesn't just hang there frozen. So, this is not a big deal, but it does show that details are not sweated any longer as they used to be. I understand they have more and more features to sweat the details on, but they also have grown as a company. That's one. Another one I haven't gotten to the bottom of is how come phone calls are not routed to the Lightning adapter featuring the 3.5 analog jack, only music and other audio. I use one of those dongles that lets you charge your phone while in the car (GPS), and also hook up to the car's AUX port for audio. So, yeah, headphone jack removed, and I had to buy a dongle, but what the heck, it doesn't work. So Apple, to me at least, doesn't "just work" as much as it used to.
  • Reply 63 of 119
    nhughes said:
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. [...]
    No, it wasn't publicized. There are established bug and vulnerability reporting channels. The guy who suggested it as a solution in a forum has been severely brushed by other members of the forum for not reporting that zero-day to Apple, and the dude had to defend himself. And some other dude tried it, then he noticed it was already mentioned in that forum but still not cured, and he decided to go loud on Twitter. [...]
    Yes. If anyone catches heat for this, it will be the people who oversee the Developer and AppleSeed forums and reporting channels. Apple should have known about it, but didn't. Something went wrong there. 

    I used to be a regular AppleSeed participant on the permanent list, back in the day, due to my particular knowledge of Chinese-language computing -- I don't have time to do it these days and I don't get the invitations anymore, but reporting bugs (and testing fixes) was our sole purpose. But this discovery was in a developer forum, where the priorities are a little different. Still, it should have been reported, and I guess maybe that didn't happen?

    If it was reported in the proper channels, but was ignored, then that's a big problem. How did the guy who first found it defend himself? By saying he did in fact report it? Have the developer forums and reporting mechanisms gotten so big and unwieldy that something as serious as this can get lost in the noise?
    edited December 2017
  • Reply 64 of 119
    nhughes said:
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. [...]
    No, it wasn't publicized. There are established bug and vulnerability reporting channels. The guy who suggested it as a solution in a forum has been severely brushed by other members of the forum for not reporting that zero-day to Apple, and the dude had to defend himself. And some other dude tried it, then he noticed it was already mentioned in that forum but still not cured, and he decided to go loud on Twitter. [...]
    Yes. If anyone catches heat for this, it will be the people who oversee the Developer and AppleSeed forums and reporting channels. Apple should have known about it, but didn't. Something went wrong there. 

    I used to be a regular AppleSeed participant on the permanent list, back in the day, due to my particular knowledge of Chinese-language computing -- I don't have time to do it these days and I don't get the invitations anymore, but reporting bugs (and testing fixes) was our sole purpose. But this discovery was in a developer forum, where the priorities are a little different. Still, it should have been reported, and I guess maybe that didn't happen?

    If it was reported in the proper channels, but was ignored, then that's a big problem. How did the guy who first found it defend himself? By saying he did in fact report it? Have the developer forums and reporting mechanisms gotten so big and unwieldy that something as serious as this can get lost in the noise?
    The last guy is a web developer. The first guy apparently keeps a low profile. Both of them may not be seasoned macOS/iOS developers. Web and Mac development cultures are significantly different. They may not be aware of Apple's proper bug submission channels; if they used whatever "Contact Us" form they found, being informed of the bug and cataloguing it may take more time than with the appropriate channels. Anyway, let's be realistic: do we read every message in Apple support forums besides going from page to page with quick glances? In a general discussion forum and in loose-leaf talk the moderator may have failed to notice it, unless that forum is specifically dedicated to bug reporting, which it is not.
    edited December 2017 randominternetperson
  • Reply 65 of 119
    asdasd Posts: 5,686 member
    nhughes said:
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. [...]
    No, it wasn't publicized. There are established bug and vulnerability reporting channels. The guy who suggested it as a solution in a forum has been severely brushed by other members of the forum for not reporting that zero-day to Apple, and the dude had to defend himself. And some other dude tried it, then he noticed it was already mentioned in that forum but still not cured, and he decided to go loud on Twitter. [...]
    Yes. If anyone catches heat for this, it will be the people who oversee the Developer and AppleSeed forums and reporting channels. Apple should have known about it, but didn't. Something went wrong there. 

    I used to be a regular AppleSeed participant on the permanent list, back in the day, due to my particular knowledge of Chinese-language computing -- I don't have time to do it these days and I don't get the invitations anymore, but reporting bugs (and testing fixes) was our sole purpose. But this discovery was in a developer forum, where the priorities are a little different. Still, it should have been reported, and I guess maybe that didn't happen?

    If it was reported in the proper channels, but was ignored, then that's a big problem. How did the guy who first found it defend himself? By saying he did in fact report it? Have the developer forums and reporting mechanisms gotten so big and unwieldy that something as serious as this can get lost in the noise?
    There’s a myth grown up on this forum, based largely on bog all evidence, that the Apple developer forums are for developers to talk amongst themselves. In fact, while other external developers can help, these forums, which you have to log into with your developer ID to access (therefore it costs $99), are for talking to Apple and Apple engineers. And on many sub-forums the Apple engineers are excellent. On this one, they were absent.
  • Reply 66 of 119
    radarthekat Posts: 3,842 moderator
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    The Note 7 burning someone’s SUV to the floorboards qualifies as? I would think ‘disaster’ would be reserved for such.
    randominternetpersonStrangeDays
  • Reply 67 of 119
    iPad Pro Gen 2 12.9” iOS 11.2 Safari frozen and Chrome cannot load! What’s happening to Apple? :-(
  • Reply 68 of 119
    This is the kind of thing that happens when the government hands you gag orders and forces you to implement backdoors.
  • Reply 69 of 119
    nhughes Posts: 770 editor
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    The Note 7 burning someone’s SUV to the floorboards qualifies as? I would think ‘disaster’ would be reserved for such.
    I already weighed in on this a few comments later. Not all disasters are equivalent, and I still don’t think the word disaster is hyperbole for this series of incidents. It’s a very bad, no good, shitty week for Apple and its reputation. And I hope they will (and fully expect them to) turn it around. 
    edited December 2017
  • Reply 70 of 119
    Rayz2016 Posts: 6,957 member
    This is the kind of thing that happens when the government hands you gag orders and forces you to implement backdoors.
    Nice try, but no. 

    Back doors are not built in the front. 
    edited December 2017 StrangeDays
  • Reply 71 of 119
    Rayz2016 Posts: 6,957 member

    asdasd said:
    nhughes said:
    Supposedly the flaw was publicized on Apple’s developer forums months ago, over the summer. It just didn’t get wide publicity until Tuesday. [...]
    No, it wasn't publicized. There are established bug and vulnerability reporting channels. The guy who suggested it as a solution in a forum has been severely brushed by other members of the forum for not reporting that zero-day to Apple, and the dude had to defend himself. And some other dude tried it, then he noticed it was already mentioned in that forum but still not cured, and he decided to go loud on Twitter. [...]
    Yes. If anyone catches heat for this, it will be the people who oversee the Developer and AppleSeed forums and reporting channels. Apple should have known about it, but didn't. Something went wrong there. 

    I used to be a regular AppleSeed participant on the permanent list, back in the day, due to my particular knowledge of Chinese-language computing -- I don't have time to do it these days and I don't get the invitations anymore, but reporting bugs (and testing fixes) was our sole purpose. But this discovery was in a developer forum, where the priorities are a little different. Still, it should have been reported, and I guess maybe that didn't happen?

    If it was reported in the proper channels, but was ignored, then that's a big problem. How did the guy who first found it defend himself? By saying he did in fact report it? Have the developer forums and reporting mechanisms gotten so big and unwieldy that something as serious as this can get lost in the noise?
    There’s a myth grown up on this forum, based largely on bog all evidence, that the Apple developer forums are for developers to talk amongst themselves. In fact, while other external developers can help, these forums, which you have to log into with your developer ID to access (therefore it costs $99), are for talking to Apple and Apple engineers. And on many sub-forums the Apple engineers are excellent. On this one, they were absent.

    Where’s the myth? The conversation in the thread was not actually about the root bug. It was about something else that some fella used the root bug to fix. I certainly don’t expect Apple engineers to monitor every single conversation on the off-chance that developers might discover something they need to know. The proper channel is to fill out a bug report, which no one did.

    This was a failure in the quality assurance process, not a failure in the underlying programming language, nor was it a failure in message board reading. 

    But having said that, I wonder if Apple could look at some sort of AI solution for monitoring developer forums. 


    StrangeDays
  • Reply 72 of 119
    Rayz2016 Posts: 6,957 member

    If it was reported in the proper channels, but was ignored, then that's a big problem. How did the guy who first found it defend himself? By saying he did in fact report it? Have the developer forums and reporting mechanisms gotten so big and unwieldy that something as serious as this can get lost in the noise?
    The guy said he was not a professional hacker so it wasn’t his job to report it. 
    edited December 2017
  • Reply 73 of 119
    I think there are two separate issues:

    1) QA failed with the root access bug, and it seems that if a fundamental access issue happened then something significant has happened underneath the hood of macOS that they haven't really touted. This in turn means that significant changes have happened and that more bugs are potentially in the wind.

    2) The date bug is odd. What's the significance of the date where the issue happened (I'd be looking at programmers' birthdays for a start)? But this is a problem that even QA would have difficulty finding, as it occurs on a date, and it would be hard to test every single date to see if an issue is going to happen.

    The timing of the two is unfortunate and, as Neil has said, it's a bad week at the office for Apple. They also responded very quickly to a significant issue, even at the expense of releasing a beta with the Apple Pay function not actually ready, but they should have noted that prior to the release in the update notes.

    Apple has copped it sweet and admitted the fault and expedited the resolution, and life rolls on. I hope that they make sure that the information is more widely distributed so that non-tech people get on the bandwidth and update as well (regardless of the negative publicity).

    Apple has been trying to manage these sorts of issues better with more widespread beta versions to try and find problems that have not come out on routine screening, but as the software becomes more complex it becomes harder to run all the scenarios that may happen, and we have to expect that every so often a big bug gets through. As long as they recognise it early and fix it quickly, then that's the best that can happen.

    Cheers Dr Hawk
    randominternetperson
  • Reply 74 of 119
    Rayz2016 Posts: 6,957 member
    And it’s good that the company realises how badly they’ve screwed up, even if some folk here don’t. 

    And I don’t agree that someone should necessarily get fired for this, especially if this is a problem with the way the development process is managed. 


    muthuk_vanalingam
  • Reply 75 of 119
    vmarks Posts: 762 editor
    kruegdude said:
    nhughes said:
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    By the same exact token -- just because some people experienced problems doesn't mean many or most did. I've been with family all through and after Thanksgiving, all Apple devices, and none of us were in a living nightmare because none of us experienced any problems. Sure, bugs exist, but the way the techie echo chamber makes it out you'd think everyone's devices were failing everywhere. They aren't.
    If you found out that your front door lock didn't work properly, even though no one actually took advantage of it and broke into your home, would you give the lock company a pass for their mistake? The root bug in macOS is an embarrassment for Apple, and they deserve to be taken to task for it.

    My iPhone X was not affected by the iOS 11.1.2 bug, but my wife's was. Took multiple attempts to install the 11.2 update because the springboard kept repeatedly crashing. On any week, that would be a bad bug. On this week, it's the capstone for an unfortunate series of self-inflicted wounds.
    Your lock analogy is poor. Most people don’t have their Macs out in the open, making them available for anyone to access. Also, if they did, they would be locked via a password, you know, the door lock of our Macs.

    And I see that your personal device was affected. Sorry to hear that but normally people who have problems with their devices don’t get to pen an entire article in a reputable online magazine riddled with hyperbolic phrasing depicting a sky is falling on us Apple users. Most, as in an extremely large number, of us were not affected by the springboard crash and no one was affected by the root password bug. 
    That's the macOS bug - root, the most powerful user your computer can have, more powerful than an admin user, so powerful that Apple has disabled it by default since OS X launched in 2001 - root shipped enabled, without a password. Your computer on High Sierra was open to all, locally and over the network if you had a publicly routable address. If your Mac was out in the open, it was available for anyone to access, regardless of whether or not your user account has a password. Root, the more powerful account, did not have a password. Root is capable of creating, deleting and modifying your admin user without the admin user's password. 

    The lock analogy is apt. 

    To say that no one was affected by it is a bad presumption. If you rely on knowing with certainty that your computer is secure, the only thing you can do here is erase and reinstall. You simply have no idea what actions were taken if someone remotely accessed your computer with the root account. Essentially, if root is enabled and has no password, your computer is not yours to control. That's not hyperbole. You can suspect that you weren't affected by it and carry on as if nothing happened, but that's you gauging your risk and comfort-level, not being 100% certain to a level that can withstand a security audit that your machine wasn't compromised. 

    Last summer, the Mirai botnet compromised a number of webcams and routers which either shipped with a default password in them that could not be changed, or default passwords that the user had not been encouraged to change when setting them up. A Mac root user botnet was possible here, because there was no default password, there was no password at all. 

    I know people will think I'm making more out of this bug than there is. I disagree: if you're at all concerned about the security integrity of your machine, the only way to be sure is to erase. If you're interested in security configurations for macOS, https://csrc.nist.gov/Projects/APPLE-OS-X-SECURITY-CONFIGURATION is a good place to begin reading. 
    edited December 2017 nhughesasdasdwelshdogdocno42
  • Reply 76 of 119
    vmarks Posts: 762 editor
    nhughes said:

    I've been the managing editor of AppleInsider for 8 and a half years...
    Can you explain the decline in the number of posts? Articles used to get hundreds of replies, but nowadays it seems only every now and then an article receives over 30 posts. Most articles are getting single digit posts, making this site feel like a ghost town. There used to be really great discussions on all things tech, which I always loved to read and participate in.
    Apple became successful. 8 years ago, Apple was still the underdog. The iPhone was beginning to get popular, Macs were becoming more prevalent, and Apple fans would congregate at their favorite sites to discuss Apple and all things tech. With Apple's success, the need to have specific places to gather has diminished. You could just as well ask why the MacWorld conference ended, why MacWorld magazine closed up print operations, why MacUser is gone, why MacFixIt is gone, why MacNN is gone, and others I can't recall right now. 
    nhugheswelshdogmuthuk_vanalingam
  • Reply 77 of 119
    tyler82 Posts: 1,102 member
    Apple has put more emphasis on hiring based on skin color and gender identity instead of ability and talent (not that these are mutually exclusive). This is the result of a PC culture run amok.

    Tim Cook has got to go. His five-year grace period is up. He was able to coast on the ideas of Steve after his death, but now it's time for new innovative leadership.
    edited December 2017 mobird
  • Reply 78 of 119
    Some of these "bugs" should never have a chance of existing. The "root" bug should never exist in a UNIX system like Mac OS.

    I suspect someone within Apple is sabotaging Apple. 

    Tim, Phil, and the other heads of Apple need to root out this infiltrator. 


    Occam’s Razor does point to sabotage. It’s the simplest explanation.
  • Reply 79 of 119
    tyler82 said:
    Apple has put more emphasis on hiring based on skin color and gender identity instead of ability and talent (not that these are mutually exclusive). This is the result of a PC culture run amok.

    Tim Cook has got to go. His five-year grace period is up. He was able to coast on the ideas of Steve after his death, but now it's time for new innovative leadership.
    Maybe the issue is that people with talent were excluded specifically for their skin colour/race (watch 'Hidden Figures' as an example) and Tim is leading from the front, making employment merit-based and NOT race/skin-colour-based. Apple is one of the largest companies in the world, with cutting-edge products and a logistics system that is finally catching up with demand. I think Tim is probably doing OK, and he, as the head of Apple, should be promoting equality and meritocracy. That is leadership.

    Cheers Dr Hawk
  • Reply 80 of 119
    vmarks said:
    kruegdude said:
    nhughes said:
    nhughes said:
    Hyperbolic piece, our week after Thanksgiving was joyous and without issue on any of our devices? What are we doing wrong??

    Guessed the byline by the headline. 
    "Major problems did not affect me, therefore they are not major problems."

    I said Apple, the company, had a week that was not joyous. By any measure it was a public relations disaster. I am genuinely glad to hear your week was joyous, though.
    By the same exact token -- just because some people experienced problems doesn't mean many or most did. I've been with family all through and after Thanksgiving, all Apple devices, and none of us were in a living nightmare because none of us experienced any problems. Sure, bugs exist, but the way the techie echo chamber makes it out you'd think everyone's devices were failing everywhere. They aren't.
    If you found out that your front door lock didn't work properly, even though no one actually took advantage of it and broke into your home, would you give the lock company a pass for their mistake? The root bug in macOS is an embarrassment for Apple, and they deserve to be taken to task for it.

    My iPhone X was not affected by the iOS 11.1.2 bug, but my wife's was. Took multiple attempts to install the 11.2 update because the springboard kept repeatedly crashing. On any week, that would be a bad bug. On this week, it's the capstone for an unfortunate series of self-inflicted wounds.
    Your lock analogy is poor. Most people don’t have their Macs out in the open, making them available for anyone to access. Also, if they did, they would be locked via a password, you know, the door lock of our Macs.

    And I see that your personal device was affected. Sorry to hear that but normally people who have problems with their devices don’t get to pen an entire article in a reputable online magazine riddled with hyperbolic phrasing depicting a sky is falling on us Apple users. Most, as in an extremely large number, of us were not affected by the springboard crash and no one was affected by the root password bug. 
    That's the macOS bug - root, the most powerful user your computer can have, more powerful than an admin user, so powerful that Apple has disabled it by default since OS X launched in 2001 - root shipped enabled, without a password. Your computer on High Sierra was open to all, locally and over the network if you had a publicly routable address. If your Mac was out in the open, it was available for anyone to access, regardless of whether or not your user account has a password. Root, the more powerful account, did not have a password. Root is capable of creating, deleting and modifying your admin user without the admin user's password. 

    The lock analogy is apt. 

    To say that no one was affected by it is a bad presumption. If you rely on knowing with certainty that your computer is secure, the only thing you can do here is erase and reinstall. You simply have no idea what actions were taken if someone remotely accessed your computer with the root account. Essentially, if root is enabled and has no password, your computer is not yours to control. That's not hyperbole. You can suspect that you weren't affected by it and carry on as if nothing happened, but that's you gauging your risk and comfort-level, not being 100% certain to a level that can withstand a security audit that your machine wasn't compromised. 

    Last summer, the Mirai botnet compromised a number of webcams and routers which either shipped with a default password in them that could not be changed, or default passwords that the user had not been encouraged to change when setting them up. A Mac root user botnet was possible here, because there was no default password, there was no password at all. 
    That's just plain wrong. A root botnet is virtually no longer possible in macOS. With El Capitan 10.11 Apple introduced "rootless" mode, officially named System Integrity Protection.
    "System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system.

    Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app."

    https://support.apple.com/en-us/HT204899

    As Apple puts it, SIP is designed to prevent malware modifications of critical parts. Interactive modifications by the hand of such a root user still present significant danger, if the intruder gets local or networked physical access to the Mac. That's worth noting again and again.
    vmarks said:
    I know people will think I'm making more out of this bug than there is. I disagree: if you're at all concerned about the security integrity of your machine, the only way to be sure is to erase. If you're interested in security configurations for macOS, https://csrc.nist.gov/Projects/APPLE-OS-X-SECURITY-CONFIGURATION is a good place to begin reading. 
    That NIST article is outdated since it pertains to OS X 10.10 Yosemite only. With OS X 10.11 El Capitan things have significantly changed as explained in the Apple support document above.
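Two posts above make checkable claims: vmarks's point that the bug left root enabled with no password, and the reply that SIP limits what root can do to protected system paths (while, as the reply itself notes, an interactive root login remains dangerous). The script below is an added example written for this thread, not Apple's tooling and not code from any poster: a defender-side audit that classifies the root account from the output of `dscl . -read /Users/root AuthenticationAuthority` and SIP from `csrutil status`. The parsing assumes the output formats those commands produce on High Sierra-era macOS (a missing key or a `;DisabledUser;` authority for disabled root, a `;ShadowHash;` authority for enabled root); the sample strings are constructed, not captured from a real machine, so the logic can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example: audit the root-account and SIP state discussed in the thread.
# Assumption: dscl/csrutil output formats as seen on High Sierra-era macOS.

# Classify the root account from dscl output.
# "No such key" (root has no authentication authority at all) or an authority
# tagged ";DisabledUser;" means root cannot log in. A ";ShadowHash;" authority
# without DisabledUser means root is enabled and must carry a real password.
root_state_from_dscl() {
    case "$1" in
        *DisabledUser*|*"No such key"*) echo disabled ;;
        *ShadowHash*)                   echo enabled ;;
        *)                              echo unknown ;;
    esac
}

# Classify System Integrity Protection from `csrutil status` output.
sip_state_from_csrutil() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Combine the two states into a verdict: exit 0 = acceptable, 1 = needs attention.
# An enabled root account is flagged rather than judged, because the script
# cannot tell from dscl alone whether the password behind the hash is strong.
audit_verdict() {
    root="$1"; sip="$2"; verdict=0
    case "$root" in
        enabled)  echo "root is ENABLED: confirm a strong password is set, or disable it (Directory Utility > Edit > Disable Root User)"; verdict=1 ;;
        disabled) echo "root is disabled" ;;
        *)        echo "root state unknown: inspect the dscl output manually"; verdict=1 ;;
    esac
    case "$sip" in
        enabled) echo "SIP is enabled: root cannot modify protected system paths" ;;
        *)       echo "SIP is $sip: protected system paths are writable by root"; verdict=1 ;;
    esac
    return "$verdict"
}

# Constructed sample outputs (labelled as such; not captured from a real Mac).
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_DISABLED2='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'

# Audit the live system only where the macOS tools exist; elsewhere, show the
# verdict for the constructed "root enabled, SIP on" case.
if command -v dscl >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    live_root=$(root_state_from_dscl "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    live_sip=$(sip_state_from_csrutil "$(csrutil status 2>&1)")
    audit_verdict "$live_root" "$live_sip" || echo "verdict: needs attention"
else
    audit_verdict "$(root_state_from_dscl "$SAMPLE_ROOT_ENABLED")" \
                  "$(sip_state_from_csrutil "$SAMPLE_SIP_ON")" || echo "verdict: needs attention"
fi
```

The verdict deliberately treats "root enabled, SIP enabled" as needing attention: SIP keeps root out of protected system paths, but it does not stop a root session from reading or altering user data, which is why the reply above still calls an interactive root login a significant danger. On an affected machine the remediation order is to install the update, then either keep root disabled or give it a strong password.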