
High Sierra security hole of Biblical proportions



Apple outdid themselves on this one.

 

If you are running High Sierra (the latest macOS), in a login window, try entering

 

user: root

password:  <nothing, just hit the return key>

 

It will create a root user account and log you in.  Just like that.  You can now have access to everything on the computer, and have the power to wipe it all out or alter anything.

 

 


Maybe I am to blame.  For years not caring for the Mac side of things, I became fed up with Windows updates taking priority over my hardware vs what I wanted my hardware to do. The final straw was an update in progress, unannounced, that delayed recording music for nearly 30 minutes.  So I reluctantly purchased a Mac.  Which seems better than I expected.  Still like Linux better, but I have some gear that is Windows or Mac only.  

 

So after a week on Sierra I decide to go with High Sierra.  Then what like two weeks later issues with High Sierra result in a .1 update.  Though my Mac was working fine for my needs.  Then on the .1 update I do have a few issues with a recording interface.  Fortunately Antelope audio fixed that in another week.  Now I saw this yesterday.  I must say, this feels very Microsoftish, very Windows-esque so far.  I sure hope that does not become the norm.  :(

 

BTW, turning off the guest account worked on my machine.  

And always keep in mind: Cognitive biases, like seeing optical illusions are a sign of a normally functioning brain. We all have them, it’s nothing to be ashamed about, but it is something that affects our objective evaluation of reality. 


This is one of the more stunning vulnerabilities I've ever seen (and I've been working around Mac security for more than 15 years). In addition, the way this was made public is just stupid; the guy who discovered this is a developer, and should have reported it privately to Apple. He put a lot of people at risk, and it will take several days for Apple to push out an update for this bug, because they need to test it to make sure it doesn't break anything. 

I write about Macs, music, and more at Kirkville.

Author of Take Control of macOS Media Apps

Co-host of The Next Track podcast.


My Macs are set to display a list of users at login.  When the computer is locked I see no way to log in as root.  Am I missing something, is there some key combination that allows the user to still be specified?

 

My machines are always locked when I walk away.  I'm not as concerned about the elevated privileges login prompt after unlock.

Roon Rock->Auralic Aria G2->Schiit Yggdrasil A2->McIntosh C47->McIntosh MC301 Monos->Wilson Audio Sabrinas

8 hours ago, Ralf11 said:

lack of testing before they rushed this downgrade out the door

 

I'm one of the beta testers.  I didn't catch it.

 

By default, root on OS X is disabled, and those who need to do Rooty things have sudo

 

Since I never enabled root (no need, security vulnerability), I never would have thought to test this.

 

The thing is someone presumably built this into the code, because the vulnerability didn't previously exist in earlier OS X versions.

 

I've been using OSX since 10.0.0.3.  Before that, I used operating systems like SGI Irix.  This was a major improvement.  (So was Linux.)  As far as I can remember, everything worked extremely well until we got to OS X version 10.7, which was in essence Apple's Vista.

 

Also, I think the number of hardware problems really increased after they switched over to intel processors.

2 hours ago, Dr Tone said:

My Macs are set to display a list of users at login.  When the computer is locked I see no way to log in as root.  Am I missing something, is there some key combination that allows the user to still be specified?

 

My machines are always locked when I walk away.  I'm not as concerned about the elevated privileges login prompt after unlock.

 

In that list of users, click "Other"

 

Then for user, enter "root"

 

For password, just hit the return key.  (You might have to do this a few times.)

 

If you have remote display enabled, post your IP address, and I can probably log into root remotely.

 

(Fortunately, ssh has the root account disabled by default, but if anyone got into any other account via ssh, then "su root" would get them full access.)

 

5 hours ago, kirkmc said:

This is one of the more stunning vulnerabilities I've ever seen (and I've been working around Mac security for more than 15 years). In addition, the way this was made public is just stupid; the guy who discovered this is a developer, and should have reported it privately to Apple. He put a lot of people at risk, and it will take several days for Apple to push out an update for this bug, because they need to test it to make sure it doesn't break anything. 

 

Maybe he did, and they wouldn't listen (which seems to be official Apple policy now).  My guess is the folks who gave us Brexit and Dotard already knew.

5 minutes ago, wgscott said:

In that list of users, click "Other"

 

There is no list just my one and only log in waiting for password.  No way to choose another user at all that I can see.

 

I don't have guest enabled which might be the difference?

Roon Rock->Auralic Aria G2->Schiit Yggdrasil A2->McIntosh C47->McIntosh MC301 Monos->Wilson Audio Sabrinas

4 minutes ago, Dr Tone said:

 

There is no list just my one and only log in waiting for password.  No way to choose another user at all that I can see.

 

If you want to test it to see if you have the problem, go to System Preferences > Users and Groups, and then to Login Options.  Set it to display name and password:

 

 

[Screenshot: System Preferences > Users & Groups > Login Options, with the login window set to display name and password]

Then log out, and try to log in as root with no password.

 

On my iMac (a fresh install, FWIW), it created a root account and then logged me in, doing the stuff it does when you create a new user account, except this one is fully unprotected root.  (When I open a terminal window in that account, I get the root shell, for example, with no additional password protection).

 

If you got in, then the best fix for now is to set a root password (pick anything hard).  Don't deactivate the root account, because the problem will just re-emerge upon a reboot.
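The post above boils down to two defender-side actions: find out what state the local root account is in, and if it has no stored password, give it one rather than deactivating it. The script below is an added example written for this thread; it is not code from any poster or from Apple. It classifies the output of `dscl . -read /Users/root AuthenticationAuthority` (the "No such key" and ";ShadowHash;" / ";DisabledUser;" strings it matches on are assumptions about what that command prints, and the sample outputs in the comments are constructed), flags a 10.13.x install as one that should have the security update verified, and maps each state to the thread's recommendation. On anything other than macOS the live audit is skipped so the classification helpers can still be exercised.

```shell
#!/bin/sh
# Added example, not from the thread: audit the local macOS root account.
# The thread's advice is "set a root password, don't deactivate the account,
# and install the security update"; this script reports which of those apply.
# ASSUMPTION: the attribute name and the marker strings matched below are
# what `dscl` prints for the root record on a typical install.

# classify_root_auth TEXT
#   TEXT is the combined stdout+stderr of
#     dscl . -read /Users/root AuthenticationAuthority
#   Prints one of:
#     disabled      - no AuthenticationAuthority at all (root never enabled)
#     disabled-user - the authority carries a ;DisabledUser; marker
#     password-set  - a ;ShadowHash; authority exists, so a password is stored
#     unknown       - anything else; inspect by hand
classify_root_auth() {
    text="$1"
    case "$text" in
        *"No such key: AuthenticationAuthority"*) echo "disabled" ;;
        *";DisabledUser;"*)                       echo "disabled-user" ;;
        *";ShadowHash;"*)                         echo "password-set" ;;
        *)                                        echo "unknown" ;;
    esac
}

# is_high_sierra VERSION
#   True for a 10.13.x product version string, the release this thread is
#   about; every other version is out of scope for this check.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# advice STATE
#   Map a classification to the action the thread recommends.
advice() {
    case "$1" in
        password-set)
            echo "ok: root has a stored password; keep it and apply the security update" ;;
        disabled|disabled-user|unknown)
            echo "action: set a root password with 'sudo passwd root' (do not just deactivate root) and apply the security update" ;;
    esac
}

# audit_live
#   Run the real query on macOS; on other systems report and do nothing.
audit_live() {
    [ "$(uname -s)" = "Darwin" ] || { echo "not macOS; nothing to audit"; return 0; }
    ver="$(sw_vers -productVersion)"
    if is_high_sierra "$ver"; then
        echo "macOS $ver: High Sierra, verify the security update is installed"
    fi
    # Constructed sample of what this query returns when a password is set:
    #   AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
    out="$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
    state="$(classify_root_auth "$out")"
    echo "root account state: $state"
    advice "$state"
}

audit_live
```

Run it as an ordinary user; `dscl . -read` needs no privileges, only the remediation (`sudo passwd root`) does. Checking for `;DisabledUser;` before `;ShadowHash;` is deliberate: a record can carry both markers, and the thread's point is that a deactivated root account is not a fix, so that combination is still reported as needing a password.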


Oh I trust the problem is there, I'm just trying to figure out how it affects me till it's fixed and it seems that it doesn't as long as I don't leave my computer unattended.

Roon Rock->Auralic Aria G2->Schiit Yggdrasil A2->McIntosh C47->McIntosh MC301 Monos->Wilson Audio Sabrinas

16 minutes ago, Dr Tone said:

Oh I trust the problem is there, I'm just trying to figure out how it affects me till it's fixed and it seems that it doesn't as long as I don't leave my computer unattended.

 

I suggest just doing the security update.

 

If you are at home or in a locked office behind a firewall (I am counting on that), or don't have ssh or remote screen sharing activated, you probably are ok, but the problem with this kind of exploit is that nefarious evildoers could easily prove my speculation wrong.  If someone does gain access, they could in principle create a back door (like a hidden admin user account or something that could give them future access).  The safest thing is to do a clean install.  I won't bother. (The one computer where this happened to me is one that I just wiped clean and that needs a new power supply or something, so I'll probably do a backup/restore from the last 10.12.X.)

 

I thought of another way you could test it -- just put "root" in the access window for anything that requires sys admin access, and nothing for the password.  You probably would have to do this twice.  But at this point, why bother?

4 minutes ago, wgscott said:

I suggest just doing the security update.

 

If you are at home or in a locked office behind a firewall (I am counting on that), or don't have ssh or remote screen sharing activated, you probably are ok, but the problem with this kind of exploit is that nefarious evildoers could easily prove my speculation wrong.

 

Yah did the updates a bit ago.  I do have screen sharing on at home but not through iCloud (Back to my Mac) or open router ports, a VPN connection is required to use it.

Roon Rock->Auralic Aria G2->Schiit Yggdrasil A2->McIntosh C47->McIntosh MC301 Monos->Wilson Audio Sabrinas

1 hour ago, Ralf11 said:

Do you know how long high sierra was in beta?

 

 

as for Intel CPUs, I hear rumors that will change...

 

I installed the first public beta around July.  They release to developers that make the $100 ransom payment first.

 

I shall look forward to the future incompatibility headaches.

