Apple scrambles to fix a major security issue on their High Sierra OS

Apple is currently working to fix this flaw

Yesterday, a major flaw in Apple's latest version of macOS (High Sierra) became public knowledge. It allows anyone to access notebooks without a password and attain administrator privileges.

The flaw became known to the public after a Turkish developer called Lemi Ergin tweeted Apple about the issue, which had been discovered at his workplace the previous week.

Accusations of irresponsible disclosure have been flying at Ergin across the internet, though in a personal blog post this morning he stated that the flaw had already been reported online in several locations, including Apple's Developer Forum on November 13th. His tweet was meant to ensure that Apple was aware of the issue, though sadly it became highly publicised, making hackers and end users alike aware of the problem.

Regardless of pre-existing knowledge of this issue online, Ergin should have contacted Apple privately before making the exploit public on Twitter. His actions have released potentially dangerous information to the public, though his mistake can be attributed to his lack of knowledge when it comes to computer security and proper procedures. 


A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues get back into their local admin account. They noticed the issue and used the flaw to get the user’s account back. On Nov 23, they informed Apple about it. They also searched the internet and saw the issue mentioned in a few places already, even in the Apple Developer Forum on Nov 13. It seems the issue has already been revealed, but probably Apple has not been noticed yet.
Yesterday they informed me about the problem in order to set the root password on my machine. I saw the security issue with my eyes, that was unbelievable!
Then I decided to inform Apple via Twitter. The issue was very serious. It has already been mentioned in forums and revealed in public a few weeks ago. I thought I had to ask Apple “are you aware of it?”.

  
Users of macOS devices can secure their systems by setting a password for their device's "root" account. Right now, this is the only known fix for this issue until Apple officially patches the OS. Instructions on how to do this are available here

This exploit is hugely embarrassing for Apple, who have long heralded their devices as being safer and more secure than Windows. The company has stated that they are currently working to fix this problem. 

You can join the discussion on Apple's major password bug on the OC3D Forums.  


Most Recent Comments

29-11-2017, 08:10:13

GiantKiwi
And Apple's method of the "fix" doesn't work (i.e. through the GUI). Tried it on 3 separate machines at work this morning, and a system restart will reset the changes. Only way to guarantee it will retain the changes is to do:

cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw

29-11-2017, 08:13:17

AlienALX
So you need to reinstall it? FFS. I had this issue with Sierra, too! I upgraded the laptop to Sierra, then every sodding time I rebooted it said "You have just updated your firmware". Only way to make it go away was a reinstall. I've only just installed HS FFS. This is not why I bought an Apple laptop! I didn't want the headaches LOL.

29-11-2017, 08:15:59

GiantKiwi
Quote:
Originally Posted by AlienALX View Post
So you need to reinstall it? FFS. I had this issue with Sierra, too! I upgraded the laptop to Sierra, then every sodding time I rebooted it said "You have just updated your firmware". Only way to make it go away was a reinstall. I've only just installed HS FFS. This is not why I bought an Apple laptop! I didn't want the headaches LOL.
I added some clarification to the end of my post, but clearly not quick enough - just run this in terminal:

cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 60 | xargs -I rootpw sudo dscl . -passwd /Users/root rootpw

As you should never actually need the root password, having it generate a random password won't be an issue. It's just one of the many quirks with macOS's GUI ACL, post Lion.

29-11-2017, 08:42:02

AlienALX
I will be back on mine Friday. Thanks for posting that, will do it when I get to my mother's

29-11-2017, 13:50:04

barnsley
Give root a password to temporarily stop the issue. Especially if you remote in to your Mac from home/work

In terminal type:
sudo passwd -u root



The patch is out btw. Not that half the Mac users in the world ever seem to update their devices. Although the same could be said for every OS..