macOS High Sierra root password is blank.
BBC:

[...]

The bug was discovered by Turkish developer Lemi Ergin.

He found that by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine.

Mr Ergin faced criticism for apparently not following responsible disclosure guidelines typically observed by security professionals.

Those guidelines instruct security experts to notify companies of flaws in their products, giving them a reasonable amount of time to fix the flaw before going public.

Mr Ergin did not respond to those claims when asked on Twitter, and the BBC was unable to reach him on Tuesday.

Apple would not confirm or deny whether it knew about the flaw beforehand.

The exploit

Considering the power it gives, the bug is remarkably simple, described by security experts as a "howler" and "embarrassing".

The flaw affects Apple's newest Mac operating system

Those with root access can do more than a normal user, such as read and write the files of other accounts on the same machine. A superuser could also delete crucial system files, rendering the computer useless - or install malware that typical security software would find hard to detect.

Thankfully, the bug cannot be exploited remotely, meaning an attacker would have to have physical access to a computer. That said, someone who gained remote access through other means would be able to use the flaw to control the machine it had access to.

The timing of the disclosure presents a major issue to Apple as it now must hurriedly put in place a fix before the vulnerability can be exploited by criminals.

[...]


Ooops. :-/

Cheers,
Scott.
Your subject is incorrect(ish)
The problem is not that the password is blank.

By default, MacOS ships with the root account disabled. This is right and proper. The password is blank. This is also right and proper.

The problem is that attempting to log in as root enables the root account and then lets you in with the blank password.

That is not right and proper.

It's a complete and utter fuck-up, and indicates that Apple have learnt little about testing software since the humiliation of the GotoFail bug.

ETA: The people whining about "responsible disclosure" can go fuck themselves too, because this exact thing was posted on Apple's own support forums as a method of recovering from a lost password:

https://forums.developer.apple.com/thread/79235#277225

EETTAA: PSA: This is effectively a remote root exploit which doesn't need a password. You can mitigate the risk by manually enabling the root account and then setting a strong password.

EEETTTAAA: Contrary to the BBC story's assertion that it's not remotely exploitable, there are reports of this working remotely including via SSH.
Edited by pwhysall Nov. 29, 2017, 10:52:29 AM EST
Edited by pwhysall Nov. 29, 2017, 10:55:45 AM EST
Edited by pwhysall Nov. 29, 2017, 11:59:23 AM EST
Thanks.
Interesting thread, also too.

We haven't updated our Macs at home to High Sierra yet. Will have to think on this...

Cheers,
Scott.
FWIW the fix is already out.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
And installed on my MacBook! :)
Apple is getting terribly sloppy.
Alex

"There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

-- Isaac Asimov
It goes beyond the root account
http://www.theregister.co.uk/2017/11/29/apple_macos_high_sierra_root_bug_patch/

The flaw works against any account that does not have a shadow password set. Although the root hole is the worst, setting a strong password on that account alone leaves services vulnerable.
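Following the Register's point that the exposure depends on whether an account has a shadow password hash, here is an added audit script (not from the thread or from Apple) that lists local accounts lacking one so an administrator can set passwords on them. It assumes macOS's `dscl` is present and that a password-holding local account carries `ShadowHash` in its `AuthenticationAuthority` attribute; the sample attribute strings at the bottom are constructed for the offline demo.

```shell
#!/bin/sh
# Classify one account from the text dscl prints for its
# AuthenticationAuthority attribute. Constructed example, not Apple's code.
#   has-password : a ShadowHash entry is present
#   no-password  : attribute absent (dscl reports "No such key") or empty
#   unknown      : something else; inspect by hand
check_auth_authority() {
  case "$1" in
    *ShadowHash*)          echo "has-password" ;;
    *"No such key"*|"")    echo "no-password" ;;
    *)                     echo "unknown" ;;
  esac
}

# Walk every local account and print "<user><TAB><status>".
# Only meaningful on macOS; elsewhere it reports that dscl is missing.
audit_local_users() {
  command -v dscl >/dev/null 2>&1 || {
    echo "dscl not found: this audit only runs on macOS" >&2
    return 2
  }
  dscl . -list /Users | while read -r user; do
    # dscl writes "No such key" to stderr, so merge the streams.
    attr=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>&1)
    printf '%s\t%s\n' "$user" "$(check_auth_authority "$attr")"
  done
}

# Offline demo on constructed attribute strings (shapes seen on real Macs,
# hash material omitted). On a Mac, run audit_local_users instead and set a
# password on every account reported as no-password, root included.
demo() {
  check_auth_authority 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
  check_auth_authority 'No such key: AuthenticationAuthority'
  check_auth_authority 'AuthenticationAuthority: ;DisabledUser;'
}
demo
```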
Thanks for the pointer.
I used to read TheReg every day, now I rarely do. Too little time, too many other distractions...

Cheers,
Scott.
You're not missing much
It's a crappy link aggregator much of the time, with the odd shouty rant.

Not a shadow of its former self, sadly.
Only thing I still read is BOFH
--

Drew
And the BOFH kind of lost its way years ago and never really recovered. :-/
Not what it used to be
The body count is getting a bit past satire at this point.
--

Drew
Edited by drook Dec. 1, 2017, 05:49:36 PM EST
The BOFH and the PFY come across as just mean, now.
When Convenience overwhelms Security.
I recall Microsoft used to have this problem.

Wade.
There is something wrong at Apple
...with specific respect to testing.

The GotoFail bug from 2014 was pretty egregious - all sorts of non-controversial methods could and should have caught it (checking for repeated lines of code, which should be inspected; checking for unreachable code; actually fucking testing that an invalid certificate didn't fucking work, etc.) and the speed with which Apple has turned round the fix would indicate that this is similarly sloppy and easily fixed.

There was the APFS password hint bug. https://hackernoon.com/new-macos-high-sierra-vulnerability-exposes-the-password-of-an-encrypted-apfs-container-b4f2f5326e79
There was the keychain bug. http://mashable.com/2017/09/26/apple-mac-os-high-sierra-password-exploit/?utm_cid=a-seealso

Not to mention a raft of less critical but still annoying bugs - the random restart/freeze bug would not generate good cheer, for example.

(I found an interesting analysis of the APFS password hint bug, and I'll update this post when I find it again. tl;dr: it's just as idiotic as the GotoFail bug - ETA link https://objective-see.com/blog/blog_0x23.html - it's another copy/paste error)

Apple is an organisation with no excuses - it has the resources and the talent to do this properly. This is a question of management priorities. Whatever Apple says about its commitment to security is irrelevant; the facts are there for all to see.
Edited by pwhysall Nov. 30, 2017, 04:00:09 AM EST
And they broke the fix
There are unconfirmed reports that the patch breaks certain configurations of SMB file sharing:

https://arstechnica.com/civis/viewtopic.php?p=34406677#p34406677

This security update breaks SMB file sharing if you don't have the "Less secure" password setting turned on. If you don't have that setting turned on and try to connect to a patched Mac, your password will not be accepted. Quality work, Apple.
It's been that way for a long time.
A friend bought a 1U MacOS Server machine for work. It was nice, but the fans were very loud. He said all kinds of simple yet important things related to account permissions, IIRC, would break whenever he updated the OS. It was as if they had done no testing at all before rolling it out.

As you say, they've got no excuse. But it shows that they continue to not really care about macOS.

Cheers,
Scott.