- Joined
- Dec 20, 2006
- Messages
- 27,042
- Reaction score
- 812
- Points
- 113
- Location
- Lake Mary, Florida
- Your Mac's Specs
- 14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Agreed. I am still in stunned disbelief.
macOS High Sierra bug allows Admin access without password
- Thread starter Raz0rEdge
- Start date
Agreed. I am still in stunned disbelief.
- Joined
- Sep 30, 2007
- Messages
- 9,962
- Reaction score
- 1,235
- Points
- 113
- Location
- The Republic of Neptune
- Your Mac's Specs
- 2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Ah nuts. I checked but completely overlooked this sub-forum. I thought it was odd that no one else had seen and reported it yet. #facepalm
- Joined
- Sep 30, 2007
- Messages
- 9,962
- Reaction score
- 1,235
- Points
- 113
- Location
- The Republic of Neptune
- Your Mac's Specs
- 2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
From what I've read, you are re-enabling the flaw by disabling root, even after changing the password.
- Joined
- Dec 20, 2006
- Messages
- 27,042
- Reaction score
- 812
- Points
- 113
- Location
- Lake Mary, Florida
- Your Mac's Specs
- 14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Seriously... wow. How has Apple not patched this thing yet??!?
- Joined
- Sep 30, 2007
- Messages
- 9,962
- Reaction score
- 1,235
- Points
- 113
- Location
- The Republic of Neptune
- Your Mac's Specs
- 2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
It gets better. If you read through the comments for the Ars Technica article I linked to, someone casually posted a comment in Apple's developer forums 2 weeks ago using this bug as a solution to login issues. So it wasn't suddenly discovered yesterday.... it's been known for who knows how long.
https://forums.developer.apple.com/thread/79235#277225
Apple has issued a security update today to patch this.
https://arstechnica.com/gadgets/2017/11/new-security-update-fixes-macos-root-bug/
- Joined
- Dec 20, 2006
- Messages
- 27,042
- Reaction score
- 812
- Points
- 113
- Location
- Lake Mary, Florida
- Your Mac's Specs
- 14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Unbelievable! I mean, this is just inexcusable -- can you imagine the fallout if Microsoft left such a severe security hole unpatched for nearly 24 hours (since it was very publicly announced)?
Thanks for that.... I've been scanning my updates periodically, just grabbed it now. But really, if heads aren't rolling at Apple, they should be. This is one of the largest technology companies in the world, I can't understand how this even happens.
- Joined
- Jan 1, 2014
- Messages
- 629
- Reaction score
- 52
- Points
- 28
- Your Mac's Specs
- MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
I've just installed the patch and tested it...
The patch does disable the root account, mine was enabled with password, and blank PWD does not work. Well, at least not after five tries. Yes, my honey-moon with macOS is over by now...
The patch does disable the root account, mine was enabled with password, and blank PWD does not work. Well, at least not after five tries. Yes, my honey-moon with macOS is over by now...
- Joined
- Oct 16, 2010
- Messages
- 17,541
- Reaction score
- 1,576
- Points
- 113
- Location
- Brentwood Bay, BC, Canada
- Your Mac's Specs
- 2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
Hmmm… typical erroneous Kim Komando type statement at the time with a posted subject showing "..-flaw-is-fixed" in the link.
But apparently has been now with a recent Apple Update update.
Opps, sorry Ashwin, I missed your earlier post somehow…
- Patrick
======
- Joined
- Oct 16, 2010
- Messages
- 17,541
- Reaction score
- 1,576
- Points
- 113
- Location
- Brentwood Bay, BC, Canada
- Your Mac's Specs
- 2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
I've just installed the patch and tested it...
The patch does disable the root account, mine was enabled with password, and blank PWD does not work. Well, at least not after five tries. Yes, my honey-moon with macOS is over by now…
Mmmm…??? And to think I've been running my Macs for well over ten years without a username password.
It's actually quite nice not being nagged all the time but I do have to hit a keyboard key when asked.
But not quite the same only using the Macs in a private household with only my wife as company compared to other situations.
- Patrick
======
- Joined
- Jan 1, 2014
- Messages
- 629
- Reaction score
- 52
- Points
- 28
- Your Mac's Specs
- MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
I've only got a MacBook for supporting my clients, who have Mac and/or MacBook. Since my wife uses it for business purposes only by now, it is kept up to date and I can also learn things.Also dumped my Windows smartphone since despite the fact that I offered no support for iPhones, my clients kept asking me for helping them with the iPhones and pretty much had no choice. I missed my Windows 8.1 smartphone....Mmmm…??? And to think I've been running my Macs for well over ten years without a username password.
It's actually quite nice not being nagged all the time but I do have to hit a keyboard key when asked.
But not quite the same only using the Macs in a private household with only my wife as company compared to other situations.
- Patrick
======
Here's a detailed look at the background for this bug, very detailed and easy to read:
https://objective-see.com/blog/blog_0x24.html
Coming from the Windows world, I didn't anticipate that macOS will start to look a lot like Windows. It's a harsh sentence and probably over the board, but I think that Apple should listen...
- Joined
- Dec 20, 2006
- Messages
- 27,042
- Reaction score
- 812
- Points
- 113
- Location
- Lake Mary, Florida
- Your Mac's Specs
- 14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
It's one thing to have no password on your account, it's another to allow a low-level system account that has completely unfettered access to go without a password. I believe OS X will still prompt you for administrator credentials even with no password.... but root is another story. As I said before, one doesn't need physical access to exploit a security flaw like that. All I have to do is get you to double-click on something as simple as a script that installs a service that runs as root. Then, I have a backdoor into your machine and I can make it do my bidding. Or, I can simply peruse your machine remotely to find files that I deem of value for any number of nefarious purposes.
Disabling root and setting a password is security for *nix 101. I can't even remember the last Linux distro I saw with a root account that allowed interactive sessions, it's probably been close to 20 years.
Disabling root and setting a password is security for *nix 101. I can't even remember the last Linux distro I saw with a root account that allowed interactive sessions, it's probably been close to 20 years.
- Joined
- Jan 4, 2005
- Messages
- 30,133
- Reaction score
- 703
- Points
- 113
- Location
- Modesto, Ca.
- Your Mac's Specs
- MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
I still can not understand why my iMac would not log me into root like that but who knows. It's obvious there was a fault and for many it did work. A patch did show up for it in software update on the imac and it's installed.
Also thank you Cr00zng for posting that URL. That showed exactly what it did and how it got in. Excellent info.
Also thank you Cr00zng for posting that URL. That showed exactly what it did and how it got in. Excellent info.
- Joined
- Jun 12, 2011
- Messages
- 9,697
- Reaction score
- 1,885
- Points
- 113
- Location
- Melbourne, Australia and Ubud, Bali, Indonesia
- Your Mac's Specs
- 2021 M1 MacBook Pro 14" macOS 14.4.1, Mid 2010MacBook 13" iPhone 13 Pro max, iPad 6, Apple Watch SE.
There you go Dennis, tha advantages and disadvantages of not upgrading but I guess you've gone as far as you can. This morning i read an artical on iMore that states that the patch released by Apple for this "root" threat may have caused file sharing issues for some and they have published a fix for this. http://rss.tapatalk.com/aHR0cHM6Ly9...vbmVCbG9n/?p=004d2ec0fcec374c9d6499d9463b2733
- Joined
- Jun 12, 2011
- Messages
- 9,697
- Reaction score
- 1,885
- Points
- 113
- Location
- Melbourne, Australia and Ubud, Bali, Indonesia
- Your Mac's Specs
- 2021 M1 MacBook Pro 14" macOS 14.4.1, Mid 2010MacBook 13" iPhone 13 Pro max, iPad 6, Apple Watch SE.
P.S. I didn't even know Apple had released a patch, shows how far behind I am.
- Joined
- Dec 20, 2006
- Messages
- 27,042
- Reaction score
- 812
- Points
- 113
- Location
- Lake Mary, Florida
- Your Mac's Specs
- 14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
- Joined
- Sep 30, 2007
- Messages
- 9,962
- Reaction score
- 1,235
- Points
- 113
- Location
- The Republic of Neptune
- Your Mac's Specs
- 2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
I think I just heard an echo
It gets better. I installed the update immediately when I saw it yesterday. This morning, I saw the update was posted AGAIN! I now have "Security Update 2007-001" installed twice. Because this bug is so severe, that patching it twice is the only way to be sure?
- Joined
- Oct 16, 2010
- Messages
- 17,541
- Reaction score
- 1,576
- Points
- 113
- Location
- Brentwood Bay, BC, Canada
- Your Mac's Specs
- 2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
Or maybe you get one for each of the bugs???
One for the "root login" vulnerability and one to fix the possible "sharing" goof up???
- Patrick
======
Shop Amazon
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.