Apple on Wednesday released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password.
You can file this one under the ol’ “face palm – how the h3ll did this make it out to production?” category.
As a software development professional with over 25 years of experience, it really makes me wonder sometimes… It’s a question that, as a Quality Assurance professional, you never want to ask, or have someone ask YOU; but when the item in question is this blatant, you really can’t help it.
Recently, a bug in macOS 10.13 High Sierra was discovered that allowed anyone – literally, anyone – with physical access to your Mac to log in with root permissions, whether they had an account on the computer or not.
Root is a super user level of access. Someone with root or super user access can do anything and EVERYTHING to your Mac, despite any and ALL security settings you’ve made or apps you’ve installed. They can burn down your entire world with root access… and there isn’t anything on the computer that can stop them.
Now, there are a few things you should know about this.
1. As of this writing, this should no longer be an issue. Apple has released a security update, Security Update 2017-001, and it will update your High Sierra build number to 17B1002 after it installs.
2. As of this writing, the update will come down and install automatically. You won’t see an update notification or red bubble on the App Store indicating an update is available. It’s going to install automatically when you restart your Mac. Period. You don’t get a choice.
I wanted to get that in front of everyone before I relay the following comment – I’ve seen this defect in action, and it was totally devastating.
In fact, it was a bit more than that. I’ve never seen such an easily exploitable, completely revealing security vulnerability like this… ever.
I have access to a Mac with a standard (non-admin) account. I don’t know the admin password on this box, so I couldn’t cheat on it at all. With the above vulnerability active on that Mac, I was able to bypass the administrator’s credentials and make changes to my standard account as if I were an admin, and I didn’t even need a password.
As I understand it, there wasn’t a secret account or other access point on your computer. When you tried to log in as root without a password, High Sierra wouldn’t let you in. The bug, however, occurred when you retried logging in as root without a password. After multiple tries, it somehow enabled the root account, with no password set. At that point, you had access to absolutely everything on the computer. When macOS again prompted you for any kind of admin permissions, simply entering “root” as the user name, again without a password, got you authenticated.
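A read-only check for the two things described above: whether a Mac carries the build that Security Update 2017-001 leaves behind (17B1002 or later), and whether the root account has ended up with a password hash set, which is the state the bug left it in. This is an added example, not code from the post or from Apple; the dscl output it recognises ("No such key" for a disabled root account, ";ShadowHash;" for an enabled one) and the sample build numbers in the comments are assumptions.

```shell
# Added example, not from the original post. Two read-only checks on a
# High Sierra Mac: is the build 17B1002 or later, and does the root
# account currently carry a password hash (i.e. has it been enabled)?
split_build() {   # "17B1002" -> "17 B 1002"
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)([A-Z])([0-9]+).*$/\1 \2 \3/'
}

# build_at_least CURRENT REQUIRED: prints yes/no. Compares the Darwin
# major, then the train letter (by ASCII code), then the build number,
# so 17B1002 ranks above a sample 17B48 even though it sorts lower as text.
build_at_least() {
    set -- $(split_build "$1") $(split_build "$2")
    cur=$(printf '%d' "'$2"); req=$(printf '%d' "'$5")
    if [ "$1" -ne "$4" ]; then
        [ "$1" -gt "$4" ] && echo yes || echo no
    elif [ "$cur" -ne "$req" ]; then
        [ "$cur" -gt "$req" ] && echo yes || echo no
    else
        [ "$3" -ge "$6" ] && echo yes || echo no
    fi
}

# high_sierra_status BUILD: patched, vulnerable, or not-high-sierra.
# Only Darwin 17 (macOS 10.13) builds are in scope for this bug.
high_sierra_status() {
    major=$(split_build "$1" | cut -d' ' -f1)
    if [ "$major" -ne 17 ]; then echo not-high-sierra
    elif [ "$(build_at_least "$1" 17B1002)" = yes ]; then echo patched
    else echo vulnerable
    fi
}

# root_state OUTPUT: classify `dscl . -read /Users/root AuthenticationAuthority`.
# Assumption: a disabled root account answers "No such key: ..."; an
# enabled one (password set, as the bug left it) lists ;ShadowHash;.
root_state() {
    case "$1" in
        *"No such key"*) echo disabled ;;
        *ShadowHash*)    echo enabled ;;
        *)               echo unknown ;;
    esac
}

# Live run only where the macOS tools exist; a no-op elsewhere.
if command -v sw_vers >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    b=$(sw_vers -buildVersion)
    echo "build $b: $(high_sierra_status "$b")"
    echo "root account: $(root_state "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")"
fi
```

If the root account reports "enabled" on a machine where nobody set a root password deliberately, that is the state this bug produced and is worth investigating.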
As I mentioned, this was probably the easiest “hack” I’ve ever done. You didn’t need any coding or any kind of technical knowledge. All you needed was physical access to the computer and the ability to spell the word, “root.”
Thankfully, the hole has been patched; and it was patched, as I mentioned, via a silent, forced update that, to my understanding, Apple has used only once before. You didn’t get the opportunity to decline this update, and Apple applied it to your system without asking for permission, without requesting a restart of your machine, and really without your knowledge. It simply got installed and then silently applied when you either rebooted or turned your Mac on.
The only evidence that something had happened was a notification bubble that showed up a day or so later letting you know that the update had been installed.
To be honest, I wasn’t happy with the news that this vulnerability was published, and I wasn’t happy with the way it was resolved, either. I wouldn’t have been upset with a “required” update that would have been installed without me getting a say in its installation IF Apple had told me that it was installing it. I don’t like the fact that Apple can just push an update to my PC and I can’t prevent it from installing, or even know that it was installed until AFTER it was installed.
That’s just as bad as the vulnerability existing in the first place.
In the future, I really wish Apple would be a bit more sensitive in situations like this. I *DO* understand why they did what they did. This was a serious bug that had to be resolved for everyone running High Sierra. However, I don’t like it when vendors force me to take an update and don’t tell me that it’s going to install or give me an option to postpone the update. People have been screaming about situations like that on the Windows side of the world since Windows 10 was released a few years ago. Just because Microsoft does it, doesn’t make it ok.
Did you happen to see this bug in action? Did you happen to play with it at all prior to Apple plugging the hole? Did the update reveal itself to you via the App Store, or did you get the silent version of the update shoved at you like most of the world did?
Why don’t you meet me in the Discussion Area below, and give me your thoughts on the whole thing?
The post Apple Issues Security Update for High Sierra Root User Bug appeared first on Soft32 Blog.