Apple red-faced after major macOS bug found
Apple has released an update for a major and embarrassingly easy-to-exploit security flaw in its High Sierra operating system, the latest release of macOS, that allows anyone to gain root access to a system without entering a password.
The vulnerability involves gaining access to a Mac running the operating system by entering the user name “root” with no password and hitting enter several times.
This vulnerability was first discovered by Turkish software engineer Lemi Orhan Ergin and has since been confirmed in multiple tests.
While the originally reported issue requires physical access to a macOS system, Centrify’s director of product management warned in a blog post that the bug can also allow access through the login screen or screensaver lock screen for Active Directory-joined Macs used in an enterprise.
“This is much more significant than the originally reported issue because it allows an admin to elevate privileges by unlocking system preferences,” he said.
“In addition, if a Mac user has ‘screen sharing’ enabled — perhaps from a previous IT support issue — the root login can be used to remotely view the user’s screen without them knowing, or login remotely.”
He pointed out that while Apple was quick to issue a fix for the vulnerability, it highlights a fundamental but ignored gap in enterprise security.
“For many companies, the practice of re-using the same local admin password for every endpoint, and rarely, if ever, changing it, continues to be common practice. If that password becomes exposed through phishing or credential theft then the attacker has unfettered access to every endpoint in the organisation,” he said.
“All local admin accounts — including the root account on Macs — should have unique passwords that are randomly created and regularly rotated.”
In an advisory, Apple attributed the vulnerability to a “logic error” that has been addressed with improved credential validation. A patch is being automatically pushed out to High Sierra users, who will have to re-enable the root user and change the root user password if they require root access.