Apple Issues Security Update for High Sierra Root User Bug

Apple on Wednesday released a special security update for macOS High Sierra, fixing a recently uncovered flaw that let anyone gain root access without entering a password.

You can file this one under the ol’ “face palm – how the h3ll did this make it out to production?” category.

As a software development professional with over 25 years of experience, it really makes me wonder sometimes… It’s a question that, as a Quality Assurance professional, you never want to ask, or have someone ask YOU; but when the item in question is this blatant, you really can’t help it.

Recently, a bug in macOS 10.13 High Sierra was discovered that allowed anyone – literally, anyone – with physical access to your Mac to log in with root permissions, whether they had an account on the computer or not.

Root is a super user level of access. Someone with root or super user access can do anything and EVERYTHING to your Mac, despite any and ALL security settings you’ve made or apps you’ve installed. They can burn down your entire world with root access… and there isn’t anything on the computer that can stop them.

Now, there are a few things you should know about this.

1. As of this writing, this should no longer be an issue. Apple has released a security update, Security Update 2017-001, and it will update your High Sierra build number to 17B1002 after it installs.
2. As of this writing, the update will come down and install automatically. You won’t see an update notification or red bubble on the App Store indicating an update is available. It’s going to install automatically when you restart your Mac. Period. You don’t get a choice.

I wanted to get that in front of everyone before I relay the following comment – I’ve seen this defect in action, and it was totally devastating.


In fact, it was a bit more than that. I’ve never seen such an easily exploitable, completely revealing security vulnerability… ever.

I have access to a Mac with a standard (non-admin) account. I don’t know the admin password on this box, so I couldn’t cheat on it at all. With the above vulnerability active on that Mac, I was able to bypass the administrator’s credentials and make changes to my standard account as if I were an admin, and I didn’t even need a password.

As I understand it, there wasn’t a secret account or other access point on your computer. When you first tried to log in as root without a password, High Sierra wouldn’t let you in. The bug occurred when you retried logging in as root without a password: after multiple tries, the root account somehow ended up enabled with no password at all. At that point, you had access to absolutely everything on the computer. Whenever macOS again prompted you for any kind of admin permissions, simply entering “root” as the user name, again without a password, got you authenticated.

As I mentioned, this was probably the easiest “hack” I’ve ever done. You didn’t need any coding or any kind of technical knowledge. All you needed was physical access to the computer and the ability to spell the word, “root.”

Thankfully, the hole has been patched; and it was patched, as I mentioned, via a silent, forced update that, to my understanding, Apple has only used once before. You didn’t get the opportunity to decline this update, and Apple applied it to your system without asking for permission, without requesting a restart of your machine, and, really, without your knowledge. It simply got installed and then silently applied when you either rebooted or turned your Mac on.

The only evidence that something had happened was a notification bubble that showed up a day or so later letting you know that the update had been installed.
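A defender-side check that goes with the above, added here as an example and not part of the original post: it compares the installed build string against 17B1002 (the build the post says Security Update 2017-001 produces) and reads the root record’s AuthenticationAuthority attribute via dscl to confirm root is still disabled. The build-string layout, the `;DisabledUser;` tag, and the sample values are assumptions and constructed inputs, not something taken from Apple’s documentation.

```shell
#!/bin/sh
# Added example, not from the original post: post-patch audit helpers for the
# High Sierra root-login bug.
# Assumptions: Apple build strings look like <train><letter><number> (17B1002);
# a disabled Directory Services account carries ";DisabledUser;" in the
# AuthenticationAuthority attribute printed by
#   dscl . -read /Users/root AuthenticationAuthority

# Turn a build string such as 17B1002 into one sortable integer:
# train, then the letter's ASCII code, then the number. Fails on malformed input.
build_key() {
    case "$1" in
        [0-9]*[A-Za-z][0-9]*) ;;
        *) return 1 ;;
    esac
    train=${1%%[A-Za-z]*}          # 17
    rest=${1#"$train"}             # B1002
    letter=${rest%%[0-9]*}         # B
    num=${rest#"$letter"}          # 1002 (any trailing suffix letters dropped)
    num=${num%%[A-Za-z]*}
    printf '%d%03d%06d\n' "$train" "$(printf '%d' "'$letter")" "$num"
}

# build_at_least INSTALLED REQUIRED: exit 0 when INSTALLED is REQUIRED or newer.
build_at_least() {
    a=$(build_key "$1") || return 2
    b=$(build_key "$2") || return 2
    [ "$a" -ge "$b" ]
}

# root_is_disabled "<AuthenticationAuthority text>": exit 0 when root is disabled.
root_is_disabled() {
    case "$1" in
        *';DisabledUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check; only meaningful on macOS (sw_vers and dscl are macOS tools).
audit_root_bug() {
    build=$(sw_vers -buildVersion) || return 2
    if build_at_least "$build" 17B1002; then
        echo "build $build: Security Update 2017-001 (or later) is installed"
    else
        echo "build $build: still vulnerable, install Security Update 2017-001"
    fi
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    if root_is_disabled "$aa"; then echo "root account: disabled"
    else echo "root account: ENABLED - make sure it has a real password"; fi
}

if [ "$(uname)" = Darwin ]; then audit_root_bug; fi
```

On a non-Mac host the helpers can be exercised directly with captured values, which is also what the check against a fleet inventory would do.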


To be honest, I wasn’t happy with the news that this vulnerability was published, and I wasn’t happy with the way it was resolved, either. I wouldn’t have been upset with a “required” update that would have been installed without me getting a say in its installation IF Apple had told me that it was installing it. I don’t like the fact that Apple can just push an update to my PC and I can’t prevent it from installing, or even know that it was installed until AFTER it was installed.

That’s just as bad as the vulnerability existing in the first place.

In the future, I really wish Apple would be a bit more sensitive in situations like this. I *DO* understand why they did what they did. This was a serious bug that had to be resolved for everyone running High Sierra. However, I don’t like it when vendors force me to take an update and don’t tell me that it’s going to install or give me an option to postpone the update. People have been screaming about situations like that on the Windows side of the world since Windows 10 was released a few years ago. Just because Microsoft does it doesn’t make it ok.

Did you happen to see this bug in action? Did you happen to play with it at all prior to Apple plugging the hole? Did the update reveal itself to you via the App Store, or did you get the silent version of the update shoved at you like most of the world did?

Why don’t you meet me in the Discussion Area below, and give me your thoughts on the whole thing?

Related Posts:

RAD Software Development – For when Management Wants it Bad

In an age where convenience and instant gratification are easy to come by, taking time to do things the right way often gets glossed over…and causes a lot of problems.

I am a software QA professional. That means that I test software for a living and manage teams to do the same thing. I’m good at it; and one of the things that I’m really beginning to hate about some of the faster-paced, quick-turnaround software development and release processes is that time for testing is either greatly reduced or bypassed entirely.

I’ve learned that when management wants it bad, they can usually count on those fast-paced processes to deliver just that – bad, buggy software.

Here’s a very clear case in point – today The Verge reported that it had found a bug in iOS 6.1 that allowed anyone to bypass the iOS lock screen and view and modify contacts, listen to your voicemail, and browse your photos (by attempting to add a photo to the accessible contact list). It doesn’t appear as if the exploit grants access to email or the web.

The new exploit is similar to one that was discovered in iOS 4.1 that allowed access to contacts, call history and voicemail on a passcode-locked handset without knowing the numeric entry code required to formally unlock the phone. While the steps seem a bit unusual and convoluted – a user needs to make and then immediately cancel an emergency call and then hold down the power button a couple of times – it’s bugs like this that completely destroy any confidence a smartphone-dependent public has in a venerated company like Apple.

It also really chaps my hide.

Testing is something that many companies either bypass or greatly reduce time and resources on, as it’s seen as a roadblock to release. In fact, many modern-day methodologies don’t carry a lot of support for the different types of needed testing.

System testing, or testing the entire (and just the) application as a whole, is usually supported. Integration testing, or testing the interaction of the application with other apps and systems, usually gets bypassed. Regression testing, or the re-execution of previously completed system and integration tests, rarely ever gets done.

…and case in point. The bug that’s referenced here seems to be some type or classification of regression bug that should have been squashed over two FULL versions ago. The fact that it’s come back isn’t cool; and is something that Apple needs to deal with quickly.

I’ll be watching beta releases of iOS in the near future and if I find out anything interesting, I’ll pass it on.

Related Posts:

Keep your computer safe from malware with Anvi Smart Defender

Keeping your PC safe while you run around the internet can be a full time job. It’s very easy to click here, there and everywhere and come away with some kind of ugly bug. It’s all too easy to have your personal information and even your identity stolen right out from under you. That’s why I like having applications like Anvi Smart Defender available to me. It’s a malware security package for Windows.

Anvi Smart Defender delivers powerful protection against malware – viruses, Trojans, adware, spyware, bots and other threats. With its Smart-Engine, it scans and detects threats on your PC quickly. It has a system optimization function that speeds up your PC; and provides a cloud scan feature that protects your PC more effectively while working with items stored remotely.

Anvi Smart Defender’s smart, active scanning engine is made up of Guards. Its Privacy Guard, Startup Guard, Process Guard, Behavior Guard, and Files Guard stop and block malware by actively monitoring your system and alerting you when it detects a threat. It will not interfere with active tasks and activities when it is scanning. It runs silently in the background. Whether you are surfing, shopping, chatting, socializing, sharing or banking, Anvi Smart Defender’s guards protect your PC from malware more efficiently than other, traditional security software.

If you do bump into a file that’s infected with suspected malware, Anvi Smart Defender gives your PC cloud-based malware identification. You can upload the suspicious file and get a cloud-security report. Anvi Smart Defender discovers the newest threats first.

Anvi Smart Defender also helps protect your PC by providing traditional PC utilities to help keep it running efficiently. This way if something goes wrong, you know it must be malware related. Anvi Smart Defender includes System Optimize, Registry Fix, Privacy Cleaner, Memory Sweep, and Disk Defragment.

read full review | download Anvi Smart Defender

Related Posts:

Zemana AntiMalware

You’ll hear me say it over and over again – you simply can’t run a computer nowadays without some kind of antivirus or security software running in the background. You’re just asking for problems if you think you don’t need one…and if you get a virus, bug or worm, THEN what do you do?? This is why I’m thankful for applications like Zemana Anti-Malware. It’s a specialized malware scanner for Windows and it’s the kind that most people need.

Virus scanners are great at preventing infections, but on the off chance you do get one while you’ve got security software installed, then you have serious issues. The bug is likely smarter than the software you have. It has likely buried itself deeply within your operating system, and isn’t leaving without a fight. In many cases, the best thing you can do is to copy your data off (to an external drive, to the Cloud, etc.) and then wipe your computer and rebuild it. It’s the safest and easiest way to ensure you get rid of the infection. It’s also hugely disruptive and a pain to do.

Zemana Anti-Malware is a second-tier malware scanner designed to rescue your computer from viruses, Trojans, rootkits, etc. that have infected your system despite all the security measures you have in place. The best thing is that Zemana Anti-Malware can peacefully coexist with other security software on your computer. In the past, having multiple security programs installed on your PC often resulted in slow-downs, crashes, and, surprisingly, less security than running just the single security app.

read full review | download Zemana AntiMalware

Related Posts:

Ghostery tracks the trackers

It’s hard to believe that major websites don’t somehow record your online behavior. Tags, web bugs, pixels and beacons are just a few methods used by online companies to get additional info from each new visitor. But Evidon, a team of developers, released a browser add-on that can give you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.

Over 200 online behavioral companies have an official profile saved in Ghostery’s database that will help you learn more about their technology, their business, and their privacy policies. In this way you can learn additional info about the companies trading your online behavioral data. The more info you get, the better you can make decisions about how to control your exposure to those companies.

Ghostery allows zero-tolerance blocking of anything ad related, complete (visible) open communication with ad companies, or countless measures in between – determined by you, the informed web user.

Ghostery is available for all major browsers including IE, Firefox, Chrome and Safari. When you decide to download it, you just have to use the right browser and choose the corresponding version.

download Ghostery
