Apple Issues Security Update for High Sierra Root User Bug

Apple on Wednesday released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password.

You can file this one under the ol’ “face palm – how the h3ll did this make it out to production?” category.

As a software development professional with over 25 years of experience, it really makes me wonder sometimes… It’s a question that, as a Quality Assurance professional, you never want to ask or have someone ask YOU; but when the item in question is this blatant, you really can’t help it.

Recently, a bug in macOS 10.13 High Sierra was discovered that allowed anyone – literally, anyone – with physical access to your Mac to log in with root permissions, whether they had an account on the computer or not.

Root is a super user level of access. Someone with root or super user access can do anything and EVERYTHING to your Mac, despite any and ALL security settings you’ve made or apps you’ve installed. They can burn down your entire world with root access… and there isn’t anything on the computer that can stop them.

Now, there are a few things you should know about this.

1. As of this writing, this should no longer be an issue. Apple has released a security update, Security Update 2017-001, and it will update your High Sierra build number to 17B1002 after it installs.
2. As of this writing, the update will come down and install automatically. You won’t see an update notification or red bubble on the App Store indicating an update is available. It’s going to install automatically when you restart your Mac. Period. You don’t get a choice.

I wanted to get that in front of everyone before I relay the following comment – I’ve seen this defect in action, and it was totally devastating.


In fact, it was a bit more than that. I’ve never seen such an easily exploitable, completely revealing security vulnerability like this… ever.

I have access to a Mac with a standard (non-admin) account. I don’t know the admin password on this box, so I couldn’t cheat on it at all. With the above vulnerability active on that Mac, I was able to bypass the administrator’s credentials and make changes to my standard account as if I were an admin, and I didn’t even need a password.

As I understand it, there wasn’t a secret account or other access point on your computer. When you tried to log in as root without a password, High Sierra wouldn’t let you in. The bug, however, occurred when you retried logging in as root without a password. It somehow burned the account in, without a password, after multiple tries. At that point, you had access to absolutely everything on the computer. When macOS again prompted you for any kind of admin permissions, simply entering “root” as the user name, again without a password, got you authenticated.

As I mentioned, this was probably the easiest “hack” I’ve ever done. You didn’t need any coding or any kind of technical knowledge. All you needed was physical access to the computer and the ability to spell the word, “root.”
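The post gives a defender two concrete things to verify: the build number that Security Update 2017-001 installs (17B1002) and the state of the root account, since the flaw hinged on root being enabled with no password. The script below is an added example, not code from the post or from Apple; it parses a build string the way `sw_vers -buildVersion` prints it and interprets the output of `dscl . -read /Users/root AuthenticationAuthority`. The `;ShadowHash;` and `;DisabledUser;` markers it looks for are assumptions about that output format, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the post): audit a Mac for the High Sierra root-login
# bug. Two checks: is the installed build at or past 17B1002, the build the post
# says Security Update 2017-001 produces, and is the root account enabled?

FIX_MAJOR=17    # Darwin major version of macOS 10.13 High Sierra
FIX_LETTER=B
FIX_MINOR=1002  # first build that carries Security Update 2017-001

# build_status BUILD   (BUILD looks like 17B48, 17B1002, 17C88 ...)
#   exit 0 : High Sierra build at or after 17B1002 (patched)
#   exit 1 : High Sierra build before 17B1002 (unpatched)
#   exit 2 : not a High Sierra (17x) build or malformed; this bug does not apply
build_status() {
    b=$1
    major=${b%%[A-Z]*}             # digits before the first capital letter
    rest=${b#"$major"}             # the letter plus everything after it
    letter=$(printf '%.1s' "$rest")
    minor=${rest#?}
    minor=${minor%%[!0-9]*}        # drop any trailing suffix such as "a"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq "$FIX_MAJOR" ] || return 2
    # compare the train letter by character code (POSIX printf "'c")
    letter_code=$(printf '%d' "'$letter")
    fix_code=$(printf '%d' "'$FIX_LETTER")
    [ "$letter_code" -gt "$fix_code" ] && return 0
    [ "$letter_code" -lt "$fix_code" ] && return 1
    [ "$minor" -ge "$FIX_MINOR" ] && return 0
    return 1
}

# root_enabled DSCL_OUTPUT
#   Interprets the text of `dscl . -read /Users/root AuthenticationAuthority`.
#   Assumption (not from the post): an enabled local account carries a
#   ;ShadowHash; entry; a disabled root has no such key at all ("No such key")
#   or carries a ;DisabledUser; tag.
#   exit 0 : root is enabled     exit 1 : root is disabled
root_enabled() {
    case "$1" in
        *DisabledUser*) return 1 ;;
        *ShadowHash*)   return 0 ;;
        *)              return 1 ;;
    esac
}

# Live run on a Mac. On other systems these tools are absent and we just skip.
if command -v sw_vers >/dev/null 2>&1; then
    build=$(sw_vers -buildVersion)
    rc=0
    build_status "$build" || rc=$?
    case "$rc" in
        0) echo "build $build: at or past 17B1002, Security Update 2017-001 is present" ;;
        1) echo "build $build: High Sierra before 17B1002, install Security Update 2017-001" ;;
        *) echo "build $build: not High Sierra, this bug does not apply" ;;
    esac
fi
if command -v dscl >/dev/null 2>&1; then
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    if root_enabled "$out"; then
        echo "root account is enabled; make sure it has a password set"
    else
        echo "root account is disabled"
    fi
fi
```

Run it as any user; neither `sw_vers` nor a read of the root record needs admin rights. A build that is not 17x is reported as out of scope rather than as patched, so the script does not give a false all-clear on a Sierra or El Capitan machine.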

Thankfully, the hole has been patched; and it was patched, as I mentioned, via a silent, forced update that, to my understanding, Apple has only used one time before. You didn’t get the opportunity to decline this update, and Apple applied it to your system without asking for permission, without requesting a restart of your machine, and really without your knowledge. It simply got installed and then silently applied when you either rebooted or turned your Mac on.

The only evidence that something had happened was a notification bubble that showed up a day or so later letting you know that the update had been installed.


To be honest, I wasn’t happy with the news that this vulnerability was published, and I wasn’t happy with the way it was resolved, either. I wouldn’t have been upset with a “required” update that would have been installed without me getting a say in its installation IF Apple had told me that it was installing it. I don’t like the fact that Apple can just push an update to my PC and I can’t prevent it from installing, or even know that it was installed until AFTER it was installed.

That’s just as bad as the vulnerability existing in the first place.

In the future, I really wish Apple would be a bit more sensitive in situations like this. I *DO* understand why they did what they did. This was a serious bug that had to be resolved for everyone running High Sierra. However, I don’t like it when vendors force me to take an update and don’t tell me that it’s going to install or give me an option to postpone the update. People have been screaming about situations like that on the Windows side of the world since Windows 10 was released a few years ago. Just because Microsoft does it, doesn’t make it ok.

Did you happen to see this bug in action? Did you happen to play with it at all prior to Apple plugging the hole? Did the update reveal itself to you via the App Store, or did you get the silent version of the update shoved at you like most of the world did?

Why don’t you meet me in the Discussion Area below, and give me your thoughts on the whole thing?

Related Posts:

New Apple Operating System Updates Released

Apple released new versions of macOS, iOS, watchOS and tvOS on 2017-03-27.

Apple released updates to three of its operating systems on Monday 2017-03-27. Apple released macOS 10.12.4, iOS 10.3, watchOS 3.2 and tvOS 10.2. Each OS brings something new to the game.

macOS 10.12.4
This new OS version brings a great deal of new stuff. Aside from the “improved stability, compatibility and security” stuff, you also get the following:

  • Night Shift, which shifts the color palette on your monitor to the warmer end of the spectrum after sunset in an effort to reduce blue light emissions, which tend to have an effect on the ability to fall asleep and sleep quality
  • Siri support for cricket scores and stats for Indian Premier League and International Cricket Council leagues
  • Resolution of several PDF rendering and annotation issues in Preview
  • Improvement of visibility of the subject line when using Conversation View in Mail
  • Fixes for an issue that may prevent content from appearing in Mail messages
  • Other minor enhancements and fixes

Night Shift is the big thing here. This is SUPPOSED to be easier on the eyes and is supposed to make it easier to fall asleep and stay asleep if you compute later in the day, into the evening. The palette on your monitor will actually warm (whites will appear more yellow…). This option is available via the Settings app, under Displays.

iOS 10.3
The latest version of iOS brings a number of new features to the iPhone. The most notable and most important is APFS or Apple File System. HFS+ is dead. Apple is converting all of its operating systems to support the new file system, starting first with its smaller devices before moving on to the desktop.

APFS is said to provide up to an additional 7.8GB of available space on 128GB to 256GB iPhones. Part of the upgrade to iOS 10.3 will convert all of your storage to support APFS, and as a result, depending on the amount and type of content you have on your device, this conversion may take a while. If the upgrade looks like it’s bombed out and stalled, don’t do anything. Leave your device alone. Let the conversion take its course and finish. Even though the device might not look like it’s doing anything, leave it alone as it’s likely converting your storage and copying content back to the volume.

iOS 10.3 also includes the following updates:

Find My iPhone

  • View the current or last known location of your AirPods
  • Play a sound on one or both AirPods to help you find them

Siri

  • Support for paying and checking status of bills with payment apps
  • Support for scheduling with ride booking apps
  • Support for checking car fuel level, lock status, turning on lights and activating horn with automaker apps
  • Cricket sports scores and statistics for Indian Premier League and International Cricket Council

CarPlay

  • Shortcuts in the status bar for easy access to last used apps
  • Apple Music Now Playing screen gives access to Up Next and the currently playing song’s album
  • Daily curated playlists and new music categories in Apple Music

Other improvements and fixes

  • Rent once and watch your iTunes movies across your devices. This coincides with the iTunes 12.6 update that was released a week or so ago
  • New Settings unified view for your Apple ID account information, settings and devices
  • Hourly weather in Maps using 3D Touch on the displayed current temperature
  • Support for searching “parked car” in Maps
  • Calendar adds the ability to delete an unwanted invite and report it as junk
  • Home app support to trigger scenes using accessories with switches and buttons
  • Home app support for accessory battery level status
  • Podcasts support for 3D Touch and Today widget to access recently updated shows
  • Podcast shows or episodes are shareable to Messages with full playback support
  • Fixes an issue that could prevent Maps from displaying your current location after resetting Location & Privacy
  • VoiceOver stability improvements for Phone, Safari and Mail

watchOS 3.2
watchOS 3.2 requires that your Apple Watch be connected to your iPhone. You can only update an Apple Watch that’s paired with an iPhone and is actually connected at the time that you wish to download the new OS. Your watch will also need to be connected to its charging cable with at least 50% charge.

There are a couple cool items of note here and not much else. watchOS 3.2 now supports SiriKit, which expands the voice commands for Apple’s Siri digital assistant. Siri now supports commands from 3rd party apps, letting users, for example, send a message or hail a ride sharing service.

watchOS 3.2 also includes Theatre Mode, which silences all sounds and turns off raise to wake, preventing your Apple Watch from becoming an audience distraction during a movie or play.

tvOS 10.2
The changes to tvOS are a little more demure than the changes to Apple’s other OSes. In tvOS 10.2, Apple has accelerated in-app scrolling, has enhanced support for the Device Enrollment Program and has provided for better mobile device management. It also offers an enhanced development tool in VideoToolbox, which is a framework for allowing apps to take advantage of hardware accelerated encoding and decoding.

Owners of a fourth generation AppleTV can get the update by opening Settings on their AppleTV and then selecting System, Software Updates, and then Update Software.


Apple Seeds 5th Beta macOS Sierra 10.12.1

Developers and public beta testers got new bits to play with…

macOS Sierra is one of the biggest updates to Apple’s desktop operating system, likely since the implementation of OS X. Or at least, it will be once the (big) bugs are gone and the new Apple File System gets implemented.


On 2016-10-19, Apple seeded the fifth beta of macOS Sierra 10.12.1 to both developers and public beta testers. Developers can get it from the Apple Developer Center, and both developers and public testers can get the bits through the Software Update mechanism in the Mac App Store.

Version 10.12.1 is a bug fix release that smooths out performance hiccups and addresses other issues that have been reported since the operating system’s initial release just a short time ago. The release doesn’t provide much in the “new features” department, however, though support for Apple’s iPhone 7/7 Plus Portrait Mode, being introduced with iOS 10.1, is included in the desktop OS’ Photos app.

Other than that, I wouldn’t expect too much more.

Apple recently announced a new media event scheduled to take place on 2016-10-27 where it is expected it will introduce a number of new Macs and MacBook Pros to the market. That’s just eight (8) days away from the time of this writing. I would expect both iOS 10.1 and macOS 10.12.1 to be released to the public by that time. It makes sense to have the new OS version hit the streets the same day as the new computers that will run it. So if you’re a Mac, get ready for a new computer, or at least get ready for the upgrade dance again.

I haven’t upgraded my top of the line, 15″ Late 2013 MacBook Pro to macOS Sierra just yet. I’ve got too many mission critical apps on it that I’m afraid won’t function correctly without major upgrades from their developers. I’m also waiting for a number of the bigger issues to shake out, so I don’t have to deal with them. This is usually when the 10.X.1 release is made available, and most will agree that this is the best time to upgrade, especially if you’re on the early adopter schedule, like me. (Though, to be very honest, jumping on at the X.Y.1 release really ISN’T early adoption…)

Are you a Mac? Have you upgraded to macOS Sierra 10.12 yet? Are you running the 10.12.1 beta? What do you think of the software? Why don’t you join me in the Discussion area below and give me your thoughts?


Apple Releases macOS Sierra

OSX 10.12 hits the streets with a multitude of new features


Apple has released macOS Sierra – OSX 10.12 – making it available for free to those users and Macs able to run the new OS. This release comes after eight betas and a number of revisions to the GM (gold master) release before its official launch on 2016-09-20.

macOS Sierra can be obtained from the Mac App Store. Apple should be making it available to Yosemite and El Capitan users via their Software Update process before too long. Officially, macOS Sierra supports the following Macs:

2009 and Later

  • iMac
  • MacBook

2010 and Later

  • MacBook Air
  • MacBook Pro
  • Mac mini
  • Mac Pro

macOS Sierra does a lot to align compatible Macs with updates to iOS, watchOS and tvOS. macOS Sierra focuses on introducing features that specifically work with iPhone and Apple Watch to improve the overall user experience.

Some of the bigger updates to Sierra include the following:

  • Siri for Mac
    Siri allows users to use normal voice commands to conduct searches, find files, look up information and more. You can pin vocal searches to the Notification Center for continual monitoring.
  • Continuity
    New Continuity features allow you to unlock your Mac with your Apple Watch or with iPhone.
  • Universal Clipboard
    You can share clipboard contents across iDevices.
  • iCloud Improvements
    You can now sync not only the contents of your Documents folder, but your Desktop as well, to iCloud Drive.
  • Photos
    A new Memories feature in Photos will display collections of pictures and bring back old events on their anniversary. Special learning algorithms also improve facial, object and scene recognition making searching for specific photos a LOT easier.
  • Apple Pay
    You can now pay for items you buy on the web with Apple Pay. Payments are authenticated through a connected iPhone or Apple Watch.

I am currently working on a review of macOS Sierra and hope to have it posted before the end of the month – along with a review of both iOS 10 and the iPhone 7. Hang tight, kids. It’s about to get very Apple-ie around here.
