mac OS HS vulnerability

Printable View

29-11-2017, 12:37 PM
ik9000

mac OS HS vulnerability

classic - it sounds like a similar thing to the old windows XP "administrator" account vulnerability. Anyone with a mac might want to set a root password

http://www.bbc.co.uk/news/technology-42161823

I like the fact they explain to people how to exploit the vulnerability :stupid:

Quote:

Originally Posted by BBC

The flaw in MacOS High Sierra - the most recent version - makes it possible to gain entry to the machine without a password, and also have access to powerful administrator rights...

...by entering the username "root", leaving the password field blank, and hitting "enter" a few times, he would be granted unrestricted access to the target machine.
29-11-2017, 02:30 PM
scaryjim

Re: mac OS HS vulnerability

Quote:

Originally Posted by ik9000

... I like the fact they explain to people how to exploit the vulnerability :stupid:

I like even more that, immediately after they explain the exploit, they point out that the original person to do so has been highly criticised by the computer security industry. It's like, they know it's a bad thing to tell people how to do this, but someone else has already said something so surely it's OK now...
29-11-2017, 03:15 PM
ik9000

Re: mac OS HS vulnerability

Quote:

Originally Posted by scaryjim

I like even more that, immediately after they explain the exploit, they point out that the original person to do so has been highly criticised by the computer security industry. It's like, they know it's a bad thing to tell people how to do this, but someone else has already said something so surely it's OK now...

Yeah, kind of ironic, but in fairness once the exploit is in the wild it is better to warn as many people as quickly as possible, both of the need to act, and the potential risk/severity of not taking action.
29-11-2017, 03:23 PM
ik9000

Re: mac OS HS vulnerability

and when one article on their website wasn't enough...
http://www.bbc.co.uk/news/technology-42166438
29-11-2017, 03:27 PM
peterb

Re: mac OS HS vulnerability

You do have to have to root account enabled - by default it is disabled, however a user with admin privileges can enable it, and should then set a password.

Most *nix systems insist on setting a root password as part of the setup routine.
29-11-2017, 04:16 PM
scaryjim

Re: mac OS HS vulnerability

Quote:

Originally Posted by peterb

You do have to have to root account enabled - by default it is disabled ...

From the info in the bbc articles it makes it sound like High Sierra automatically enabled it. The guy who posted it in the apple forum thread says he was a normal user, and makes no indication that he'd chosen to enable root access.

Sure, we don't have the full story, but this sounds a bit more serious than "only affects people who have deliberately chosen to enable root"....
29-11-2017, 04:23 PM
peterb

Re: mac OS HS vulnerability

Quote:

Originally Posted by scaryjim

From the info in the bbc articles it makes it sound like High Sierra automatically enabled it. The guy who posted it in the apple forum thread says he was a normal user, and makes no indication that he'd chosen to enable root access.

Sure, we don't have the full story, but this sounds a bit more serious than "only affects people who have deliberately chosen to enable root"....

You are right - I've just checked mine a bit more carefully, it is possible to log in as root from one of the system preferences applications. Ive jus set a root password on my mac, and the disabled root access! :)

It does require physical access to the machine - but better safe than sorry!
29-11-2017, 04:46 PM
spacein_vader

Re: mac OS HS vulnerability

Quote:

Originally Posted by peterb

You are right - I've just checked mine a bit more carefully, it is possible to log in as root from one of the system preferences applications. Ive jus set a root password on my mac, and the disabled root access! :)

It does require physical access to the machine - but better safe than sorry!

Apparently it can also be done from a remote connection. Or worse via CLI so an executable can do it.
29-11-2017, 05:13 PM
peterb

Re: mac OS HS vulnerability

Quote:

Originally Posted by spacein_vader

Apparently it can also be done from a remote connection. Or worse via CLI so an executable can do it.

Yes, if you have enabled remote access, or have installed malware. Its certainly a serious flaw - easily fixed by a user though, and I expect there will be an update out in the very near future. Just shows you can never be complacent whatever the OS. (as the shellshock bug demonstrated last year)

Edit: Looks as if the patch has been released.
29-11-2017, 06:08 PM
ik9000

Re: mac OS HS vulnerability

Quote:

Originally Posted by peterb

Yes, if you have enabled remote access, or have installed malware. Its certainly a serious flaw - easily fixed by a user though, and I expect there will be an update out in the very near future. Just shows you can never be complacent whatever the OS. (as the shellshock bug demonstrated last year)

Edit: Looks as if the patch has been released.

An Apple patch... would that be an i-patch?
29-11-2017, 06:27 PM
peterb

Re: mac OS HS vulnerability

Quote:

Originally Posted by ik9000

An Apple patch... would that be an i-patch?

Here’s your coat.... :)
29-11-2017, 06:52 PM
spacein_vader

Re: mac OS HS vulnerability

Quote:

Originally Posted by peterb

Here’s your coat.... :)

What sort of coat? A mac perhaps?