Mac|Life

High Sierra security

Another macOS security blunder...

By Alex Summersby

Yet another security flaw hits High Sierra.

Apple’s latest iteration of macOS, High Sierra, has been rocked by yet another security lapse. This was the most serious yet, potentially giving attackers (human or malware) root access to any Mac running High Sierra — meaning they could do anything they wanted.

Apple issued a fix, Security Update 2017-001, within a day after the fault was publicized to the general public on Twitter and widely reported in the media, but this was some weeks after the issue was first disclosed on its developer forums.

Ironically, the fix in turn broke file sharing, and Apple rapidly issued an additional support note (support.apple.com/en-us/HT208317) with instructions on how to get it working again.

The original security lapse was a serious vulnerability. Anyone could sit at your Mac and gain administrator access by logging in with the user name “root” and leaving the password blank each time it was requested. This worked when logging in, when making changes to system settings, and even when accessing the Mac remotely using screen sharing.

In Unix-based systems, including macOS and versions of Linux, the root user is the ultimate administrator, with unfettered privileges. As is usual practice, the root account is disabled by default in High Sierra, but the flaw was in the function that verifies passwords: When someone tried to log in as “root,” it reset the password to whatever that person entered (or didn’t enter, if it was left blank), and enabled the root account.

According to some reports, this took effect the second time you tried to log in — the first time only reset the password and saved it — which is some consolation because someone just playing around wouldn’t have gained immediate access. However, it later emerged that this flaw applied to any system account that had its login disabled. On the other hand, it would not affect an active root account with a password, which is likely to be the setup in most corporate environments.
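To make the two-attempt behaviour described above concrete, here is a small Python model of a password-verification routine with the described defect next to a hardened version. This is an added illustration and not Apple’s code: the `Account` store, the `verify_flawed` and `verify_fixed` functions and the PBKDF2 stand-in hash are all assumptions built only from the article’s description (a disabled account with no stored credential, a first attempt that silently stores the typed password and enables the account, and a second identical attempt that then succeeds).

```python
"""Toy model of the High Sierra root-login flaw as the article describes it.

Added example, not Apple's code. The account store, the verify functions
and the hash are assumptions modelled on the article's description only.
"""

import hashlib
import os
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Account:
    name: str
    enabled: bool
    # Salted hash of the password; None means no credential is stored,
    # which is the state a disabled-by-default account is assumed to be in.
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for a real password hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def set_password(acct: Account, password: str) -> None:
    """Store a fresh salted hash of `password` on the account."""
    acct.salt = os.urandom(16)
    acct.digest = _hash(password, acct.salt)


def verify_flawed(acct: Account, password: str) -> bool:
    """Models the defect the article describes (assumption, not Apple's code).

    When the account has no stored credential, the routine 'repairs' it on
    the fly: it stores whatever was typed (even an empty string) as the new
    password, enables the account, and only then reports failure. The next
    attempt with the same input therefore authenticates.
    """
    if acct.digest is None:
        set_password(acct, password)
        acct.enabled = True
        return False
    return _hash(password, acct.salt) == acct.digest


def verify_fixed(acct: Account, password: str) -> bool:
    """Hardened form: a disabled account, or one with no stored credential,
    never authenticates and is never modified by a login attempt."""
    if not acct.enabled or acct.digest is None:
        return False
    return _hash(password, acct.salt) == acct.digest


def attempt_twice(verify: Callable[[Account, str], bool],
                  acct: Account, password: str) -> List[bool]:
    """Run two consecutive login attempts and return their outcomes."""
    return [verify(acct, password), verify(acct, password)]


if __name__ == "__main__":
    # Constructed scenario: root disabled by default, blank password typed twice.
    root = Account("root", enabled=False)
    print("flawed check, two blank attempts:", attempt_twice(verify_flawed, root, ""))
    root = Account("root", enabled=False)
    print("fixed check, two blank attempts: ", attempt_twice(verify_fixed, root, ""))
```

Running the flawed routine twice against a disabled account returns `[False, True]` and leaves the account enabled, which is the sequence the article reports; the fixed routine returns `[False, False]` and leaves the account untouched. The model also reproduces the article’s point that an active root account with a password set is unaffected, because the flawed branch is only reached when no credential is stored.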

The flaw affected remote access, but this is probably off by default anyway, and remote login by SSH (using the command line) has additional anti-root checks. However, screen sharing does not, leaving Macs running an unpatched version of High Sierra vulnerable to attack from outside as well as from intruders who happen to be sitting at your keyboard.

Apple recommended that all High Sierra users apply the security update urgently.

This is the third serious security lapse affecting High Sierra. As we reported in Mac|Life 135 in December, the first was a flaw in the keychain, which meant that malicious code could steal the contents of your keychain, including critical passwords. The second was a bug that affected encrypted APFS volumes (those using the new Apple File System, introduced in High Sierra and now obligatory for SSDs): When it prompted you for your password, it displayed the password itself, in plain text, instead of your password hint.

Apple issued updates to address all these lapses, but they have left a cloud over the company’s security testing regime. Apple is believed to be aiming to make inroads into the corporate market, but enterprise users in particular will now be more wary of deploying High Sierra.

As we went to press, Apple was advertising a Security Assessor job on LinkedIn. Based in Cupertino, CA, the position required “strong experience conducting large-scale security and risk assessments.” It’s not clear whether the previous job holder left entirely voluntarily.
