Mistakes happen
If they put their prices up a bit they may be able to afford a competent in-house OS testing team
Apple has emitted an emergency software patch to address the trivial to exploit vulnerability in macOS High Sierra, version 10.13.1, that allowed miscreants to log into Macs as administrators without passwords and let any app gain root privileges. The Cupertino iPhone giant kicked out the fix, Security Update 2017-001, today …
You have to try several times for the vuln to trigger; once is not enough. This means that this flaw can remain undetected, as it was, for months ...
Glad to see Apple hastened with the patch.
This is just a silly code blunder
Next time I am in the head office, I will bring my laptop to IT, it runs WinDos 10, I will have a service running as System which will upgrade my account to domain and enterprise admin the second they log on ... let's see what they have to say about that ... I wonder, how long will it take for them to realize the feat?
I also wonder what will happen to me once they find out ... fun days ;-)
Twice is enough.
The first time sets the root password to whatever's in the password box due to the logic fail meaning that a password entry for root is created in the new encryption format (really what this bit of code should be doing is updating a correct password stored in the old encryption format to the new encryption format).
The second time gets you access as the root password entry now exists in the new encryption format and the password in the box was correct.
Entering the same password twice for root is enough to do it. A blank password is easiest.
Apple needs more code review and QA and less shiny, and marketing needs to back off and realise that their yearly fixed deadline means more mistakes like this get through.
Twice is enough.
Interestingly, I couldn't get the flaw to trigger on any of our AD-joined Macs (but could on ones that were not joined to the domain).
As other people have said, it would be nice if Apple were to spend less time carefully designing more emoticons and more doing basic QA.
"This is just a silly code blunder"
The command "ls" displaying the wrong time is a coding error; allowing root access without authentication on an operating system used by hundreds of thousands of people around the world is a career-killing cock-up of the highest order.
"So why did you leave your last job?"
"Oh, erm....I was the coder that maintained the system authentication code for OSX High Sierra. Yeah, not a great time in my life I must admit!"
I have been a Mac user for about 18 years. I pretty much started at OS 9. After converting to OS X, I have been reluctant to say this, but the code quality has *REALLY* gone downhill. The last decent OS X was 10.4.11. I have been noticing so many bugs it seems that Apple has finally caught up with Windows as far as bugs. I am on 10.12.6, and it is somewhat stable although there are still many software bugs. The one that costs me four extra hours a day is MAIL.APP. It does not show emails that have attachments. My conversation with Apple was that at first they were interested in it until High Sierra came out, and then they dropped the bug report and insisted I upgrade to HS before they would talk to me. Now, here comes the fun part: since Apple has had *SO MANY* bugs, people are reluctant (except a few Apple fanboys) to upgrade, as Apple in their infinite wisdom has made the upgrade dangerous because they force you to upgrade the internal drive to be their new "thing" and make it very hard to go back without jumping through hoops for an average Mac user. Since I am not an advanced Mac user I will wait six months to a year to upgrade because I do not want to have a chance of losing data; the cure according to Apple is making a few copies of every HD. I have news for Apple: we do not all have an empty pocket and simply cannot make all the copies to be safe.
Color me an Apple person that has jaded eyes after all the bugs that Apple has come up with. Example: in 3 weeks Apple came up with an update each week.
Bah Humbug.
Just as well you have a Joke Icon. Most people regular here know, but the general public doesn't know that Apple generally has a HUGE profit margin compared to others. At least on phones. But how important are Macs to Apple now? They dropped Computer from the name. The Mac doesn't generate the iTunes revenue that the 70% (??) profit margin iPhone makes.
Seems (from Apple themselves) that fixing the root password bug introduces a file-sharing fail bug, more specifically a fail-to-ever-authenticate file sharing no-go between High Sierra machines, and sometimes APFS SMB, NAS permissions problems etc.
https://support.apple.com/en-us/HT208317
SNAFU used to be the appropriate .mil term, how quickly will we get Security Update 2017-001b?
1) Apple should have required a password on the root account or set it to a random password if the user didn't want to set one, not left it blank
2) the researcher who found this decided to tell the world immediately instead of telling Apple privately and giving them the chance to fix it before it was made public - he's getting castigated in the security world for doing this, and rightly so
Obviously all the blame belongs with Apple for allowing this to happen, and I hope their ultimate fix is to eliminate root accounts without a password - disabled or not - because if they simply fix this bug there's no guarantee there is another one lurking somewhere that allows the fact root has no password to be exploited. I'm sure hackers are looking for such cases very intently right now. No excuse for such stupidity.
It was actually found weeks ago and spread around the Apple developer forums. By the time it went big yesterday it was already well known to a large group of people. This wasn't a case of a careless security researcher dropping a zero-day publicly because he didn't feel like reporting it, it was a developer who wasn't aware of the full impact of a bug complaining that Apple had not even acknowledged that it existed let alone discussed the possibility of a fix.
Was this the best way to handle the issue? Nah, not really. But is it "right" for one of the many people who discussed this issue publicly to be crucified for doing so, as you suggest? No, not that either.
Also if you read the technical details, the "root account without a password" already was eliminated from the auth DB and should have been completely inaccessible. The root of the problem was that the authentication code wrongly decided that it was time to enable the disabled account by creating it anew, with the (blank) password which had been provided by the user.
Sadly, things are never quite as simple as they look.
2) the researcher who found this decided to tell the world immediately instead of telling Apple privately and giving them the chance to fix it before it was made public - he's getting castigated in the security world for doing this, and rightly so
Pretty sure the guy sent a message to Apple straight away. However, given the truly catastrophic and extremely simple nature of the fault (it later emerged that any program could pull off the same trick with command line calls), letting the whole world know was probably better than letting it fester until Apple got round to fixing it. Apple had 2 weeks to fix it before it became newsworthy, and only after all this publicity have they decided to get on with it.
Nope. Apple previously disclosed it into the public domain beforehand, as explained in the earlier post in this thread.
The PR firm who released that fake statement couldn't do a worse job even if they had Theresa May or one of her Orange ex-friends as their clients.
I just wanted to add that any unused account on your system should be expired so that no one and nothing can use it to log in to your computer. In Linux and MacOS account expiration is controlled by /etc/shadow. Try man shadow. If you are running Linux also read the man page for usermod. On MacOS, I am told that usermod doesn't exist and you need to use a tool called dscl instead.
One can only hope that part of the fix Apple has put into place was expiring the root account. If not you can do it manually and maybe avoid the next episode of "open mouth, insert root" from Apple.
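An added check for the advice above (not from the post): it parses records in the /etc/shadow format described in man shadow and lists the accounts that can still log in because they have no password, are not locked, and have no expiry date that has already passed. The sample records, the helper names and the audit date are constructed for the illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # the shadow expiry field counts days from here

# Constructed sample in /etc/shadow format (name:pwd:lastchg:min:max:warn:inactive:expire:flag).
SAMPLE_SHADOW = """\
root:$6$c0nstructed$hashvalue:17500:0:99999:7:::
legacyroot::17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
olduser:$6$c0nstructed$hashvalue:17400:0:99999:7::17400:
intern:$6$c0nstructed$hashvalue:17500:0:99999:7::17532:
contractor:!$6$c0nstructed$hashvalue:17500:0:99999:7:::
"""


def parse_shadow(text: str):
    """Yield (name, password_field, expire_field) per record, padding short lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 9)[:9]
        yield fields[0], fields[1], fields[7]


def account_status(pwd: str, expire: str, today: date) -> str:
    """Classify one record as expired, locked, NO PASSWORD or active."""
    if expire.strip() and EPOCH + timedelta(days=int(expire)) <= today:
        return "expired"       # expiry reached: login refused regardless of password
    if pwd == "":
        return "NO PASSWORD"   # empty field: authentication needs no password at all
    if pwd.startswith(("!", "*")):
        return "locked"        # leading ! or * is an invalid hash, so nothing matches
    return "active"


def audit(text: str, today=None) -> dict:
    """Map every account name in the file to its status."""
    today = today or date.today()
    return {name: account_status(pwd, exp, today) for name, pwd, exp in parse_shadow(text)}


def still_usable(text: str, today=None) -> list:
    """Accounts that can still log in and so need a password, a lock or an expiry."""
    return sorted(n for n, s in audit(text, today).items() if s in ("active", "NO PASSWORD"))


if __name__ == "__main__":
    # Audit date fixed to 2017-11-30 (day 17500) so the sample output is reproducible.
    for name, status in audit(SAMPLE_SHADOW, date(2017, 11, 30)).items():
        print(f"{name:12} {status}")
```

Run against the real file as root by passing its contents to `audit()`; the "locked" accounts are what `usermod -L` produces and "expired" is what `usermod -e` produces.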
It is an embarrassing bug and it will be exploited before all machines have been patched, but IMHO not as big as the SSL error (GOTO FAIL). Requiring physical access to my machine would require a break-in to my apartment.
Anything that is remotely possible is scary: Browsers allowing remote code to run. My SMTP server having a hole (like exim).
I have been hacked once due to a FTP bug in 2000. Prob. a script kiddie but still scary as hell.
You don't need physical access, just network access, since this can be achieved through VNC or even terminal if you're so inclined (I've tested this against my iMac which functions as a monitor at work over the network and sure enough it can be triggered.)
Anon because I'm not telling you which network you need to be on.
I have been hacked once due to a FTP bug in 2000
I've only been hacked once (that I know of!) - I set up an account on one of my linux boxes for one of my brothers and he changed his password to be the same as his user name..
Found someone busily trying (and failing) to install a rootkit the next day. Fortunately, it was a pretty stripped-down box and had a minimal attack surface (apart from squishy-meatbag induced ones).
Now that's hardly fair. EVERY vendor will try and keep quiet about a problem like this until it's fixed, because revealing it when no fix exists is a fantastically irresponsible thing to do.
Of course, this had already been public domain for weeks and Apple weren't making any effort to do anything about it, which is the worst of all worlds. It was being bandied around by people on their own customer forum as a 'fix' for a locked account, and Apple still did not notice. Which isn't a great look.
"Now that's hardly fair. EVERY vendor will try and keep quiet about a problem like this until it's fixed"
No, that's hardly fair. There is a very big difference between vendors with a reputation for fixing holes asap and those with a reputation for sitting on them for years on end.
I have to laugh at the number of bugs that slip through. Often just pressing a button would have replicated it.
Granted, in this case "I wonder if I can login to root?" would have to have been followed by hitting enter twice. But still, it would have been a few seconds every code revision.
This little number is rather more nasty than every bug (with a funky name) that has been touted for years. This is *root* with no password. This is: I can ssh or RDP into your box with no password.
I don't have to mess about with anything fancy - your system has absolutely no protection against me: your root account has *****no fucking password *****.
I suggest you set one yourself. Apple seems to have let you down.
@PC Paul: "It's a shame nobody seems to have posted the immediate 'make yourself safe' step which should be to create a root account with a strong password, avoiding the logic flaw completely. I don't have a Mac here to test, is there any reason this wouldn't work?"
At least two people here deemed that comment worthy of a down vote. Logging in as root through the GUI is disabled by default here and it does prompt for a root password at installation. Then you sudo or su to get root access, various distros have different restrictions on this.
"particularly in the enterprise market Apple is so keen to grab"
They can't be all that keen, given their support offerings. My director's XPS13 dies at noon and Dell has someone on-site the same day. Another's Macbook Pro dies at roughly the same time and Apple show up 6pm the next day.
"Apple don't care about backward compatibility, which is essential for enterprises"
And aren't much interested in compatibility with other vendors, either, which doesn't help much. Honestly have no idea why Cook is trying to push the Enterprise angle, since it's completely at odds with Apple's existing (and undeniably successful) model.
Back in the mid-80s I used to work on AT&T 3B2-300 computers. When you forgot the root password you just hammered 'BREAK' during boot and you were prompted for a firmware password. That password was hard-coded as 'mcp'. I blame the interweb for making these security breaches available to everyone.
Similarly ~25 years ago, I had to hack our own VAXCluster. The star coupler had thrown a fit, and instead of making sure one copy of the system volume was available to at least one node, it crashed horribly and corrupted both.
So, I called our DEC support people, and our nice engineer Paul turned up with parts, I restored the OS, and we thought we'd cracked it. Except it turned out that my boss (who was on hols) had changed the SYSTEM account password when I'd been on holiday shortly before, and had forgotten to tell me.
So, having physical access, I just took the system down again, did a conversational boot, renamed sysuaf.dat, rebooted, logged in as SYSTEM without a password, put sysuaf.dat back, and changed the SYSTEM password. Boom! I was in. (at least that's how I remember it, there was some swearing and multiple attempts to get this right)
Who is responsible at Apple for testing for basic security glitches such as the above? Something like having an automated security testing framework in place that can run as part of the build/test/deploy process.
"The problem exists on the architecture/specification level."
Honestly, the problem exists on a cultural level at Apple. They keep everything secret even internally, so they have the complete opposite of the Open Source 'many eyes' approach. There's a presumption of security by obscurity minimizing problems, which is a really, really bad approach - and leads to having to rush out patches for bugs like this one when they get press attention.
On top of that, there's a general insistence that they don't need to learn from or follow non-Apple ideas about security, leading to stupid things like the lack of 2FA on iCloud prior to the Fappening (until someone who has learned about these things takes advantage of it, resulting in a sudden acceptance of what everyone else knew was a good idea 20 years previously). These are just plain embarrassing for a major vendor and the kind of thing most of their rivals addressed in the early 2000s, but are sidelined at Apple because they 'damage the user experience'. Presumably, no-one considered how having all her nude photos leaked online would impact Jennifer Lawrence's experience until after the event.
I tested the "problem" on my Mac (High Sierra) and .... NO root access using blank password.
Again, trying to elevate my privileges (as described) from System Preferences - again NO root access.
Granted, that Apple has rapidly pushed out a patch means it was a problem, but ... not everywhere.
Not denying it hasn't been witnessed - just not on EVERY machine.
So relax from RANTING and foaming - please test your sources BEFORE jumping on the gloat / hate wagon.
This doesn't create a new user if the user doesn't exist. What this code is is migration code.
First it checks the newest format password database, if the entry isn't there it checks the old password format database, and upgrades the account password to the new database.
Unfortunately there is a bug that if the password wasn't in the old password database it still does the upgrade with whatever was passed in, which is rather stupid, but isn't the same as creating a new user.
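The ordering described here, and in the "twice is enough" explanation earlier in the thread, can be shown as a toy model. This is an added illustration, not Apple's code: the two stores, the stand-in hash functions and the `AuthStore` class are constructed, and `login_flawed` contrasts the upgrade-anyway path with `login_fixed`, which refuses to migrate anything it has not first verified.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str) -> str:
    # Stand-in for the "old encryption format": an unsalted digest (constructed toy).
    return hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the "new encryption format": salted PBKDF2 (parameters are not Apple's).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthStore:
    """Legacy records, new-format records, and disabled accounts (which have no record at all)."""

    def __init__(self, legacy: dict, disabled: set):
        self.legacy = dict(legacy)     # user -> legacy hash, not yet migrated
        self.new = {}                  # user -> (salt, new-format hash)
        self.disabled = set(disabled)  # accounts that must never log in

    def _verify_new(self, user: str, password: str) -> bool:
        salt, digest = self.new[user]
        return hmac.compare_digest(new_hash(password, salt), digest)

    def _migrate(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.new[user] = (salt, new_hash(password, salt))
        self.legacy.pop(user, None)

    def login_flawed(self, user: str, password: str) -> bool:
        """Flawed ordering: a missing legacy record is treated like a verified one."""
        if user in self.new:
            return self._verify_new(user, password)  # the second attempt lands here
        old = self.legacy.get(user)
        matches = old is not None and hmac.compare_digest(old, legacy_hash(password))
        if old is None or matches:
            # BUG: for an account with no record anywhere (disabled root) the caller's
            # password is written as the new-format password; only this attempt fails.
            self._migrate(user, password)
        return matches

    def login_fixed(self, user: str, password: str) -> bool:
        """Disabled accounts never authenticate; migrate only a verified credential."""
        if user in self.disabled:
            return False
        if user in self.new:
            return self._verify_new(user, password)
        old = self.legacy.get(user)
        if old is None or not hmac.compare_digest(old, legacy_hash(password)):
            return False  # no legacy record or wrong password: nothing is migrated
        self._migrate(user, password)
        return True
```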
A password-checking routine has absolutely NO business in CREATING a new user on a Unix system. If the user does not exist, fail the login and that is it !
But the IT sphere is actually plagued with feature-stuffed software, which in practice means bug-stuffed.
Here are two more KISS Violations: http://altwissenschaft.ddnss.de/ViolationsOfKISSAndConsequences.html
So other commenters say it is "just" migrating one format of user database into another one, "on the fly" while checking credentials.
Not sure whether this is even more dangerous or just on a similar level.
If they really want to convert user databases, do it while pushing an upgrade to the computer, not on every login attempt.
If the user does not exist, fail the login and that is it
You seem slightly slow of comprehension so I'll use small words:
A root user is created on every install but is marked as disabled and has no password. This has been the case for (pretty much) every version of OS X.
This bug comes about because of a logic flaw that makes the root account active, even if it doesn't have a password. This is unacceptable. But it sure as hell ain't "CREATING" a new user..
All it is doing is adding a password to an existing, disabled user without a password (NULL (UNDEF?) vs "blank" vs zero, fankids), and then enabling the user.
Yep, serious hole, Apple blew it off until it got user-level publicity (shame on them). Sad part is it's like the gratuitous "hacker" scene in action movies where somebody taps a few keys and magically pwns the system - you know, the ones we all groan at. Well, truth appears to be stranger than fiction, once again.
But it's NOT creating a new user (possibly with root privileges/sudoer/whatever). That's an entirely different level of stupid.
"Sad part is it's like the gratuitous "hacker" scene in action movies where somebody taps a few keys and magically pwns the system - you know, the ones we all groan at."
Apple kit - so user friendly even hacking it just takes a couple of key presses.
"Latest release: 10.13.1 (17B48) (October 31, 2..."
So hackers or related entrepreneurs had a possible four weeks of fun. Normally I would call this a glitch by Apple. But then again, the timing is interesting, where in other news it was reported that US Marines raided the CIA and the FBI was "neutralized" ...