A Turkish security researcher has exposed a major bug in macOS High Sierra. The flaw makes it possible for an attacker to gain entry to a machine without a password — as well as access to powerful administrator rights. Apple has issued a patch to fix the vulnerability affecting almost all macOS High Sierra systems.
Unpatched systems, however, remain insecure…
What Is the Bug?
The flaw was outed by Turkish developer Lemi Orhan Ergan. It allowed anyone to gain full administrative rights over a macOS High Sierra machine by simply typing “root” as the username in authentication dialog box. Then, leaving the password field blank and clicking the “Unlock” button twice, full administrative access is granted.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
In theory, before the patch, if you left your Mac unattended, someone could easily gain access and wreck your machine. For example, they might install malware, capture passwords using Keychain Access, delete or ruin your Apple ID, and more.
But Apple Have Fixed the Problem, Right?
As I penned this article, Apple released the security update to patch the issue. The Apple security content update statement says “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
The fix is already available on the Mac App Store. Also, the update will automatically apply to Macs running High Sierra 10.13.1 from Wednesday 29th November. Apple expanded on the situation with the following statement:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8am, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
“We greatly regret this error, and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
But They Already Knew About It?
Unfortunately for Apple, this issue had already surfaced — but received no action. A member of Apple’s support forum posted exact details of the bug more than two weeks ago. The original post and responses seem to view the major bug as a potential troubleshooting feature, rather than a critical security threat.
"The security flaw was originally detailed as a solution to a user login problem on Apple’s developer support forum." Dude, the exploit was on the internets. How about letting all of Twitter potentially protect themselves from this bug by setting a root password? https://t.co/sGLJW1pSOq
— elizabeth j allen (@ej_allen) November 29, 2017
What Do I Do Now?
Well, the first thing to do is head to check for system update. Apple was set to roll out the automatic patch update at some point in the last 24 hours. If the automatic update hasn’t appeared, you should head to the Mac App Store and search for the update there. Alternatively, click this link.
Once the update downloads, install immediately.
It Isn’t Working
If some reason the update will not install, first turn your system off and on, then retry. Apple has automated the process.
Otherwise, follow these steps to secure your system in the meantime:
- Open Spotlight, search for Directory Utility, select the corresponding option
- Click the lock to make changes; enter your username and password for the administrative account
- Head to Menu > Edit
- Select Enable Root User; create a password and verify
This is, however, a stop-gap. Please attempt to install the official update.
Eyes on the Source
As Apple patches the bug, eyes turn to Lemi Orhan Ergan. The self-described “software craftsman” is receiving criticism for not adhering to responsible disclosure guidelines. Responsible disclosure asks security researchers to inform companies about security threats to allow time to fix the flaw. After the flaw is fixed, the researcher is clear to present their findings to the public.
THIS IS NOT RESPONSIBLE DISCLOSURE. This is extremely irresponsible, especially for a vulnerability of this magnitude. Apple has an excellent disclosure system, and their team is exceptionally responsive. PLEASE do not do things like this. https://t.co/E6iOX5A43C
— Johnny Xmas (@J0hnnyXm4s) November 28, 2017
Of course, this system doesn’t always work as intended. Companies fail to respond, and security researchers become impatient. In those instances, creating a public issue forces the hand of the company, compelling them to fix the security threat.
After receiving a significant amount of criticism, Ergan posted a riposte on Medium. He explains that he “is neither a hacker, nor a security specialist,” continuing “I solely focus on secure coding practices while programming, but I can never call myself a security specialist.”
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
In all fairness, the bug was discussed on the Apple support forum. Furthermore, Ergan claims his colleagues at payments firm Iyzico disclosed the threat to Apple on 23rd November — but never received a response.
Eyes on the Ball
From the source, to the company. Did Apple let this one slip through the net? In a word, yes: especially if they were aware of the bug as Ergan claims. Unfortunately, we don’t know the truth, so cannot make a solid assessment of the situation.
Even after suffering their second forced update in a year (still only their second forced security update ever), Apple shouldn’t worry. Instances of macOS and iOS malware are rising, but Windows and Android remain the prime targets. Furthermore, Apple has a stellar security record for the most part, as evidenced by their swift and effective update roll out to quell the burgeoning threat.
Have you been affected by the Apple security flaw? Or did the update arrive swiftly enough to stop you worrying? Let us know your thoughts below!