Apple Fixes Serious MacOS Password Bug

UPDATED 30/11/2017: Apple has issued a patch for a serious vulnerability in its new macOS High Sierra operating system.

The flaw is serious: it allows anyone to gain administrator access to a Mac by entering the username ‘root’ with no password, bypassing local security settings (and in some cases doing so remotely).

Mac users running macOS High Sierra are advised to download ‘Security Update 2017-001’ immediately. Users of older versions of the operating system are not affected.

The bug became public knowledge earlier this week. However, the Turkish software developer Lemi Orhan Ergin did not follow responsible disclosure practice (alerting Apple beforehand and giving it a chance to fix the flaw) and instead chose to publicise it on Twitter.

Admin Privileges

That said, the flaw was apparently discovered a few weeks earlier by a developer called Chethan Kamath (chethan177) and was disclosed in an Apple developer support forum.

But Ergin did Apple no favours by choosing to draw attention to the flaw on Twitter, a public forum.

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra,” he tweeted. “Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

Apple started work on an emergency patch, and advised users in the meantime to set a root password.

The root password flaw can be exploited on any unlocked Mac running macOS High Sierra. It can also be exploited at the login screen of a locked Mac (even after a reboot), provided the flaw has already been triggered on that machine.

The flaw can also be exploited remotely if the user has screen sharing enabled.
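The conditions described above (High Sierra, root account without a password, screen sharing as the remote path, Security Update 2017-001 as the fix) lend themselves to a quick audit. The script below is an added example, not something from the article or from Apple; it assumes the update is recorded under its name in /Library/Receipts/InstallHistory.plist, that an untouched root account shows no ShadowHash in its AuthenticationAuthority, and that screen sharing appears in launchctl as com.apple.screensharing.

```shell
#!/bin/sh
# Added audit helper (not from the article): classifies a Mac's exposure to the
# High Sierra empty-root-password bug from four facts an admin can collect.
# Every function takes its input as text, so the logic can be checked offline
# against constructed samples before being run with live command output.

# is_high_sierra VERSION -> true for 10.13 and any 10.13.x
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# root_password_unset DSCL_OUTPUT -> true when root has no password hash,
# i.e. the state in which an empty password is accepted. Caveat: a hash also
# appears once the bug has been triggered, so "set" only proves a hash exists,
# not that an administrator chose the password.
root_password_unset() {
    ! printf '%s\n' "$1" | grep -q 'ShadowHash'
}

# audit_root_exposure VERSION DSCL_OUTPUT RECEIPT_TEXT LAUNCHCTL_OUTPUT
# Prints one of NOT_AFFECTED, PATCHED, MITIGATED, VULNERABLE_LOCAL, VULNERABLE_REMOTE
audit_root_exposure() {
    version=$1; dscl_out=$2; receipts=$3; launchctl_out=$4
    if ! is_high_sierra "$version"; then
        echo NOT_AFFECTED; return 0
    fi
    if printf '%s\n' "$receipts" | grep -q 'Security Update 2017-001'; then
        echo PATCHED; return 0
    fi
    if ! root_password_unset "$dscl_out"; then
        echo MITIGATED; return 0      # root password set, as Apple advised
    fi
    if printf '%s\n' "$launchctl_out" | grep -q 'com.apple.screensharing'; then
        echo VULNERABLE_REMOTE        # reachable over screen sharing as well
    else
        echo VULNERABLE_LOCAL
    fi
}

# Live use on a Mac (assumed collection commands, run as an administrator):
#   audit_root_exposure "$(sw_vers -productVersion)" \
#       "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)" \
#       "$(cat /Library/Receipts/InstallHistory.plist)" \
#       "$(launchctl list)"
```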


Apple Security

The fact that Apple let slip such an obvious security vulnerability will no doubt cause red faces at the company. And this is not the first bug discovered in the macOS High Sierra operating system.

In October a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes. When a user requested a password hint for certain encrypted volumes, the operating system displayed the entire password instead of the hint.

Yet despite this, Apple has enjoyed a good security reputation for many years, although flaws, bugs and vulnerabilities are increasingly being discovered and patched.

But the fact that Apple’s testing procedures did not detect this latest and fairly obvious root bug before the OS was released does raise questions about its testing process. So does the fact that the developer Chethan Kamath first exposed this flaw on 13 November on Apple’s own developer forums.

This also raises the question of why Apple does not seem to read or monitor the content of its developer forums.

“This is a very surprising bug that evaded the quality control on MacOS High Sierra,” said Tyler Moffitt, Senior Threat Research Analyst at Webroot.

“Apparently, this also works on FileVault in the MacOS which makes this bug quite devastating. The good news is that as of right now, there is not any mention of malware that leverages this security flaw,” he added.


Tom Jowitt
