Story image

Apple addresses serious root access vulnerability in latest MacOS High Sierra update

30 Nov 17

Apple has been quick to address another major security flaw in its macOS High Sierra 10.13.1 operating system after keen-eyed users found that anyone could gain root access to the system with a few easy steps.

According to reports, any person can log into a Mac device that runs High Sierra by using ‘root’ as the username and pressing the enter key several times. The login then results in all superuser access rights to the OS, leaving users’ data wide open for access.

The vulnerability, CVE-2017-13872, was patched by Apple yesterday. The company confirms suspicions that the vulnerability does have real dangers.

“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company says in its Security Update 2017-001 report.

“A logic error existed in the validation of credentials. This was addressed with improved credential validation.”

According to Centrify director of product management Peter Havens, the vulnerability has significant risks for enterprises that use Macs.

He says that the bug can allow access through both the login screen and screen saver lock screens for Macs joined by Active Directory.

“This is much more significant than the originally reported issue because it allows an admin to elevate privileges by unlocking system preferences,” Havens explains.

“In addition, if a Mac user has ‘screen sharing’ enabled - perhaps from a previous IT support issue - the root login can be used to remotely view the user’s screen without them knowing, or login remotely. While there is a simple workaround - by creating a user with the name ‘root’ and setting a unique and complex password - and Apple is sure to address this gaping hole quickly, it highlights a fundamental but ignored gap in enterprise security.”

He also notes that some companies use the same local admin password for every endpoint and believes that all local admin accounts including root accounts should have unique passwords that are randomly generated and rotated frequently.

“If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update,” Apple warns.

It is not the first security flaw in High Sierra and its predecessor El Capitan – in September a Synack security researcher discovered that Mac Keychain can store online account usernames and passwords in plain text. 

In October Duo researchers also called out Apple’s pre-boot EFI firmware. They found that, out of almost all Apple Mac devices, Apple was not consistent with its firmware updates. While the operating systems were updated, firmware updates were often left behind.

“There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running,” researchers state. 

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.