Turkish developer Lemi Orhan Ergin has found a colossal security hole in the latest shipping version of MacOS, High Sierra 10.13.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The bug allows anyone to gain admin rights to the computer, letting them login as “root” without needing to enter a password.
That sounds bad
Yes. This is pretty bad of Apple, the company which previously brought us a security hole that displayed users’ actual passwords rather than a password hint.
D’oh! Apple seems to be making a habit of this… how could this security hole be exploited?
Simple. Imagine you leave you nip away for lunch at work, and leave your computer unattended on your desk. Your arch-business rival wanders over to your desk, boots up your iMac or Macbook, logs in as root, and installs some malware to spy on you.
Once someone has root on your Mac, they have God-like powers over the entire system.
Nasty. So this is a problem with the login screen at bootup?
Nope, it looks like it’s more than that. For instance, anytime the operating system asks you to enter an admin password (for instance, when changing your System Preferences) you could trick the computer into logging you in as “root”, no password required.
But an attacker needs to have physical access to a Mac computer in order to exploit this flaw?
Not so fast. For instance, security researcher Patrick Wardle reports that in some cases it is possible to exploit the flaw remotely.
If certain sharing services enabled on target - this attack appears to work 💯 remote 🙈💀☠️ (the login attempt enables/creates the root account with blank pw) Oh Apple 🍎😷🤒🤕 pic.twitter.com/lbhzWZLk4v
— patrick wardle (@patrickwardle) November 28, 2017
In other words, an attacker could use this technique to gain control over your Mac via VNC/Apple Remote Desktop.
You can tell just how serious this is by the sheer number of emojis Patrick included in his tweet.
This is so dumb
The over-use of emojis? Oh, you mean the security hole.
Yes, it is.
That’s why you should change your root password so it’s no longer the (blank) default.
Obviously if you take the route (geddit?) of changing your root password, make sure that it’s a strong, unique password that is hard to crack.
Apple is reportedly working on a fix. I would imagine they will be pushing it out as a high priority. Make sure to update your Macs and MacBooks at your earliest opportunity after it is released.
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.
Update: Apple has now pushed out a security update for macOS High Sierra users that fixes the issue.