Apple has frequently marketed itself as providing a superior, more secure operating environment than you find in the PC universe (whether this is actually true or merely reflects Apple's relatively small market share is a debated question). That reputation took a massive blow last evening, when security researchers demonstrated a flaw in macOS High Sierra that allows administrator access to a system with a hardcoded login and no password at all.

Reproducing the bug is simple (at least until Apple fixes it): Type the login "root," then move the cursor into the password field and hit enter several times. It also apparently works if you simply hit the "login" button several times rather than using the keyboard, though a few tries may be necessary.

Ars Technica confirmed the issue on three different Macs, all of which were tested multiple times. Security researcher Amit Serper notes that AppleScript can be used to create a root shell from the command line as well. Initially he didn't think this was possible, which is why his tweet is phrased that way:

You can also log in with this method if the machine is rebooted. A locked screen isn't vulnerable to this attack, and full disk encryption seems to stop it as well, but a powered-off Mac running High Sierra can be rebooted and penetrated with no problem at all. Lemi Orhan Ergin notes that the bug can also be used from within the OS to unlock user and group preferences:

It's baffling that a security bug this severe would make it into a shipping product. macOS High Sierra has been shipping for months. It's been in beta for even longer. And yet, somehow, this error snuck through unnoticed. In fairness to Apple, it's the simple kind of error that even security testers might skip checking, because no one expects an error this obvious to get made in the first place.

But, by the same token, the fact that this flaw is so low-level makes it extremely serious. If you permit access to your Mac via remote services or have enabled screen sharing, you'll want to turn those features off immediately. Apple will almost certainly have a security fix ready to go in a matter of days; we'll update this story as soon as they do. Until they patch the flaw, setting a root password will help you avoid the problem.