Apple Releases Fix for MacOS High Sierra 'Root' Bug
UPDATE eleven/29: Apple released a security patch on Midweek to fix this issues and issued the following statement:
"Security is a tiptop priority for every Apple tree product, and regrettably we stumbled with this release of macOS.
"When our security engineers became aware of the outcome Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.grand., the update is bachelor for download, and starting subsequently today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
"Nosotros greatly regret this mistake and we repent to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve amend. We are auditing our development processes to assistance preclude this from happening again."
Original Story 11/28:
Mac computers with High Sierra (MacOS 10.13.one or higher) have a serious bug that tin let anyone gain root admission to the system without a password.
The hack can be triggered through the Mac'southward System Preferences application. Initially, reports indicated that the bug was limited to the "Users & Groups" option. Those who clicked the lock icon saw a new login window. Typing "root" equally the username, leaving the countersign field empty, and clicking unlock (in one case or twice) set up a new account with system admin privileges to the calculator.
According to security firm Malwarebytes, nevertheless, this was not express merely to "Users & Groups" and could exist triggered by clicking the lock icon adjacent to any app within the Systems Preferences menu.
There were also reports the bug could triggered via the Mac login screen, just not everyone was able to replicate that.
For those who did succeed, system admin privileges could exist used to modify the rest of the Mac and wait upward passwords on the keychain admission. Even after a reboot, the root business relationship remained.
"I take not been able to trigger this initially from the main login screen," said Thomas Reed, a security researcher at Malwarebytes, in an email. "Once the issues is triggered in any authentication dialog, So you can log in every bit root from the login screen... but as far as I can tell, not until then."
The problem made headlines when security researcher Lemi Orhan Ergin tweeted near on Tuesday.
?????????? film.twitter.com/4TBh5NetIS
— patrick wardle (@patrickwardle) Nov 28, 2022
Amit Serper, a security researcher with Cybereason, replicated the result and said the issues "is equally serious as information technology gets."
Hackers are e'er crafting malware that can gain greater system privileges into a calculator. Now they accept a new mode, which can also be triggered via a Mac's command line function. Imagine a piece of malicious code designed to assault Macs using the same flaw. Users wouldn't even know they were compromised, Serper said.
Shortly after the problems was made public, Apple issued the post-obit statement:
"Nosotros are working on a software update to address this issue. In the meantime, setting a root countersign prevents unauthorized admission to your Mac. To enable the Root User and ready a countersign, please follow the instructions hither. If a Root User is already enabled, to ensure a blank countersign is not set, please follow the instructions from the 'Change the root password' section."
Security experts are withal going over the problems, merely it can exist remotely exploitable, if for case, screen sharing is enabled on the Mac.
If certain sharing services enabled on target - this attack appears to work ?? remote ?????? (the login attempt enables/creates the root account with blank pw) Oh Apple ???????? pic.twitter.com/lbhzWZLk4v
— patrick wardle (@patrickwardle) Nov 28, 2022
It does not appear Apple was made enlightened of the problems before information technology was publicized on Twitter, something the security community by and large frowns upon. "This kind of public disclosure tin can put users at risk," said Keith Hoodlet, a security engineer with Bugcrowd, which does crowdsourced security testing.
He recommends users refrain from trying out the issues on their High Sierra-installed Macs. Doing so creates an account with super privileges, which tin open up information technology upwardly to remote attack. To mitigate the risk, users who've decided to test the problems should create a password for the new root business relationship, which can be done by following the temporary set up Apple provided.
Source: https://sea.pcmag.com/apple-macos-high-sierra/18426/apple-releases-fix-for-macos-high-sierra-root-bug
Posted by: borbapenig1955.blogspot.com
0 Response to "Apple Releases Fix for MacOS High Sierra 'Root' Bug"
Post a Comment