
Apple Releases Fix for MacOS High Sierra 'Root' Bug

The bug let people modify a Mac and look up passwords in Keychain Access; 'regrettably we stumbled with this release of macOS,' Apple said in a statement.

By Michael Kan
Updated November 29, 2017

UPDATE 11/30: Unfortunately, the patch Apple released may introduce another bug that prevents file-sharing on the Mac. The company has issued an advisory that explains in four steps how to fix that issue.

UPDATE 11/29: Apple released a security patch on Wednesday to fix this bug and issued the following statement:

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

"We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

Original Story 11/28:
Mac computers with High Sierra (MacOS 10.13.1 or higher) have a serious bug that can let anyone gain root access to the system without a password.

The hack can be triggered through the Mac's System Preferences application. Initially, reports indicated that the bug was limited to the "Users & Groups" option. Those who clicked the lock icon saw a new login window. Typing "root" as the username, leaving the password field empty, and clicking unlock (once or twice) set up a new account with system admin privileges to the computer.

According to security firm Malwarebytes, however, the bug was not limited to "Users & Groups" and could be triggered by clicking the lock icon in any pane of the System Preferences application.

There were also reports that the bug could be triggered via the Mac login screen, but not everyone was able to replicate that.

For those who did succeed, the system admin privileges could be used to modify the rest of the Mac and look up passwords in Keychain Access. Even after a reboot, the root account remained enabled.

"I have not been able to trigger this initially from the main login screen," said Thomas Reed, a security researcher at Malwarebytes, in an email. "Once the bug is triggered in any authentication dialog, THEN you can log in as root from the login screen... but as far as I can tell, not until then."

The problem made headlines when security researcher Lemi Orhan Ergin tweeted about it on Tuesday.

Amit Serper, a security researcher with Cybereason, replicated the result and said the bug "is as serious as it gets."

Hackers are always crafting malware that tries to gain greater system privileges on a computer. Now they have a new way to do so, and it can also be triggered from the Mac's command line. Imagine a piece of malicious code designed to attack Macs using the same flaw: users wouldn't even know they were compromised, Serper said.

Shortly after the bug was made public, Apple issued the following statement:

"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

Security experts are still going over the bug, but it may be remotely exploitable if, for instance, screen sharing is enabled on the Mac.

It does not appear Apple was made aware of the bug before it was publicized on Twitter, something the security community generally frowns upon. "This kind of public disclosure can put users at risk," said Keith Hoodlet, a security engineer with Bugcrowd, which does crowdsourced security testing.

He recommends that users refrain from trying out the bug on their High Sierra Macs. Doing so creates an account with superuser privileges, which can open the machine up to remote attack. To mitigate the risk, users who have already tested the bug should set a password for the new root account, which can be done by following the temporary fix Apple provided.
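Rather than testing the bug, an administrator can check a Mac's state directly. The following audit script is an added example, not code from the article or from Apple's advisory; it reads the root account's AuthenticationAuthority attribute with `dscl` and reports whether root has been enabled, which is the state the bug leaves behind. It assumes macOS marks a disabled account with the `;DisabledUser;` tag in that attribute, and the sample values at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the article or Apple's advisory): read-only audit
# of whether the macOS root account is enabled. Assumption: Directory
# Services tags a disabled account with ";DisabledUser;" in its
# AuthenticationAuthority attribute, as `dscl` displays it.

# Classify a raw AuthenticationAuthority value. Prints "disabled" or
# "enabled" and returns 0 only when the account is still disabled.
classify_root_state() {
    aa="$1"
    case "$aa" in
        *';DisabledUser;'*) echo "disabled"; return 0 ;;
        *)                  echo "enabled";  return 1 ;;
    esac
}

# Live check on a Mac. dscl only exists on macOS, so elsewhere this
# reports that it cannot run instead of guessing.
audit_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: run this on macOS"
        return 2
    fi
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    state=$(classify_root_state "$aa")
    if [ "$state" = "enabled" ]; then
        echo "root account is ENABLED: set a root password as Apple's advisory describes"
        return 1
    fi
    echo "root account is disabled"
    return 0
}

# Constructed sample values shaped like dscl output (not captured from a real Mac).
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Stand-alone run: classify both samples, then audit the live machine if possible.
classify_root_state "$SAMPLE_DISABLED"
classify_root_state "$SAMPLE_ENABLED"
audit_root_account || true
```

The live check needs no privileges beyond reading the local directory node, so it is safe to run as a routine fleet audit.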

