Modernizing Authentication — What It Takes to Transform Secure Access
Apple today released a security update to fix a significant vulnerability in its latest operating system, macOS High Sierra, which allowed anyone to log in as an admin without entering a password.
The company's update notification explains the flaw simply by stating, "An attacker may be able to bypass administrator authentication without supplying the administrator's password," and explains, "A logic error existed in the validation of credentials. This was addressed with improved credential validation."
Users who require a root user account will be required to re-enable the root user and change the root user's password after the update.
The flaw was disclosed publicly by software developer Lemi Orhan Ergin, who tweeted yesterday, "Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as 'root' with empty password after clicking on login button several times. Are you aware of it @Apple?"https://l1.cdn.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In a separate Medium post, Ergin explained that the staff at his company came across the issue last week, and notified Apple on November 23. "They also searched online and saw the issue mentioned in a few places already, even in Apple Developer Forum from Nov 13. It seemed like the issue had been revealed, but Apple had not noticed yet."
"I have no intention to harm Apple and Apple users," Ergin added. "By posting the tweet, I just wanted to warn Apple and say, 'there is a serious security issue in High Sierra, be aware of it and fix it.'"
Tripwire vice president of product management and strategy Tim Erlin told eSecurity Planet by email that this kind of failure to follow responsible disclosure guidelines puts everyone at risk. "Public disclosure like this, especially with a major vulnerability, ensures the widest possible distribution of the information among malicious attackers, and instills a sense of urgency to attack before a patch is available," he said.
Still, Ergin's tweet had the desired effect -- Apple said in a statement, "When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole."
"We greatly regret this error and we apologize to all Mac users, but for releasing with this vulnerability and for the concern it has caused," the company added. "Our customers deserve better. We are auditing our development process to help prevent this from happening again."
Craig Young, computer security researcher at Tripwire, said by email that there's really no excuse for releasing an operating system with this kind of security failure, as well as others discovered over the past year. "Looking at the history of macOS releases tells a pretty interesting story about the kind of quality coming out of Cupertino recently," he said.
"Apple releases a major update for their operating system each year in September typically with a new point release every couple of months," Young added. "For the last couple of years, however, Apple has had to follow up the major release with a quick succession of fixes for issues detected after launch. In fact, this is the third year in a row where it looks like Apple will three versions of their OS released before the end of the year."
TDI senior director Jesse Dean said by email that things are changing significantly for Apple, which used to be able to count on security through obscurity. "Previously, designers and artists were not concerned or demanding security -- they were rightfully content with a slick looking product that enabled their creativity and vision. That is all about to change."
"Last year, Apple sold approximately 36 percent more computers than it did in 2010," Dean added. "Between this increase and greater adoption by DevOps teams to create and manage critical applications, MacOS users should no longer feel they are safe hiding in plain sight."