Security Flaw - Oops!

In summary, this is a physical, local only attack. Don't leave your Mac someplace where unauthorized use could occur.

There is a way to stop this before Apple get readied a patch! Search and type "Mac OS Sierra root". there is a thread on what to do to do.

GordonThree wrote:
In summary, this is a physical, local only attack. Don't leave your Mac someplace where unauthorized use could occur.

Don't be too comfortable with that notion. The fix is simple though and should be done regardless. Read on...

https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/

Apple has released an update.

We were just talking about this today in our enterprise security meeting. Didn't effect our organization as High Sierra has not yet been approved as an OS upgrade. Only five isolated test Macs are running it. Though a pretty big oversight by Apple?

I refrain from upgrading my personal Macs until it passes our enterprise security testing.

It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.

ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.

Speaking as a Unix weenie and developer, I can't help but wonder how many of the millions of Mac owner's in the world have a clue what this means. I don't think Apple wants their customer base to have to know or care.

Dave

magicbus wrote:

ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.

Speaking as a Unix weenie and developer, I can't help but wonder how many of the millions of Mac owner's in the world have a clue what this means. I don't think Apple wants their customer base to have to know or care.

Dave

Speaking as another unix weenie (ret), you’re right. Anybody that knows what root is and how to enable it is probably safe anyway.

The moral of the story is that if you don’t know what we’re talking about you probably don’t need to be concerned about this. You’d have no reason to do the things that would put you at risk.

ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.

From what I've read, the issue occurs even if you have not explicitly enabled root login. That's part of the problem - the OS is seemingly enabling the root account to check the password and that's why when you try the login with a blank password you have to try it twice.

bwanshoom wrote:

ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.

From what I've read, the issue occurs even if you have not explicitly enabled root login. That's part of the problem - the OS is seemingly enabling the root account to check the password and that's why when you try the login with a blank password you have to try it twice.

Very True - the current reported OS bug bypasses the fact that root is disabled. You simply have to try more than once.

If you have a computer running macOS High Sierra, you can address this immediately by assigning a password to “root” so that unauthorized parties who might attempt to exploit the flaw won’t be able to login in without it. To do this, simply open the “Directory Utility” app and click the “Edit” dropdown menu in the toolbar. You can then click on the “Change Root Password” entry to enter a new password.

I'd have a password for root regardless of any patch.