Posted by Tech Talk With Craig Peterson on Wednesday, November 29, 2017
Here’s a direct link to the Facebook video post: https://www.facebook.com/craigradio/videos/1910827435624427/
With the latest release of their High Sierra operating system version, 10.13.1 Apple has a HUGE security hole. Really huge. Previous operating system releases don’t seem to have the same vulnerability.
Anyone with an account on any Apple Mac OS High Sierra machine can gain full access to everything on the machine. Known as “root” access, Apple disabled it by default some years ago. But just yesterday, it was revealed that root is back with a vengeance.
Is this part of a bigger problem at Apple? How could they not have tested something so simple?
Apparently, Tim Cook’s Apple doesn’t have testing procedures robust enough to detect a devastatingly severe security hole.
Let me explain what this vulnerability is all about.
The machine running High Sierra will allow you to enter the account name “root” when you’re asked to validate increased privileges. Root access provides you enormous access privileges to every folder, file, program, all data, and the entire Operating System. But then to top it off you don’t even need to enter a password. OOOPS…..
Once logged in as root, any user can even change accounts that belong to other macOS users. Everything on that device is not only exposed but editable. That means that any system settings are changeable and include your security preferences that deal with encryption, VPNs, and firewalls.
The initial compromised login must occur with physical access to the device and by a local account on the machine. However, once done, the computer can be used remotely with full privileges.
Apple is rapidly designing a patch for this security vulnerability. By setting a secure password to the root username, you can prevent any unauthorized use of your Apple machine.
What to do:
- Go to System Preferences and select Users and Groups.
- Click Login Options on the left side of the menu, and then Click Join next to Network Account Server.
- Now Click Open Directory Utility, followed by Edit on your Mac’s menu bar.
- You can now assign a secure password.
Instructions from Apple are available here:
Apple’s information about their patch is here:
Keep in mind that if you are affected by this vulnerability and suffer a breach, you will have liability, and so will Apple, but here is the rub: unlike Apple, the small business owner can’t afford the legal team they’d need.