The MacOS Fix is Out!

And, the fix is out, update now!

Apple releases macOS High Sierra security fix for critical root vulnerability

9to5mac – By: Zac Hall – “If you’re running macOS High Sierra, it’s time to update your Mac as soon as possible. Apple has released a security update that addresses the security vulnerability discovered yesterday afternoon. The update is available now through the Mac App Store.

Apple details the fix here:

SECURITY UPDATE 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

If you require the root user account on your Mac, you can enable the root user and change the root user’s password.

While the security vulnerability was a rather serious one, Apple has promptly responded with a fix less than 24 hours after it became public. The issue did not affect older versions of macOS, although there doesn’t appear to be a fix available for macOS 10.13.2 beta yet as the fix (downloadable here) only appears to apply to macOS 10.13.1 for now.

Apple issued this statement to 9to5Mac following the software fix:

‘Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.'”

Embarrassingly Easy MacOS Vulnerability!

Wired is reporting this super easy hack on High Sierra. Ouch!

Anyone Can Hack MacOS High Sierra Just by Typing ‘Root’

Wired – By: Andy Greenberg – “There are hackable security flaws in software. And then there are those that don’t even require hacking at all—just a knock on the door, and asking to be let in. Apple’s macOS High Sierra has the second kind.

On Tuesday, security researchers disclosed a bug that allows anyone a blindingly easy method of breaking that operating system’s security protections. Anyone who hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users, they can simply type ‘root’ as a username, leave the password field blank, click ‘unlock’ twice, and immediately gain full access.

In other words, the bug allows any rogue user that gets the slightest foothold on a target computer to gain the deepest level of access to a computer, known as ‘root’ privileges. Malware designed to exploit the trick could also fully install itself deep within the computer, no password required.

‘We always see malware trying to escalate privileges and get root access,’ says Patrick Wardle, a security researcher with Synack. ‘This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter.’

As word of the security vulnerability rippled across Twitter and other social media, a few security researchers found they couldn’t replicate the issue, but others captured and posted video demonstrations of the attack, like Wardle’s GIF below, and another that shows security researcher Amit Serper logging into a logged-out account. WIRED also independently confirmed the bug.

The fact that the attack could be used on a logged-out account raises the possibility that someone with physical access could exploit it just as easily as malware, points out Thomas Reed, an Apple-focused security researcher with MalwareBytes. They could, for instance, use the attack to gain root access to a logged-out machine, set a root password, and then regain access to a machine at any time. ‘Oooh, boy, this is a doozy,’ says Reed. ‘So, if someone did this to a Mac sitting on a desk in an office, they could come back later and do whatever they wanted.’

Reed also notes, however—and other researchers confirm—that it’s possible to block the attack simply by setting a password for the root user. If you’ve installed High Sierra and haven’t set a root password, you should do it now. In a statement, Apple confirmed the problem, reiterated that short-term fix, and promised a longer-term software patch: ‘We are working on a software update to address this issue,’ an Apple spokesperson wrote.

High Sierra’s ‘root’ bug was first revealed by Turkish software developer Lemi Orhan Ergin, who says security staff at his company stumbled on the issue while trying to help a user get back into their account. ‘They informed me and tried on my machine too. And I saw the security issue with my eyes. That was scary,’ Ergin says.

The face-palm worthy bug is only the latest in a disturbing series that have plagued High Sierra. On the day the operating system launched, Wardle found that malicious code running on the operating system could steal the contents of its keychain without a password. And another shocking bug showed the user’s password as a password hint when they try to unlock an encrypted partition on their machine known as an APFS container.

Wardle argues that those flaws might have been caught earlier if Apple offered a ‘bug bounty’ for information about security vulnerabilities in its desktop software, just as most other companies do. Apple does have a bug bounty, but only for iOS, not MacOS. ‘A bug bounty program is a no-brainer. Maybe this is something that will encourage them to go down that path,’ Wardle says. ‘It’s crazy these kinds of bugs keep blowing up. I don’t know if I should laugh or cry.'”