Standard User billford
(elder) Tue 28-Nov-17 21:46:10

High Sierra bug

If other people have access to your computer you might like to take notice of this:
macOS High Sierra bug allows full admin access without a password


Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User micksharpe
(legend) Wed 29-Nov-17 02:13:47

Re: High Sierra bug [re: billford]

"Think different."

'Sir, please,' she said ... 'Will you not share your wisdom with us?'
'I have no wisdom,' he told her.
'Your experiences, then?'
'They have been trivial, uninteresting, and full of error.'
Iain M. Banks -- Feersum Endjinn
Standard User billford
(elder) Wed 29-Nov-17 07:37:41

Re: High Sierra bug [re: micksharpe]

"Think."

Standard User micksharpe
(legend) Wed 29-Nov-17 07:48:21

Re: High Sierra bug [re: billford]

Caveat emptor? tongue

Standard User billford
(elder) Wed 29-Nov-17 07:58:43

Re: High Sierra bug [re: micksharpe]

Whilst not excusing Apple on this, I wonder how new the bug is.

I can remember at least some forms of Unix having this "feature" back in the days of thick Ethernet crazy

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 08:38:07

Re: High Sierra bug [re: billford]

It's nothing to do with the design of the OS, just a poor default configuration in the delivered product. Any OS could potentially have this bug (and I'm pretty sure that some Linux distributions do).

But it is quite a glaring oversight to ship a system with a blank, or default, root password.

--------------------------------------------------------------------------
A lie gets halfway around the world before the truth has a chance to get its pants on.
Standard User billford
(elder) Wed 29-Nov-17 09:04:17

Re: High Sierra bug [re: TinyMongomery]

In reply to a post by TinyMongomery:
> It's nothing to do with the design of the OS, just a poor default configuration in the delivered product

Not sure I'd agree there- the login code should be in a loop which can only be broken out of by entering valid details.

On the Unix systems I remember it was simply the same code repeated three times- after that you just "dropped through" to the rest of the startup routine.

These days that would be very poor design, but in those days computer software was written by geeks for geeks, who were assumed to be trustworthy. The idea of computers all over the world being accessed by some spotty 14-yr old with a tablet in his bedroom wasn't even conceivable frown

> But it is quite a glaring oversight to ship a system with a blank, or default, root password.

Yes. It should be a requirement during installation to set a root password.

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 11:17:43

Re: High Sierra bug [re: billford]

Username "root" with password "" is a perfectly valid input.

Standard User billford
(elder) Wed 29-Nov-17 11:24:45

Re: High Sierra bug [re: TinyMongomery]

In reply to a post by TinyMongomery:
> Username "root" with password "" is a perfectly valid input.

Matter of opinion. I don't consider null entries to be valid in either field.

Standard User ian72
(eat-sleep-adslguide) Wed 29-Nov-17 11:26:21

Re: High Sierra bug [re: TinyMongomery]

Yes, but that then should only require Enter to be pressed once. The report says enter has to be pressed several times so there is something else going on, not just the missing password - looking at a video it rejects it first time but allows it on the second attempt, that is odd behaviour.
Standard User ian72
(eat-sleep-adslguide) Wed 29-Nov-17 11:27:14

Re: High Sierra bug [re: billford]

A null password is valid - if that is the way you configure the security. It may not be a good idea but that does not make it invalid - for years I ran Windows with a blank password so that it auto logged in at home as I was the only user and nothing on the machine that needed to be secured.
Standard User billford
(elder) Wed 29-Nov-17 11:33:36

Re: High Sierra bug [re: ian72]

In reply to a post by ian72:
> A null password is valid - if that is the way you configure the security.

Accepting what you say, it's a bit of an oxymoron tongue

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 11:54:10

Re: High Sierra bug [re: billford]

"" isn't a null entry. (Check your C programming - which is, after all, what these utilities are written in - a pointer to "" is not a null pointer.)

Standard User billford
(elder) Wed 29-Nov-17 12:01:37

Re: High Sierra bug [re: TinyMongomery]

In reply to a post by TinyMongomery:
> a pointer to "" is not a null pointer.

Agreed, it isn't- it's a pointer to an empty string.

I just knew you'd take this sub-thread into pointless pedantry frown

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 12:26:43

Re: High Sierra bug [re: billford]

It takes two to tango. wink

Standard User billford
(elder) Wed 29-Nov-17 12:42:05

Re: High Sierra bug [re: TinyMongomery]

Tango isn't an Apple OS.

Standard User micksharpe
(legend) Wed 29-Nov-17 12:56:19

Re: High Sierra bug [re: billford]

In reply to a post by billford:
> Tango isn't an Apple OS.

Did you Google it? wink

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 13:02:23

Re: High Sierra bug [re: billford]

Not an OS, but it takes two to use it. https://itunes.apple.com/us/app/tango-video-call-cha...

Standard User ian_c
(eat-sleep-adslguide) Wed 29-Nov-17 13:50:49

Re: High Sierra bug [re: billford]

> If other people have access to your computer

Is the important bit (as you know)...

Also, the issue isn't really the absence of a root password per se, since root is not enabled by default on MacOS (and never has been), but that it turns out it is trivially easy to enable it. I suspect Apple made the (obviously erroneous) assumption that only people who knew what they were doing would know how to enable root. So although the workaround is to add a password, that isn't the fix because it should be (but isn't) moot for most users.

This (if I have read correctly - was in a bit of a rush) was found looking for a solution to a different issue - how to reinstate an admin (non-root) account that has been accidentally de-admined.

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 14:13:53

Re: High Sierra bug [re: ian_c]

I'm not convinced that this is a big deal. If you have physical access to an OS X machine you can start it in single user mode and have root access that way. The same is true of most UNIX based systems - with physical access you can easily get root access.

The exception being if the hard disk is encrypted; most systems will then require a password to access it. In that case, even booting with another OS and accessing the disk that way won't work.

Standard User billford
(elder) Wed 29-Nov-17 14:19:40

Re: High Sierra bug [re: ian_c]

I must admit I'd forgotten that root has to be specifically enabled... I've never needed it.

I've always managed with sudo, and (not being particularly proficient at a Unix prompt) I'm very wary even of that crazy

It's a bit ironic that they missed this one but (in Sierra) removed ftp because it was insecure...

Standard User ian_c
(eat-sleep-adslguide) Wed 29-Nov-17 14:36:29

Re: High Sierra bug [re: TinyMongomery]

Pretty much. An unencrypted system is vulnerable. More at 10.

Standard User billford
(elder) Wed 29-Nov-17 16:53:14

Re: High Sierra bug [re: billford]

Fixed.

Available in the App Store, no re-start required.

Standard User micksharpe
(legend) Wed 29-Nov-17 17:34:43

Re: High Sierra bug [re: billford]

> It didn't take long for Apple to patch that nasty macOS High Sierra flaw that let intruders gain full administrator access (aka root) on your system. The company has released Security Update 2017-001, which should prevent people from gaining control over a Mac just by putting "root" in the username and hitting the Return key a few times. Needless to say, you'll want to apply this fix as soon as you can if you're running Apple's latest desktop OS.

If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

Edited by micksharpe (Wed 29-Nov-17 17:35:10)

Standard User billford
(elder) Wed 29-Nov-17 17:50:32

Re: High Sierra bug [re: micksharpe]

In reply to a post by micksharpe:
> If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

An alternative interpretation is that MS security is [censored] tongue

It's the first security-only update this year but there have been several general OS updates in 2017. I can't remember if any included security updates as well, they probably did. I can't tell from the update history.


eta- iirc the update from 10.13 to 10.13.1 included the KRACK update, for example.

Edited by billford (Wed 29-Nov-17 17:57:18)

Standard User micksharpe
(legend) Wed 29-Nov-17 17:56:47

Re: High Sierra bug [re: billford]

In reply to a post by billford:
> An alternative interpretation is that MS security is [censored] tongue

laugh

Standard User TinyMongomery
(eat-sleep-adslguide) Wed 29-Nov-17 21:13:24

Re: High Sierra bug [re: micksharpe]

High Sierra is relatively recent.

Contrary to popular belief, security updates are - IMO - a good thing.

Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222

Standard User TinyMongomery
(eat-sleep-adslguide) Thu 30-Nov-17 08:14:42

Re: High Sierra bug [re: billford]

An explanation here of exactly what went wrong: http://www.theregister.co.uk/2017/11/29/apple_macos_...

I have to revise my opinion - this was a bug in the OS, not just a misconfiguration of the defaults.

Standard User Jay_Jay
(learned) Thu 30-Nov-17 09:52:33

Re: High Sierra bug [re: micksharpe]

In reply to a post by micksharpe:
> If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.

I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!

In reply to a post by TinyMongomery:
> Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222


From TM's Link:- for iOS-11 (which was initially released at the end of September), there have ALREADY been 6 Security Updates!!

Not quite up to Microsoft's "Every-Week", but nearly!!
Standard User billford
(elder) Thu 30-Nov-17 10:17:06

Re: High Sierra bug [re: Jay_Jay]

In reply to a post by Jay_Jay:
> I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!

All companies get it wrong periodically... OS X Snow Leopard was great, Lion was less highly regarded, Mountain Lion wasn't bad, Mavericks had its problems I believe, ditto Yosemite (I skipped those two), Sierra seemed OK, I'm not convinced about High Sierra.

Similar for Windows- the upgrade from XP to Vista wasn't universally recommended... that's about when I switched to Macs so can't comment on later versions. Even back in the days of DOS, there was a tendency to skip the even-numbered versions smile

IOS 11 seems to be another victim of this trait... I've stayed on IOS 10, I'll see what 12 looks like tongue

Standard User ian72
(eat-sleep-adslguide) Thu 30-Nov-17 13:05:29

Re: High Sierra bug [re: billford]

> Even back in the days of DOS, there was a tendency to skip the even-numbered versions

And we all know Microsoft decided to skip the odd number and go straight from 8 to 10.
Standard User TinyMongomery
(eat-sleep-adslguide) Thu 30-Nov-17 13:25:30

Re: High Sierra bug [re: ian72]

More likely it was the same reason that there is unlikely to be a Windows 13. And, considering that Windows 7 was one of the most successful versions, I doubt the odd-number explanation.

Standard User ian72
(eat-sleep-adslguide) Thu 30-Nov-17 13:33:57

Re: High Sierra bug [re: TinyMongomery]

They might have just been trying to catch up with Apple - now both MacOS and Windows are at version 10.
Standard User billford
(elder) Thu 30-Nov-17 13:42:35

Re: High Sierra bug [re: ian72]

In reply to a post by ian72:
> now both MacOS and Windows are at version 10.

And MacOS is at sub-version 13 crazy

Standard User billford
(elder) Thu 30-Nov-17 13:52:10

Re: High Sierra bug [re: billford]

Seems the bug fix may have a bug... Link

Maybe they should have gone straight from 10.12 to 10.14 tongue

Standard User ian72
(eat-sleep-adslguide) Thu 30-Nov-17 13:59:05

Re: High Sierra bug [re: billford]

Americans are usually very superstitious about 13. Maybe because it is 10.13 they thought they would be ok?
Standard User billford
(elder) Thu 30-Nov-17 14:30:42

Re: High Sierra bug [re: ian72]

In reply to a post by ian72:
> Americans are usually very superstitious about 13. Maybe because it is 10.13 they thought they would be ok?

Who knows how American minds work, especially Californian ones? wink

The problem definitely isn't universal- I can connect to shares OK here, although I haven't tried all possible combinations of all machines (and nor do I intend to!).

Standard User TinyMongomery
(eat-sleep-adslguide) Thu 30-Nov-17 14:37:21

Re: High Sierra bug [re: billford]

That's nothing!

Windows is on sub-version 1703 (or 1709 for cutting-edge users).

Standard User billford
(elder) Thu 30-Nov-17 14:44:16

Re: High Sierra bug [re: TinyMongomery]

In reply to a post by TinyMongomery:
> Windows is on sub-version 1703 (or 1709 for cutting-edge users).

Are those "genuine" sub-versions or build numbers?

I'm currently on MacOS 10.13.1, build number 17B1002. The 17B suggests that the numbering system may have started with MacOS 1, whatever that was crazy

Standard User TinyMongomery
(eat-sleep-adslguide) Thu 30-Nov-17 16:52:39

Re: High Sierra bug [re: billford]

The current build number is 15063.729.

Standard User billford
(elder) Thu 30-Nov-17 17:08:55

Re: High Sierra bug [re: TinyMongomery]

In reply to a post by TinyMongomery:
> The current build number is 15063.729.

Thanks, that's even more cryptic than my MacOS build number tongue

I've been doing a bit of googling and came across this:
Windows 10 Will Be the Last Major Microsoft OS Release
I hadn't realised MS were going down that route... so (probably) no Windows 11 and (it wouldn't surprise me) no MacOS 11 either.

Just a series of point releases... should be a good thing. More "evolutionary" and less apps being broken by major OS updates if nothing else!

Standard User ian72
(eat-sleep-adslguide) Fri 01-Dec-17 08:21:28

Re: High Sierra bug [re: billford]

It's primarily because MS will move to a subscription/cloud service - so you won't see update numbers but it will keep changing. Even if they no longer have major versions they could still have major changes.
Standard User Jay_Jay
(learned) Sat 09-Dec-17 09:28:11

Re: High Sierra bug [re: billford]

In reply to a post by billford:
> Just a series of point releases... should be a good thing. More "evolutionary" and less apps being broken by major OS updates if nothing else!

Can't really comment on Apple's releases but, generally, I disagree!!

A major release can be annoying but, when it occurs, you can go through it all & make sure that your Options/Settings are as you wish them to be. Also, if anything outlandish is introduced, there becomes such an outcry that it is soon shelved!

With this "Drip-Feed" approach to updates, various Options/Settings can be subtly changed (or even over-written) without you being aware of them!! Also you no longer get the same level of outcries objecting to outlandish changes!

Didn't I read something, on another Forum, where it was asserted that Microsoft routinely checks if Remote-Telemetry has been disabled &, if it has, it then re-enables it via the "routine" Security Updates??
Standard User kebabselector
(committed) Mon 11-Dec-17 15:09:14

Re: High Sierra bug [re: billford]

In reply to a post by TinyMongomery:
> Windows is on sub-version 1703 (or 1709 for cutting-edge users).
> - Are those "genuine" sub-versions or build numbers?


The Microsoft version numbers are when the major releases are produced: March 2017 (1703) / Sep 2017 (1709)

Next year's are likely to be 1803 and 1809

ISP's:
Zen: 6mb down - .7mb up
JohnLewis BB: Cancelled
Stechford (CMSTE) Cab 50 - FTTC doing Design, live due by Oct 2018 - Phase CEO Escalation 19a - Huawei (Info from Codelook)
BCC Planning Portal Ref: 2017/09636/PA