|
|
If other people have access to your computer you might like to take notice of this: macOS High Sierra bug allows full admin access without a password
|
|
|
"Think different."
'Sir, please,' she said ... 'Will you not share your wisdom with us?'
'I have no wisdom,' he told her.
'Your experiences, then?'
'They have been trivial, uninteresting, and full of error.'
Iain M. Banks -- Feersum Endjinn
|
|
|
Caveat emptor?
|
|
|
Whilst not excusing Apple on this, I wonder how new the bug is.
I can remember at least some forms of Unix having this "feature" back in the days of thick Ethernet
|
|
|
It's nothing to do with the design of the OS, just a poor default configuration in the delivered product. Any OS could potentially have this bug (and I'm pretty sure that some Linux distributions do).
But it is quite a glaring oversight to ship a system with a blank, or default, root password.
--------------------------------------------------------------------------
A lie gets halfway around the world before the truth has a chance to get its pants on.
|
|
|
> It's nothing to do with the design of the OS, just a poor default configuration in the delivered product
Not sure I'd agree there- the login code should be in a loop which can only be broken out of by entering valid details.
On the Unix systems I remember it was simply the same code repeated three times- after that you just "dropped through" to the rest of the startup routine.
These days that would be very poor design, but in those days computer software was written by geeks for geeks, who were assumed to be trustworthy. The idea of computers all over the world being accessed by some spotty 14-yr old with a tablet in his bedroom wasn't even conceivable.
> But it is quite a glaring oversight to ship a system with a blank, or default, root password.
Yes. It should be a requirement during installation to set a root password.
|
|
|
Username "root" with password "" is a perfectly valid input.
|
|
|
> Username "root" with password "" is a perfectly valid input.
Matter of opinion. I don't consider null entries to be valid in either field.
|
|
|
|
Yes, but that then should only require Enter to be pressed once. The report says enter has to be pressed several times so there is something else going on, not just the missing password - looking at a video it rejects it first time but allows it on the second attempt, that is odd behaviour.
|
|
|
|
A null password is valid - if that is the way you configure the security. It may not be a good idea but that does not make it invalid - for years I ran Windows with a blank password so that it auto logged in at home as I was the only user and nothing on the machine that needed to be secured.
|
|
|
> A null password is valid - if that is the way you configure the security.
Accepting what you say, it's a bit of an oxymoron
|
|
|
"" isn't a null entry. (Check your C programming - which is, after all, what these utilities are written in - a pointer to "" is not a null pointer.)
|
|
|
> a pointer to "" is not a null pointer.
Agreed, it isn't- it's a pointer to an empty string.
I just knew you'd take this sub-thread into pointless pedantry
|
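The two points argued in the posts above (a login loop that can only be left by entering valid details, and `""` versus a null pointer), as an added C example that is not from the thread and not Apple's code. The `account` struct, `check_password` and `login` are hypothetical names, and the plaintext `strcmp` stands in for a real salted-hash check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed account record for the demo. stored_secret == NULL means no
 * password was ever set (account disabled); "" is a set-but-empty password. */
struct account {
    const char *name;
    const char *stored_secret; /* plaintext only to keep the demo short */
    int allow_empty;           /* explicit policy choice, off by default */
};

enum auth_result { AUTH_OK, AUTH_BAD_CREDENTIALS, AUTH_DISABLED };

/* One verification. It only reads the record, so repeating the same
 * attempt always gives the same answer. */
enum auth_result check_password(const struct account *acct, const char *entered)
{
    if (acct == NULL || entered == NULL)
        return AUTH_BAD_CREDENTIALS;      /* null pointer: nothing was entered */
    if (acct->stored_secret == NULL)
        return AUTH_DISABLED;             /* no credential exists to match */
    if (entered[0] == '\0' && !acct->allow_empty)
        return AUTH_BAD_CREDENTIALS;      /* empty string refused by policy */
    return strcmp(acct->stored_secret, entered) == 0 ? AUTH_OK
                                                     : AUTH_BAD_CREDENTIALS;
}

/* Fail-closed attempt loop: the only way to return 1 is AUTH_OK. Running
 * out of tries returns 0 instead of dropping through to a session. */
int login(const struct account *acct, const char *const *attempts,
          size_t n_attempts, size_t max_tries)
{
    for (size_t i = 0; i < n_attempts && i < max_tries; i++)
        if (check_password(acct, attempts[i]) == AUTH_OK)
            return 1;
    return 0;
}

int main(void)
{
    const struct account root = { "root", NULL, 0 }; /* disabled account */
    const char *const tries[] = { "", "", "" };      /* Return pressed 3 times */
    printf("root login granted: %d\n", login(&root, tries, 3, 3));
    return 0;
}
```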
|
|
It takes two to tango.
|
|
|
|
|
|
|
Tango isn't an Apple OS. Did you Google it?
|
|
|
Not an OS, but it takes two to use it. https://itunes.apple.com/us/app/tango-video-call-cha...
|
|
|
> If other people have access to your computer
Is the important bit (as you know)...
Also, the issue isn't really the absence of a root password per se, since root is not enabled by default on MacOS (and never has been), but that it turns out it is trivially easy to enable it. I suspect Apple made the (obviously erroneous) assumption that only people who knew what they were doing would know how to enable root. So although the workaround is to add a password, that isn't the fix because it should be (but isn't) moot for most users.
This (if I have read correctly - was in a bit of a rush) was found looking for a solution to a different issue - how to reinstate an admin (non-root) account that has been accidentally de-admined.
|
|
|
I'm not convinced that this is a big deal. If you have physical access to an OS X machine you can start it in single user mode and have root access that way. The same is true of most UNIX based systems - with physical access you can easily get root access.
The exception being if the hard disk is encrypted; most systems will then require a password to access it. In that case, even booting with another OS and accessing the disk that way won't work.
|
|
|
I must admit I'd forgotten that root has to be specifically enabled... I've never needed it.
I've always managed with sudo, and (not being particularly proficient at a Unix prompt) I'm very wary even of that
It's a bit ironic that they missed this one but (in Sierra) removed ftp because it was insecure...
|
|
|
Pretty much. An unencrypted system is vulnerable. More at 10.
|
|
|
Fixed.
Available in the App Store, no re-start required.
|
|
|
It didn't take long for Apple to patch that nasty macOS High Sierra flaw that let intruders gain full administrator access (aka root) on your system. The company has released Security Update 2017-001, which should prevent people from gaining control over a Mac just by putting "root" in the username and hitting the Return key a few times. Needless to say, you'll want to apply this fix as soon as you can if you're running Apple's latest desktop OS.
If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.
Edited by micksharpe (Wed 29-Nov-17 17:35:10)
|
|
|
> If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.
An alternative interpretation is that MS security is [censored]
It's the first security-only update this year but there have been several general OS updates in 2017. I can't remember if any included security updates as well, they probably did. I can't tell from the update history.
eta- iirc the update from 10.13 to 10.13.1 included the KRACK update, for example.
Edited by billford (Wed 29-Nov-17 17:57:18)
|
|
|
> An alternative interpretation is that MS security is [censored]
|
|
|
High Sierra is relatively recent.
Contrary to popular belief, security updates are - IMO - a good thing.
Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222
|
|
|
An explanation here of exactly what went wrong: http://www.theregister.co.uk/2017/11/29/apple_macos_...
I have to revise my opinion - this was a bug in the OS, not just a misconfiguration of the defaults.
|
|
|
> If this is the first security update that Apple have issued this year, macOS must be really secure. Microsoft keep issuing them all the time.
I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!
> Fortunately, Apple issue quite a few security updates. https://support.apple.com/en-gb/HT201222
From TM's Link:- for iOS-11 (which was initially released at the end of September), there have ALREADY been 6 Security Updates!!
Not quite up to Microsoft's "Every-Week", but nearly!!
|
|
|
> I don't know about macOS, but Apple are obviously responsible for iOS (I have an iPad-Air)!!
All companies get it wrong periodically... OS X Snow Leopard was great, Lion was less highly regarded, Mountain Lion wasn't bad, Mavericks had its problems I believe, ditto Yosemite (I skipped those two), Sierra seemed OK, I'm not convinced about High Sierra.
Similar for Windows- the upgrade from XP to Vista wasn't universally recommended... that's about when I switched to Macs so can't comment on later versions. Even back in the days of DOS, there was a tendency to skip the even-numbered versions
IOS 11 seems to be another victim of this trait... I've stayed on IOS 10, I'll see what 12 looks like
|
|
|
> Even back in the days of DOS, there was a tendency to skip the even-numbered versions
And we all know Microsoft decided to skip the odd number and go straight from 8 to 10.
|
|
|
More likely it was the same reason that there is unlikely to be a Windows 13. And, considering that Windows 7 was one of the most successful versions, I doubt the odd-number explanation.
|
|
|
|
They might have just been trying to catch up with Apple - now both MacOS and Windows are at version 10.
|
|
|
> now both MacOS and Windows are at version 10.
And MacOS is at sub-version 13
|
|
|
Seems the bug fix may have a bug... Link
Maybe they should have gone straight from 10.12 to 10.14
|
|
|
|
Americans are usually very superstitious about 13. Maybe because it is 10.13 they thought they would be ok?
|
|
|
> Americans are usually very superstitious about 13. Maybe because it is 10.13 they thought they would be ok?
Who knows how American minds work, especially Californian ones?
The problem definitely isn't universal- I can connect to shares OK here, although I haven't tried all possible combinations of all machines (and nor do I intend to!).
|
|
|
That's nothing!
Windows is on sub-version 1703 (or 1709 for cutting-edge users).
|
|
|
> Windows is on sub-version 1703 (or 1709 for cutting-edge users).
Are those "genuine" sub-versions or build numbers?
I'm currently on MacOS 10.13.1, build number 17B1002. The 17B suggests that the numbering system may have started with MacOS 1, whatever that was
|
|
|
The current build number is 15063.729.
|
|
|
> The current build number is 15063.729.
Thanks, that's even more cryptic than my MacOS build number
I've been doing a bit of googling and came across this: "Windows 10 Will Be the Last Major Microsoft OS Release". I hadn't realised MS were going down that route... so (probably) no Windows 11 and (it wouldn't surprise me) no MacOS 11 either.
Just a series of point releases... should be a good thing. More "evolutionary" and less apps being broken by major OS updates if nothing else!
|
|
|
|
It's primarily because MS will move to a subscription/cloud service - so you won't see update numbers but it will keep changing. Even if they no longer have major versions they could still have major changes.
|
|
|
> Just a series of point releases... should be a good thing. More "evolutionary" and less apps being broken by major OS updates if nothing else!
Can't really comment on Apple's releases but, generally, I disagree!!
A major release can be annoying but, when it occurs, you can go through it all & make sure that your Options/Settings are as you wish them to be. Also, if anything outlandish is introduced, there becomes such an outcry that it is soon shelved!
With this "Drip-Feed" approach to updates, various Options/Settings can be subtly changed (or even over-written) without you being aware of them!! Also you no longer get the same level of outcries objecting to outlandish changes!
Didn't I read something, on another Forum, where it was asserted that Microsoft routinely checks if Remote-Telemetry has been disabled &, if it has, it then re-enables it via the "routine" Security Updates??
|
|
|
>> Windows is on sub-version 1703 (or 1709 for cutting-edge users).
> Are those "genuine" sub-versions or build numbers?
The Microsoft version numbers are when the major releases are produced: March 2017 (1703) / Sep 2017 (1709)
Next year's are likely to be 1803 and 1809
ISP's:
Zen: 6mb down - .7mb up
JohnLewis BB: Cancelled
Stechford (CMSTE) Cab 50 - FTTC doing Design, live due by Oct 2018 - Phase CEO Escalation 19a - Huawei (Info from Codelook)
BCC Planning Portal Ref: 2017/09636/PA
|