A nasty bug was found in macOS 10.13 High Sierra \u2014 it was possible to cause the root account to become enabled, and to do so with a blank password.<\/p>\n
To trigger this bug all you had to do was go into the control panel, click the padlock to un-lock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but, the root account would have been made active. Hit enter again, and <\/p>\n By default this bug requires physical access, but if you enabled screen sharing it can be triggered remotely. Also, if you enable SSH then once the bug has been triggered anyone can get command-line Another default setting that compounded this bug was guest access \u2014 you can trigger this bug from the guest account!<\/p>\n When the news broke, Apple were very quick to fix the bug, so, initially, Apple looked to have responded very promptly, but, alas, reporters soon found mentions of the bug in the Apple support forums from weeks back. Personally, I think that should have triggered alarm bells within Apple, and this should have been fixed before it became major news.<\/p>\n Once the news broke Apple responded very quickly, and for only the second time ever, they used their ability to automatically push updates to users automatically. This meant that without any user action, most affected Macs were quickly patched.<\/p>\n That patch was not without some issues though.<\/p>\n Firstly, the current version of High Sierra at the time the news broke was 10.13.1 (and this bug only ever affected High Sierra, never older versions of the OS). If a user was running 10.13.0 when the automated update was applied, and if they then updated to 10.13.1, their computers became vulnerable again! However, just a few days after the quick-fix Apple released 10.13.2, and that has the fix baked in, so if you’re not sure whether or not you are safe, all you have to do is be sure you’re on macOS 10.13.2 or later.<\/p>\n Secondly, the quick-fix broke some sharing features. Apple released a support document with instructions for fixing that issue though, and, the issue was also fixed by 10.13.2.<\/p>\n All in all this was a very embarrassing bug for Apple. To their credit they did apologise, and, they announced that they will be auditing their security practices. I would have liked more detail, but that may come later.<\/p>\n One of the cool features in HomeKit is that you can share access to your devices with others, presumably friends and family.<\/p>\n If you use this feature, and if you upgraded to iOS 11, then your HomeKit devices could have been accessed by anyone, not just the people you intended to share access with. When you bear in mind that there are HomeKit enabled smart door locks and cameras, that starts to sound like a very serious issue indeed!<\/p>\n Thankfully this problem was responsibly disclosed to Apple, to took action to protect users before the researchers published their findings.<\/p>\n Apple’s initial quick-fix was done on the back-end, so no action was needed by users. A part of that quick-fix was the disabling of some sharing functionality, which seems like a perfectly reasonable trade-off.<\/p>\n Apple have promised a full fix, and restoration of the disabled services next week, so keep an eye out for an iOS update if you’re affected by this temporary loss of functionality.<\/p>\n If you back up your iOS devices via iTunes, and if you encrypt those backups, then, and only then, are you affected by a subtle change that Apple made to how those backups are encrypted. The change was made as part of the iOS 11 update.<\/p>\n Previously, iTunes backups were encrypted with a completely stand-alone password, and if you lost that password, your backup could never be decrypted.<\/p>\n What has changed is that there are now two ways to decrypt encrypted iTunes backups \u2014 the stand-alone password as before, and, via the iOS device itself assuming you have the devices pass code.<\/p>\n Security Medium 1 \u2014 macOS High Sierra Root Bug A nasty bug was found in macOS 10.13 High Sierra \u2014 it was possible to cause the root account to become enabled, and to do so with a blank password. To trigger this bug all you had to do was go into the control panel, click […]<\/p>\n","protected":false},"author":4,"featured_media":13191,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[776,2031,126,2033,1104,114,2032,50,569,13],"class_list":["post-13724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-encryption","tag-high-sierra","tag-ios","tag-ios-backup-encryption","tag-macos","tag-privacy","tag-root","tag-security","tag-security-bits","tag-windows"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2017\/10\/security_bits_logo_300px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=13724"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13724\/revisions"}],"predecessor-version":[{"id":13726,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13724\/revisions\/13726"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/13191"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=13724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=13724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=13724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}root<\/code> with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, anything you can get full terminal access as root<\/code>.<\/p>\nroot<\/code> access remote.<\/p>\nLinks<\/h4>\n
\n
Security Medium 2 \u2014 Apple fix HomeKit Sharing Bug in iOS 11<\/h3>\n
Links<\/h4>\n
\n
Security Medium 3 \u2014 A Subtle Change in iOS Backup Encryption<\/h3>\n
Links<\/h4>\n
\n
Notable Security Updates<\/h3>\n
\n
\n
\n
Notable News<\/h3>\n
\n
Suggested Reading<\/h3>\n
\n
\n
\n
\n
\n
\n
Palate Cleansers<\/h3>\n
\n