Apple macOS High Sierra Security Flaw: Highlighting A Gap In Enterprise Security


"The latest of those bugs to emerge is about as serious as it gets too; the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to".

He went on to say: "You can access it via System Preferences > Users & Groups > Click the lock to make changes".

Security experts are still going over the bug, but it can be exploited remotely if, for instance, screen sharing is enabled on the Mac. The threat does not come from hackers sitting behind a virtual curtain, but from those who can physically gain access to your unattended Mac.

"This is a very surprising bug that evaded the quality control on MacOS High Sierra. Are you aware of it @Apple?" From the login screen, click "other" next to the main user's account, then enter "root" as the username and leave the password field blank. In short, it is a serious threat to owners of Macs until the problem has been resolved. Many security researchers said this was a glaring oversight that Apple should have caught, particularly given its reputation for high standards and (rightfully or not) for better security than PCs. Anyone can log in as "root" with an empty password after clicking the login button several times.

Update Wednesday, Nov. 29: Apple has released an update to fix this issue. In a statement to Fortune on Tuesday afternoon, an Apple spokesperson said the company was working on a software update to address the flaw. And that's besides leaving your Mac unattended. To enable the Root User and set a password, please follow the instructions here. Click Login Options, then click Join (or Edit).

Ergin then found that if you pressed "Enter" a number of times, it would automatically log you in, giving you completely unrestricted access to the machine as well as administrator privileges.

It can reportedly be exploited on an unlocked Mac, bypassing security settings and allowing things such as FileVault encryption and the firewall to be turned off.
