Apple is reported to have released an urgent software update on Wednesday, days after Turkish developer Lemi Ergin publicly reported a simple but serious bug in its Mac operating system, macOS.
MacOS High Sierra Affected
The bug was discovered in the most recent version of macOS High Sierra (10.13.1). It has been reported that typing the username “root” into a macOS authentication prompt (for example the unlock dialog in System Preferences), leaving the password field blank and pressing Enter or clicking Unlock more than once grants the user full root (superuser) privileges on the computer, a level of access above that of an ordinary administrator account. Researchers who examined the flaw found that the first attempt fails but silently enables the root account with an empty password, which is why the second attempt succeeds.
Troubleshooting Feature / Serious Threat
Even though Ergin is credited with finding the bug (and has faced criticism for going public about it), it was reportedly mentioned on an Apple support forum more than two weeks earlier, where it was presented as a handy troubleshooting trick rather than recognised as a serious security flaw.
What Could An Attacker Do?
Anyone who gained root access through the flaw could read and change the files of every user on the computer, and as superuser could delete crucial files, install malware, create further accounts or set their own root password to keep access. Because the bug leaves the root account enabled with an empty password, the computer stays exposed after the person walks away, until a root password is set or the patch is applied.
Can’t (Typically) Be Done Remotely
Exploiting the bug requires a macOS authentication dialog, so in most cases a person would need to be at the computer, either at its login screen or in front of an unlocked session with System Preferences open; it is not a remote exploit in itself. If, however, the computer has been made reachable for remote desktop access, for example with Screen Sharing or Remote Management enabled for tech support, the same dialogs can be driven over the network and the bug could be exploited that way.
A malicious attack or breach from within a company by a person with physical access to computers is a real possibility for businesses and organisations. For example, where ‘malicious’ insider threats are concerned, research (Egress) shows that 24% of workers have purposely shared information with competitors, new or previous employers, or other entities. Insider leaks, breaches and other threats can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers and damage to their brands.
Other security experts and commentators were quick to criticise Mr Ergin for apparently not following the responsible disclosure practice typically observed by security professionals, i.e. notifying Apple of the flaw privately first and giving it a reasonable amount of time to fix it before going public.
Patch Released On Wednesday
It has been reported that Apple released an urgent, automatic software update on Wednesday to fix the bug. Prior to this, Apple had offered users a temporary workaround.
What Does This Mean For Your Business?
If your business has Apple Macs running macOS High Sierra, you may already have applied the workaround, which is to enable the root user and give it a strong password (not to disable it: the bug is triggered precisely when root has no password set). Instructions for the workaround can be found on the Apple support site here: https://support.apple.com/en-us/HT204012 . After several days of work on the problem, Apple finally released an automatic software update (Security Update 2017-001) on Wednesday. It is worth confirming that the update has actually been installed on every Mac rather than assuming the automatic push reached them all.
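The check an administrator would run on each Mac, as an added example that is not from the article or from Apple: it classifies the state of the local root account from the output of `dscl . -read /Users/root Password` and shows the pre-patch workaround of giving root a real password. It assumes that a disabled root account prints "Password: *" and that an account with a password hash (one you set, or the empty one the bug leaves behind) prints "Password: ********"; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: report whether the local
# root account is in the disabled (no password) state that the blank-password
# bug abuses, and show the pre-patch workaround of giving root a real password.
# Assumption: `dscl . -read /Users/root Password` prints "Password: *" when root
# is disabled and "Password: ********" once a password hash exists (either one
# an admin set, or the empty one the bug leaves behind).

# Classify the dscl output passed in $1; the text is taken as an argument so
# the parser can be exercised on constructed samples on any system.
root_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password: //p')
    case "$value" in
        '*')        echo disabled ;;   # no hash at all: the state the bug abuses on 10.13.1
        '********') echo enabled ;;    # a hash exists; confirm it is one you set
        *)          echo unknown ;;    # "No such key" or unexpected output
    esac
}

# Run the real query on a Mac and return the verdict.
check_root() {
    root_state "$(dscl . -read /Users/root Password 2>&1)"
}

# Workaround Apple offered before the patch: keep root enabled with a strong
# password so the blank-password path is never taken. Prompts interactively.
harden_root() {
    sudo passwd root
}

# Only query the directory service where dscl exists (i.e. on macOS).
if command -v dscl >/dev/null 2>&1; then
    state=$(check_root)
    echo "root account: $state"
    case "$state" in
        disabled) echo "unpatched High Sierra hosts in this state are exposed; run: sudo passwd root" ;;
        enabled)  echo "root has a password hash; if you did not set one, the bug may already have fired: run sudo passwd root" ;;
    esac
fi
```

Note that the `enabled` verdict cannot distinguish a password you set from the empty one the bug installs, so on an unpatched machine treat an unexpected hash as a sign the account has already been abused and set a password anyway.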
Only last month Apple released a supplemental update for MacOS High Sierra which incorporated various bug fixes for Macs.
This story illustrates how new software and operating systems are often released with bugs in them, many of which are discovered by security researchers, but it is worrying that users were left exposed to a fairly serious threat by what is a simple (some would say embarrassing) fault in something as basic as password checking.