High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net) 30
John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
I don't get why
Wow, now that's one heck of a security feature. I'll bet somebody did this on purpose...
Did somebody's head roll over there at Apple? This should have been an obvious "feature" in the code change that should have been caught by development in a peer review of the code, should have been caught by the test team as an untested new feature, or should have been caught by the build team as an unverified change.
A bunch of folks should be reprimanded for this slipping though.. Do your jobs people!
You are sitting at the computer with physical access, what is the big deal? Does it matter if you have a root password or not?
Well, a little. It lowers the attack requirements from 10 minutes with extra equipment to 10 seconds and your bare hands.
No. If you have physical access to a Mac, it is trivial to reboot it into single user (ie root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you login with the root password in single user mode. (Or didn't last time I tried.)
What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.
Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.
Yes. Apple has what they call FileVault [apple.com] that does whole-disk encryption (minus a boot volume, I think.)
If FileVault is used, Single User Mode as mentioned above requires login credentials.
As part of yesterdays article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue, that just somehow failed to get into the right hands. [citation] [slashdot.org]
I think it is mainly a failure in management, then with Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.
Fire all the testers! Let's be Agile and do DevOps (Score:2)
You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.
Employees that are paid better are harder to bribe. That's not a new thing.
Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.
Apple is paying more attention to Slashdot press than their own support forums?
It's amazing how the empirical evidence on hand belies the essence of your statement as much as your little tantrum exposes the part about it that you can't admit to yourself.
What company cares about their free support forums? Hell even most github project owners won't spend any time on answering question.
Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...
How so? Well, in the provided link you see several stories of people using this login bug to restore accounts, that would have been harder to restore otherwise.
Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.
Meanwhile are there any stories of macs actually compromised by this bug? I haven't seen any.
You can bet that any Macs seized by the likes of the FBI won't have had the security patch applied....
It's the most obvious thing (Score:2)
that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.
If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root [objective-see.com]