Apple is reported to be urgently working on a software update after Turkish developer Lemi Ergin publicly reported a simple but serious bug in its Mac Operating System.
MacOS High Sierra Affected
The bug was discovered in the most recent version of MacOS High Sierra. It has been reported that, by entering the username “root”, leaving the password field blank, and pressing the enter key several times, a user is granted unrestricted access to powerful administrator rights on the computer.
Troubleshooting Feature / Serious Threat
Even though Ergin is credited with finding the bug (and has faced criticism for going public about it), it is reported to have actually been mentioned on an Apple support forum more than two weeks ago as a possible useful feature for troubleshooting rather than as a serious security threat.
What Can Be Done?
If a person were to access a computer using the flaw they could potentially read and change the files of other users on the same computer, or as superuser they could delete crucial files or install malware.
Can’t (Typically) Be Done Remotely
The fact that the enter key has to be hit several times means that a person would really need physical access to the computer in order to exploit the bug. If, however, a person has been granted remote access to the computer, e.g. for tech support, the bug could technically be exploited that way.
Insider Threat?
A malicious attack or breach from within a company by a person with physical access to computers is a real possibility for businesses and organisations. For example, where ‘malicious’ insider threats are concerned, research (Egress) shows that 24% of workers have purposely shared information with competitors, new and previous employers, and other entities. Insider leaks, breaches, and other threats can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers, and damage to their brands.
Criticism
Other security experts and commentators have been quick to criticise Mr Ergin for apparently not following the responsible disclosure guidelines typically observed by security professionals, i.e. notifying Apple of the flaw first and giving it a reasonable amount of time to fix it before going public.
Patch On The Way
It has been reported that Apple is working on a software update / fix for the bug, and in the meantime, Apple has offered users a temporary workaround.
What Does This Mean For Your Business?
If your business has Apple Macs with MacOS High Sierra, and if you are too worried to wait for the patch, the workaround is to set a password for the root user account. Instructions for the workaround can be found on the Apple support site here: https://support.apple.com/en-us/HT204012
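Administrators who apply the workaround across several Macs usually want a quick way to confirm the state of the root account afterwards. The following shell snippet is an added example, not code from the article or from Apple: it classifies the output of the macOS command `dscl . -read /Users/root AuthenticationAuthority` as "disabled" (no authentication authority set, the shipping default), "enabled" (a password hash authority is present, which is what applying the workaround produces) or "unknown". The two exact output strings it matches on are assumptions about the dscl output format; the two sample outputs embedded in the script are constructed, not captured from a real machine. On a machine where nobody has deliberately enabled root, an "enabled" result is worth investigating.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): classify the state of
# the macOS root account from the output of
#   dscl . -read /Users/root AuthenticationAuthority
#
# Assumed output formats (an assumption, not taken from the article):
#   root disabled -> "No such key: AuthenticationAuthority"
#   root enabled  -> "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>"

# classify_root_auth DSCL_OUTPUT
# Prints one of: disabled | enabled | unknown
classify_root_auth() {
    case "$1" in
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        *"AuthenticationAuthority:"*ShadowHash*)   echo enabled ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed sample outputs used when the script is not run on a Mac.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# check_root_account: run the real query on macOS, otherwise fall back to the
# constructed samples so the script can be exercised anywhere.
check_root_account() {
    if [ "$(uname)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
        classify_root_auth "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
    else
        echo "not running on macOS; classifying constructed samples instead" >&2
        echo "sample (disabled): $(classify_root_auth "$SAMPLE_DISABLED")"
        echo "sample (enabled):  $(classify_root_auth "$SAMPLE_ENABLED")"
    fi
}

check_root_account
```

Run it as an administrator on each Mac after applying the workaround; "enabled" is the expected result once a root password has been set, and "unknown" means the dscl output did not match either assumed format and should be read by hand.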
Only last month Apple released a supplemental update for MacOS High Sierra which incorporated various bug fixes for Macs.
This story illustrates how new software and operating systems are often released with bugs in them, many of which are discovered by security researchers. It is worrying, however, that in this case users have been left vulnerable to fairly serious threats by what is a simple (some would say embarrassing) fault.