Big Apple Flaw Allows Root Access to Macs without Password

Vulnerability affects machines running the High Sierra operating system.

Mac users and administrators need to be on the lookout for compromised machines after a security researcher disclosed late yesterday a major flaw in Apple’s macOS High Sierra that allows password-less login to the root account. Publicly disclosed by software engineer Lemi Orhan Ergin via Twitter, the flaw lets anyone with physical access to the machine log in as “root” by entering that username and leaving the password field empty in a System Preferences unlock dialog.
This could be particularly thorny for enterprise environments where users might walk away from their machines, leaving them unattended, says John Bambenek, threat research manager for Fidelis Cybersecurity.
“Most times when people are outside corporate environments, they’re either using their laptops or they’re in their bag with them,” he says. “In the corporate environment, you leave your stuff at your desk; insiders could easily start enabling local administrator accounts that they could then use to bypass local access controls on the endpoint.”
According to Mike Buckbee, security engineer for Varonis, this flaw provides another reminder that physical access to a machine is still one of the biggest threats to that machine.
“If left for just a few moments in the wrong hands, your device could easily be compromised,” he says.
Bambenek says the flaw could also be exploited on stolen laptops and that, even though nothing has been found in the wild yet, it could potentially fuel phishing campaigns.
“It’s possible to script and create a working exploit to put into a phishing email or a browser-based lure. I don’t think anyone has fully operationalized this maliciously in the wild yet, but if that did start happening, cleanup becomes more important,” he says. “People will click on dumb things and Mac users have an artificial sense of security.”
Early reports indicate that the issue arose because the operating system mishandles a very specific error condition; if that holds, Bambenek believes Apple will be able to ship a patch fairly quickly. In the interim, Apple has published a guide for users to work around the problem and mitigate the threat by enabling the root user and giving it a real password. Once the patch is applied, the trick will be figuring out which machines have had their root accounts tampered with maliciously.
“Fixing the code seems pretty straightforward, but the cleanup part is hard,” he says. “It’s figuring out what to do with all the machines that may have these accounts created. You can’t reset the passwords because somebody might legitimately have set the root password.”
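The triage problem Bambenek describes, as an added example that is not from the article or from Apple: a small shell script that decides whether a High Sierra host has a root account left in the state this flaw produces (enabled, with an empty password) versus one an administrator enabled deliberately, and points at the published workaround of setting a root password. It assumes two things about the `dscl` tool, labelled as assumptions in the comments: that `dscl . -read /Users/root AuthenticationAuthority` prints an `AuthenticationAuthority:` line only when root is enabled, and that `dscl . -authonly root ""` succeeds only when root's password is empty. The sample `dscl` outputs in the script are constructed so the classification runs offline; the live checks run only on macOS and only when the script is invoked with `--check`.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code): triage a macOS High Sierra
# host for a root account enabled by the empty-password flaw.
#
# Assumptions about dscl behaviour (labelled as such):
#  - `dscl . -read /Users/root AuthenticationAuthority` prints a line beginning
#    "AuthenticationAuthority:" when root is enabled, and "No such key: ..."
#    when it is disabled.
#  - `dscl . -authonly root ""` exits 0 only if root's password is empty,
#    which is the state the flaw leaves behind.

# classify_root_state: reads dscl -read output on stdin and prints
# "enabled" or "disabled".
classify_root_state() {
    if grep -q '^AuthenticationAuthority:'; then
        echo enabled
    else
        echo disabled
    fi
}

# triage_verdict: combines the two observations into a one-word verdict.
#   $1 = enabled|disabled (root account)   $2 = empty|nonempty (root password)
triage_verdict() {
    case "$1,$2" in
        disabled,*)       echo clean ;;      # root never enabled on this host
        enabled,empty)    echo tampered ;;   # the flaw's signature: root on, no password
        enabled,nonempty) echo review ;;     # someone set a root password; confirm it was an admin
        *)                echo unknown ;;
    esac
}

# check_host: runs the live commands (macOS only) and prints the verdict.
check_host() {
    auth_out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    state=$(printf '%s\n' "$auth_out" | classify_root_state)
    pw=nonempty
    if [ "$state" = enabled ] && dscl . -authonly root "" >/dev/null 2>&1; then
        pw=empty
    fi
    verdict=$(triage_verdict "$state" "$pw")
    echo "root account: $state, password: $pw -> $verdict"
    if [ "$verdict" = tampered ]; then
        # Apple's published workaround: give root a non-empty password.
        # passwd prompts interactively, so it is suggested rather than run here.
        echo "Mitigate now with: sudo passwd root"
    fi
}

# Constructed sample outputs (not captured from a real host), used to exercise
# the classifier offline.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.0000000000000000000000000000000000000000;LKDC:SHA1.0000000000000000000000000000000000000000'

# Only touch the live directory on macOS and when explicitly asked.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = --check ]; then
    check_host
fi
```

A `review` verdict is exactly the hard case the article describes: the host has a root password, but nothing on the machine says whether an administrator or an intruder set it, so it has to be reconciled against whatever record the organisation keeps of deliberately enabled root accounts.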