Apple closes that big root hole – Install this update as soon as possible

Yesterday we wrote about a publicly-disclosed problem in Apple’s macOS 10.13, better known as High Sierra.
For reasons that aren’t yet clear, you could trick macOS into letting you authenticate as root – the all-powerful system administration account that you aren’t even supposed to use – with a password of…
…nothing. Blank. Empty. Just press [Enter].
Even though you couldn’t exploit this hole remotely, at least by default, it was an astonishing lapse by Apple.
At first, the Twitter user who publicised this flaw was criticised by some people, who considered his tweet to be “irresponsible disclosure”, because it told the world about a problem that it might have been better to tell Apple about privately first so the hole could be closed and then announced.
But others soon realised that this was not a brand new discovery – indeed, it had been discussed more than two weeks ago on Apple’s own support forum.
Apple’s official policy of saying nothing about security issues until a fix is out meant that there wasn’t much to go on once the news broke, except to assume that the company was frantically coding up a fix…
…and, fortunately, that turns out to have been true.
Apple just published HT208315, entitled Security Update 2017-001, patching this very hole.
There isn’t anything in the way of detail in the security bulletin, just a deadpan remark that says:
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
Some logic error! Some improvement!
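Apple’s bulletin says nothing about what the logic error actually was, so the following is an added illustration, not Apple’s code: a constructed stand-in for the general class of “fail-open” credential check in which an account with no password set never reaches the reject branch, placed beside a version that fails closed. The user names, salt and hashes are made up for the example.

```python
"""Fail-open versus fail-closed credential validation.

Added example for this article. It is NOT Apple's code: HT208315 only
says "a logic error existed in the validation of credentials", so the
bug below is a constructed stand-in for that class of mistake, not a
description of what happened inside macOS.
"""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (100k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database. The "root" record deliberately has no
# credential stored, mirroring a disabled administrative account.
_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
USER_DB = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash("correct horse", _SALT_ALICE)},
    "root": {"salt": b"", "hash": b""},  # no password set: account disabled
}


def authenticate_fail_open(user: str, password: str) -> bool:
    """Buggy validator: rejects only when a stored hash exists AND mismatches.

    An account with an empty stored hash never enters the reject branch,
    so any supplied password, including the empty string, is accepted.
    """
    record = USER_DB.get(user)
    if record is None:
        return False
    stored = record["hash"]
    if stored and _hash(password, record["salt"]) != stored:
        return False
    return True  # reached for accounts with no credential set


def authenticate_fail_closed(user: str, password: str) -> bool:
    """Hardened validator: the only path to True is a verified match.

    Unknown accounts, accounts with no credential set, and empty supplied
    passwords all fail; the hash comparison is constant-time.
    """
    record = USER_DB.get(user)
    if record is None or not record["hash"] or not password:
        return False
    candidate = _hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print("fail-open   root/'' :", authenticate_fail_open("root", ""))
    print("fail-closed root/'' :", authenticate_fail_closed("root", ""))
```

The defensive point is the shape of the two functions: the hardened version has a single `return True` that can only be reached after a successful comparison, so a missing or empty stored credential cannot fall through to success.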
This is the first time we’ve seen the App Store tagging an update as bluntly as this:
Install this update as soon as possible.
No by your leave or if you please – just a simple and unambiguous imperative: install this update.
We agree, and while we’re about it, well done to Apple for acting fast.
Maybe the “irresponsible disclosure” served its purpose after all?
Note. To get the update or to check if it’s already installed, go to the Apple Menu (top left hand corner of the screen) and choose About This Mac, press the [Software Update…] button and then click on the Updates icon on the top of the App Store window that appears. (That’s the window you can see in the screenshot above.)