Apple closes that big root hole – Install this update as soon as possible

Yesterday we wrote about a publicly-disclosed problem in Apple’s macOS 10.13, better known as High Sierra.
For reasons that aren’t yet clear, you could trick macOS into letting you authenticate as root – the all-powerful system administration account that you aren’t even supposed to use – with a password of…
…nothing. Blank. Empty. Just press [Enter].
Even though you couldn’t exploit this hole remotely, at least by default, it was an astonishing lapse by Apple.
At first, the Twitter user who publicised this flaw was criticised by some people, who considered his tweet to be “irresponsible disclosure”, because it told the world about a problem that it might have been better to tell Apple about privately first so the hole could be closed and then announced.
But others soon realised that this was not a brand new discovery – indeed, it had been discussed more than two weeks ago on Apple’s own support forum.
Apple’s official policy of saying nothing about security issues until a fix is out meant that there wasn’t much to go on once the news broke, except to assume that the company was frantically coding up a fix…
…and, fortunately, that turns out to have been true.
Apple just published HT208315, entitled Security Update 2017-001, patching this very hole.
There isn’t anything in the way of detail in the security bulletin, just a deadpan remark that says:
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
Some logic error! Some improvement!
This is the first time we’ve seen the App Store tagging an update as bluntly as this:
Install this update as soon as possible.
No by your leave or if you please – just a simple and unambiguous imperative: install this update.
We agree, and while we’re about it, well done to Apple for acting fast.
Maybe the “irresponsible disclosure” served its purpose after all?
Note. To get the update or to check if it’s already installed, go to the Apple Menu (top left hand corner of the screen) and choose About This Mac, press the [Software Update…] button and then click on the Updates icon on the top of the App Store window that appears. (That’s the window you can see in the screenshot above.)

