As regular readers of this missive will be fully aware, many of us around these parts are, to varying degrees of devotion, disciples of the sacred orchard that is Apple.
As with most faiths, this almost blind worship of the Church of Jobs (may he Rest In Peace) has to be tested to be meaningful; otherwise it would be fact, not belief, wouldn’t it? What is the point in that?
And so people, it has come to pass that the almighty ones have dropped what in biblical terms can only be called an almighty clanger.
It transpires that a feature (ok, it’s a bug) in the latest release of macOS High Sierra means that a user of a machine can simply enter the username ‘root’, which as you will know is the Unix superuser, with no password and be elevated to God-like status. Whoops.
News of this unacceptable oversight spread like wildfire and Apple released a patch within 24 hours, which is much faster than some prior fixes, which have been known to take closer to seven months.
Obviously this is a serious issue; however, there have been no reports, or any indication, that this vulnerability can be exploited remotely. Since it requires hands-on access to the device, it has to be considered in the same context as any other physical-security bypass, such as rebooting into single-user mode and changing access credentials.
Our advice is the usual – update your holy device. Be very careful should you leave any mobile device out of sight, obvs.
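For those who want to verify that the advice above has actually taken effect on a given Mac, here is a small audit script. It is an added example, not part of the original post: it checks whether the root account is still marked disabled in Directory Services and whether the installed build carries the fix. The `;DisabledUser;` tag in the root record and the fixed build numbers (17B1002 and later for 10.13.1) are assumptions from memory, so confirm them against Apple's release notes before relying on the result.

```shell
#!/bin/sh
# Added example: audit a High Sierra Mac for the empty-password root login.
# Two checks a defender would run after applying Security Update 2017-001:
#   1. root still disabled?   (dscl . -read /Users/root AuthenticationAuthority)
#   2. build patched?         (sw_vers -buildVersion)
# ASSUMPTIONS (verify locally): a disabled root record carries the tag
# ";DisabledUser;", and fixed 10.13.1 builds are 17B1002 and above.

# root_disabled_from_record RECORD_TEXT
#   RECORD_TEXT is the output of the dscl command above.
#   Returns 0 when the record carries the ;DisabledUser; tag, else 1.
root_disabled_from_record() {
  case "$1" in
    *';DisabledUser;'*) return 0 ;;
    *)                  return 1 ;;
  esac
}

# build_patched BUILD
#   Returns 0 for an assumed-fixed 10.13.1 build (17B1002+), 1 for an
#   older 17B build (e.g. 17B48, the vulnerable release), 2 if the build
#   is not a 17B build and the script cannot judge it.
build_patched() {
  case "$1" in
    17B*) ;;
    *)    return 2 ;;
  esac
  num=${1#17B}
  case "$num" in
    ''|*[!0-9]*) return 2 ;;
  esac
  [ "$num" -ge 1002 ]
}

# audit_live: run both checks on this machine; skipped off macOS.
audit_live() {
  command -v dscl >/dev/null 2>&1 || { echo "not macOS; live audit skipped"; return 0; }
  rec=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
  build=$(sw_vers -buildVersion)
  root_disabled_from_record "$rec" && echo "root: disabled" || echo "root: ENABLED - investigate"
  if build_patched "$build"; then echo "build $build: patched"
  elif [ $? -eq 1 ]; then echo "build $build: VULNERABLE - update now"
  else echo "build $build: not a 10.13.1 build; check Apple's notes"; fi
}

audit_live
```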
In a more encouraging turn of events, this week saw the tables turned on ransomware scumbags by the shipping outfit Clarksons. Having been held to ransom by the people who compete with recruitment ‘professionals’ to occupy the filth-ridden depths, Clarksons confessed all publicly and are working with the police to investigate the incident.
We have always been advocates for a planned response to breaches. This has been handled superbly by the management of Clarksons. Hats off to them.
If you would like to know more about the Apple vulnerability, simply try the username root with no password. If that doesn’t work and you would like to talk about information security, please contact us at: [email protected] or call 0207 517 3900.
P.S. If you hear a cackling noise over the next few days it will be Messrs Gates, Allen and Ballmer crying with laughter.
Could this be a public-relations-friendly way of giving the US feds what they want in terms of an all-access pass to locked devices? I’m not an Apple fanboi, but can you selectively expose a device to ‘the magic update’, prevent the subsequent patch installation and take control of the root account?