Update: Apparently if you are running macOS 10.13 and apply the patch to fix the root problem and then upgrade to 10.13.1, that patch gets undone, so you have to reapply the patch. In addition, the patch does not take effect unless you reboot. Just another bit of the mess.
The Mac OS has generally been considered a secure operating system, but lately Apple has been trying to imitate their friends from Redmond and not in a good way.
The first MacOS bug found recently is a new bug. Linux and Unix administrator accounts are called ROOT, unlike Windows and other operating systems which call the account ADMIN or ADMINISTRATOR. Apparently in the current version of MacOS, High Sierra, if you entered the user name of ROOT with no password, you got an error message, but if you entered it a second time with no password, it let you in with full administrative permissions.
Initially, people thought that this exploit required that you have local access to the computer, but it turned out that if you had remote access turned on as many or most corporate computers do, the attack would work remotely as well.
Apparently the OS detected there was no ROOT account and created one with no password. The quick fix was to create a ROOT account with a complex password.
Apple quickly created a fix that was automatically and silently installed (I guess that is both good and bad), but that fix broke some other things and Apple had to release a fix to the fix. That second fix had to be manually installed and required some advanced gyrations on the part of the user.
The good news was that Apple was able to fix the bug quickly once they were told about it. The bad news is that if a user’s PC was compromised before the installed the patch – which statistically is possible but unlikely – then the only solution is to wipe the disk and start over.
But this was only the start of last month’s problems for Apple.
The second MacOS bug, which also granted users unlimited ROOT access had been around for at least a decade (sound like Windows again?), maybe two decades. or more.
The person who found it was neither a professional hacker nor a professional security researcher, but rather a self titled hobbyist. This means that other people (and not the well intentioned ones) could have known about it for 20 years or more.
The bug was in the IOHIDF family of software. This software has been a problem child in the past. The hobbyist who discovered it released a proof of concept for all of the hackers to follow at the same time he announced the bug.
As of 17 hours ago, Apple had yet to comment on it, but I assume that their engineers are busy working on how to fix it.
Right now it counts as an 0-day, and a nasty one. 0-days are bugs that were not (publicly) known about prior to the announcement. Except that in this case, it was probably known about by others, such as the Chinese, Russians or American spies and possibly exploited – maybe for many years.
For a while, Apple computers seemed to be immune to bugs. I don’t think that is necessarily because the software is super secure, but rather because it is a niche player with a small market share (less than 8 percent according to NetMarketShare). As other operating systems were attacked and started fixing bugs, MacOS became the next target of opportunity.
So, in this case, one bug is fixed, albeit a bit bumpily and the other is still open.
Happy New Year Mac users!
Information for this post came from CNet, The Guardian and BetaNews.