Geekzone: technology news, blogs, forums




754 posts

Ultimate Geek
+1 received by user: 202


Topic # 225660 29-Nov-2017 10:22

So it looks like a glaring and brutal flaw has been exposed in High Sierra which allows root access with a blank password.

https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

Anyone running High Sierra should address this ASAP to secure their Apple computer...

Someone will be getting fired for this one surely!





747 posts

Ultimate Geek
+1 received by user: 133

Trusted

  Reply # 1909392 29-Nov-2017 10:24

Just tried it on my MacBook. Works as intended.

FileVault should mitigate this partially if the machine is off, but still not good. I'd imagine actually setting a password on the root account would also solve this (but my work machine is still on 10.12 so can't confirm).





 


62 posts

Master Geek
+1 received by user: 19


  Reply # 1909393 29-Nov-2017 10:25

Yeah, this is a big one. Hopefully patched quickly.

Haven't upgraded to HS yet because the new file system doesn't support Fusion Drives yet.

Guess it's good I waited.


 
 
 
 


62 posts

Master Geek
+1 received by user: 19


  Reply # 1909394 29-Nov-2017 10:26

As a side note, does anyone know if this vulnerability can be exploited by an application? I think to be safe, I'd advise holding off installing or upgrading *anything* until it is patched.


62 posts

Master Geek
+1 received by user: 19


  Reply # 1909466 29-Nov-2017 11:53
One person supports this post

Just as a follow-up, some are recommending setting a 'root' password as an interim measure, although the argument is that this is actually less secure, as there should be no root account at all.

https://news.ycombinator.com/item?id=15800676

 

 

