A day after a developer revealed a root access flaw in macOS High Sierra version 10.13.1, Apple released an emergency patch, which it plans to push out today.
“This is absolutely a ‘drop everything and fix it' moment for Apple,” said Tim Erlin, vice president, product management and strategy, at Tripwire.
"While it's good that a patch is now available, it is an old way to approach the larger issue of network security. A patch, which may or may not be applied in a timely way, is reactive,” said Christopher Day, CSO at Cyxteria. “We need more proactive tools for protecting networks from illegitimate users.”
Noting that “authentication is not a binary action,” Day said, “credentials alone shouldn't be enough to gain network access.”
Developer Lemi Orhan Ergin's Tuesday reveal exposed the potentially dangerous flaw, which would allow just about anyone to take over a system and gain administrative rights. “This vulnerability requires no skill to exploit and provides complete access to the affected systems,” said Erlin.
But the security pro who discovered the bug caught some heat for the way the it was disclosed. “We noticed a *HUGE* security issue at MacOS High Sierra,” Ergin tweeted Tuesday, explaining that logging in was a simple as typing “root” in the name field while leaving the password field empty.
“Failing to follow responsible disclosure guidelines puts everyone at greater risk,” said Erlin. “Public disclosure like this, especially with a major vulnerability, ensures the widest possible distribution of the information among malicious attackers, and instills a sense of urgency to attack before a patch is available.”
Erlin said: “Organisations should step up monitoring of their Mac systems for root login activity as a mitigating control while they apply the recommended workaround.”
Craig Young, a Tripwire computer security researcher, noted that Apple has had a number of security issues. “Recent years have not been good for anyone relying on OS X for security. Already in 2017, researchers revealed flaws allowing an attacker to extract passwords from the keychain (CVE-2017-7150), from APFS encrypted volumes (CVE-2017-7149), and from WiFi captive portals (CVE-2017-7143),” he said. “In 2016, researchers also demonstrated the ability to discover FileVault 2 encryption passwords through a crafted Thunderbolt device (CVE-2016-7585) as well as some other password mishandling bugs (CVE-2016-4670 and CVE-2016-1851, for example). The OS X kernel's security model was also effectively broken last year when Google Project Zero researcher, Ian Beer, described a new class of OS X bug allowing dozens of vectors for privilege escalation.”
The company should “seriously re-evaluate how they perform quality assurance testing as there is really no excuse for releasing macOS with some of these blatant security failings,” said Young. “Looking at the history of macOS releases tells a pretty interesting story about the kind of quality coming out of Cupertino recently.”
For the last couple of years after Apple has released a major update for their operating system in September, the company “has had to follow-up the major release with a quick succession of fixes for issues detected after launch,” said Young. “In fact, this is the third year in a row where it looks like Apple will have three versions of their OS released before the end of the year. Some of these were because of buggy behaviour, while others were due to gaping security holes like revealing the actual password in a password hint field.”