Yesterday, like every day, all seemed well at the House of Apple. Servers were humming away at optimal capacity. A sophisticated suite of security products was keeping evil mustache-twirlers at bay. But suddenly, this massive redwood tree was jolted out of its clockwork perfection by a stray, humble root.
A trivial flaw with potentially devastating effects was unearthed by security researchers in macOS High Sierra (10.13): it allows users to gain admin rights to a system without a password. Here’s a quick primer on what the flaw is, the devastating effects it can have, and what you can do to curtail them.
The Bug Explained
On the High Sierra user login screen, if you click ‘Other’ instead of your designated account, the system asks you for authentication details. Here, just type ‘root’ in the username field, leave the password blank, and press enter. A prompt appears, which can be dismissed by clicking ‘Unlock’ a couple of times. And that’s it. The system will log you in with full admin rights.
And it’s not just the user login screen where this bug manifests itself. If you try changing the security and privacy settings with your newly gained root access, the authentication prompt that pops up can be taken care of using the same root/no password combination.
Another deadly permutation of this bug misuses Apple’s Screen Sharing feature. Screen Sharing is a collaboration option that lets Mac users remotely work on other Mac users’ systems, finding important uses in project management and IT administration. By exploiting the root access bug, users can log into the root accounts of other users’ Mac systems and potentially wreak havoc.
We tested the Screen Sharing misuse multiple times, and were always able to log into other systems’ root accounts. A sample video is given below:
Listing Potential Risks
So, what ramifications can this root access bug have on the personal and professional information of Mac users? A serious, sobering list of ramifications, it turns out.
Leaving your device unattended can lead to disaster: Since anyone using the root access bug can enter your system, you can potentially find your password changed, firewalls turned off, and a mountain of malware installed on your laptop by the time you return from that coffee break.
Taking your laptop to Starbucks won’t be much better: If you make the mistake of connecting to public wi-fi, any other Mac user can use Screen Sharing to log into your root account and cause all manner of mischief without you getting a single alert about it.
Many security response processes can now be bypassed: Malware and ransomware usually rely on vectors like emails and malicious websites and enter the target network only when a human is tricked into clicking those links. Consequently, many security response workflows focus on spotting these malicious vectors, monitoring disreputable IPs and URLs, and training employees on security awareness.
But using the root access bug can allow attackers to bypass the entire mail-and-website dance used to entice unsuspecting targets. Attackers can now directly install malicious executable files on your system and ring the death knell without a single alarm bell going off.
Temporary Plug For The Bug
Apple has already moved to publish a guide on short-term fixes to the problem. If you enable the root account yourself and set a password for it, the no-password bypass will no longer happen. Alternatively, you can also set a new password and disable your root account. In either case, a user-defined root password is needed.
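As an added example (this is neither Demisto’s RootProtector nor code from Apple’s guide), the following POSIX shell script reports whether the local root account already carries a user-defined password, which is the condition both of Apple’s short-term fixes establish. It assumes the three states can be told apart from the output of `dscl . -read /Users/root AuthenticationAuthority` (a missing key when no root password was ever set, a `;DisabledUser;` marker when the account was disabled after a password was set, and a `;ShadowHash;` marker when it is enabled with a password); the sample outputs embedded in it are constructed for offline use, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not Demisto's RootProtector, not Apple's guide): report whether the
# root account on this Mac already has a user-defined password.
#
# Assumption: `dscl . -read /Users/root AuthenticationAuthority` prints
#   "No such key: AuthenticationAuthority"  when no root password was ever set,
#   a value containing ";DisabledUser;"     when root was disabled after a password was set,
#   a value containing ";ShadowHash;"       when root is enabled with a password.

# classify_root_auth OUTPUT -> prints one of: no-password, disabled, enabled, unknown
# Patterns are tested in order, so a disabled account (which still carries a hash)
# is reported as "disabled" rather than "enabled".
classify_root_auth() {
  case "$1" in
    *"No such key: AuthenticationAuthority"*) echo "no-password" ;;
    *";DisabledUser;"*)                       echo "disabled" ;;
    *";ShadowHash;"*)                         echo "enabled" ;;
    *)                                        echo "unknown" ;;
  esac
}

# needs_fix STATUS -> succeeds when the administrator still has to set a root password.
# "unknown" is treated as needing attention rather than silently passing.
needs_fix() {
  [ "$1" = "no-password" ] || [ "$1" = "unknown" ]
}

# check_root: run the live query on a Mac. Returns 0 when a root password is set,
# 1 when one still has to be set, 2 when dscl is not available (not macOS).
check_root() {
  command -v dscl >/dev/null 2>&1 || { echo "dscl not found; run this on macOS" >&2; return 2; }
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  status=$(classify_root_auth "$out")
  echo "root account: $status"
  if needs_fix "$status"; then
    echo "set a root password now: sudo passwd root   (optionally disable root afterwards: sudo dsenableroot -d)"
    return 1
  fi
  return 0
}

# Constructed sample outputs (not captured from a real machine) for offline demonstration.
SAMPLE_NO_PASSWORD='No such key: AuthenticationAuthority'
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# `sh script.sh live` queries the real account; with no argument it classifies the samples.
if [ "${1:-}" = "live" ]; then
  check_root
else
  for s in "$SAMPLE_NO_PASSWORD" "$SAMPLE_DISABLED" "$SAMPLE_ENABLED"; do
    classify_root_auth "$s"
  done
fi
```

Run it with `live` on each Mac you administer (it needs no privileges to read the attribute); a `no-password` result means the bypass described above still applies and `sudo passwd root` should be run before anything else. In a fleet, the classifier can be fed the stored output of the same `dscl` query collected by your management tooling.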
For IT administrators in charge of multiple employee accounts, this can be a taxing and patience-sapping exercise. If you don’t want to get caught in endless mail chains and employee follow-ups – or if you’re just unsure how to go about setting the root password – you may want to use RootProtector, something we at Demisto spun up as monitors flickered in the night.
RootProtector is a downloadable executable file that will take you through the password-setting process for the root account. To run the file, right-click it, select ‘Open’, and then ‘Continue’ when the prompt shows up:
For an added layer of security and verification, you’ll now have to enter the password for your user account.
Once you’re verified, you can either choose to set a new password for the root account or set your existing user password as your root password.
And that’s all. A simple fix for a problem that could quickly have gotten out of hand. If you’re interested in downloading RootProtector, click below.
In any case, make sure your root account has a password and doesn’t turn into Pandora’s Box for you and your organization! Also be sure to install any patches or updates as they become available.
Note: Apple has issued a software update to fix the problem on 11/29/2017, 11:30am EST. Nonetheless, take care to set your root password!