'Spectacular' Apple Flaw Left Macs Wide Open for Attack
Apple has been forced to fix a major security flaw in the latest edition of the Mac operating system. The fix makes it far easier for a thief to access a computer's files.
The bug is in MacOS High Sierra, which was released two months ago. It's widely used as its compatible with most Mac computers released in the past eight years or so.
The problem is with root access on the system. That's the highest level of access, giving complete control of the computer and even the opportunity to alter key system files. Normally only the most confident users would enable root access (which then acts a little like another user account) and would put a strong password on it.
However, a bug in High Sierra appears to have switched on root access with a blank password. That means it is incredibly simple to get root access on any affected computer in a matter of seconds.
Bug Revelation Controversial
The bug was revealed by Lemi Ergin, a developer from Turkey. That's proven controversial in itself as it appears Ergin didn't inform Apple first and give it a chance to fix the problem. (Source: bbc.co.uk)
For the most part, the bug is only a concern if somebody has physical access to a computer. One exception would be if users had enabled remote access software from a tech support service that turned out to be a scam, and did not keep a close eye on what was happening.
Shortly after the bug was made public, several sources suggested a workaround of actively creating a root account and setting a password. This overrode the default blank password.
Fix Rolling Out Automatically
Fortunately that's no longer necessary as Apple has issued a fix. The update to the operating system can be manually installed via the Mac App Store right away. Apple also started a program of automated updates to all affected computers on Wednesday.
The bug will be hugely embarrassing to Apple given the reputation for Macs being "more secure than PCs." Security experts hotly debate whether that's because of inherent differences in the way they work, or because hackers are more likely to target Windows because the pool of potential victims is significantly bigger.
Apple says that "[they] greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again." (Source: macrumors.com)
What's Your Opinion?
Has Apple done enough to keep users informed about this bug? Was Ergin right to go public if he hadn't put Apple in the picture first? Is this a serious blow to Apple's reputation?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Macs are no more secure than PCs
I'm tired of the "Mac vs PC" debate, so let me put it succinctly. Windows XP was notoriously flawed because every user had administration privileges by default when a program was installed. Windows XP was also wildly successful at the time and there were no smartphones, so they only way most people got online was with a PC running Windows XP. That made it a huge honey pot for cyber scum.
Windows Vista fixed the administration rights flaw with "UAC" (user access control). Flash forward about 9 years and Windows 10 makes things much, much, much more secure than they were. So to say that "Macs are more secure than [today's] PC" is pure baloney - the only reason why you hear less of Macs being "attacked" is simply because most people own Windows PCs because that's where the market (and money) is.
As far as this story goes - operating systems are made by human beings and human beings are not infallible, so you might see a story like this (once in a while) that highlights pretty serious flaws. As long as it's dealt with in a timely manner it should not be a major issue. Of course we may not know the answer to that for months or perhaps years after the fact.