Tuesday, 12 December 2017

Huge macOS Bug Allows Root Login Without a Password. Here's the Fix

29 November 2017

According to The Verge, one way to thwart this low-likelihood but high-impact vulnerability is to change the root account password on your Mac. Press Return or click the Unlock button a few times - I've seen it both accept on the first try and require a couple of additional tries. Lemi Orhan Ergin, the founder of Software Craftsmanship Turkey, discovered the security flaw and tweeted it out to Apple Support on Tuesday. A spokesperson for Apple was not immediately available for comment. The flaw can also be used at the login screen of a locked Mac to unlock the machine and gain full administrative access.

A demonstration of the security flaw. Those running previous versions of macOS, including Sierra and Yosemite, do not appear to be affected by the bug.

The exploit can be run in System Preferences.

Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).


Disabling the root account in the Open Directory Utility tool does not work, as the root account becomes re-enabled when "root" is entered into the user name field at login. But The Verge offered a solution: create a new system administrator password.

Let's make this clear: this is a huge mistake on Apple's part, even if there's a relatively simple fix.

In the dialog that pops up, click Open Directory Utility, and from the tool's menu bar, select the Edit item, and then Change Root Password.

"A password prompt that authenticates as root with an empty password would be a black eye for any OS." (The company maintains an invite-only bug bounty program.) Despite its incredibly alarming simplicity, The Verge is not reproducing the steps to bypass High Sierra's login screen here. Users can prevent an attacker from exploiting the bug by creating a "root" account themselves and giving it a custom password.
