Apple suffered a major embarrassment when a Turkish developer known as Lemi Ergin noticed a serious security flaw in its newest Mac operating system, macOS High Sierra.
Though Mr. Ergin is being criticized for not following the disclosure guidelines normally observed by security professionals after finding a bug, it is Apple that is left red-faced by it.
Normally, security analysts are expected to notify the company first, allowing it some time to fix the bug before going public. The Turkish developer instead went for glory and notified the world at the same time as he notified Apple.
Mr. Ergin found that by entering the username "root" and leaving the password field blank, he only needed to hit "enter" a few times before being granted unrestricted access to the target machine.
The timing of the disclosure presents a major problem for Apple, which now has to ship a fix very rapidly, before the vulnerability can be exploited by criminals.
Given that the root user can do far more than a normal user, the bug is all the more remarkable for its simplicity; other security experts described it as a "howler" and "embarrassing."
Professor Alan Woodward from the University of Surrey commented: "Haste and security don’t make good bedfellows. They will need to be careful the patch doesn’t introduce some other problem as they’ve not had time to properly test it."
Apple said it had been working on a fix since the bug was reported, and offered a workaround for users concerned about it.
“Setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.”
“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
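A small audit script for the workaround quoted above, added here as an illustration and not part of the original post or Apple's guidance. It classifies the root account's `AuthenticationAuthority` record as reported by `dscl` (the `;DisabledUser;` and `;ShadowHash;` markers and the `No such key` message are assumed to be what `dscl` prints; the sample records below are constructed) and, on a Mac, queries Directory Services directly, falling back to the constructed sample elsewhere so the script still runs.

```shell
#!/bin/sh
# Constructed samples of `dscl . -read /Users/root AuthenticationAuthority` output
# (assumed format): root disabled, as on a fresh install, versus root enabled.
ROOT_DISABLED_SAMPLE='AuthenticationAuthority: ;DisabledUser; ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
ROOT_ENABLED_SAMPLE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.PLACEHOLDER;'

# root_auth_state: classify one AuthenticationAuthority record for /Users/root.
# Prints "disabled" when the ;DisabledUser; marker is present (root cannot log in),
# "enabled" when a ShadowHash entry is present without that marker, "missing" when
# the attribute is absent (dscl reports "No such key"), and "unknown" otherwise.
root_auth_state() {
    case "$1" in
        *';DisabledUser;'*)   echo disabled ;;
        *'No such key'*|'')   echo missing ;;
        *';ShadowHash;'*)     echo enabled ;;
        *)                    echo unknown ;;
    esac
}

# audit_root: query Directory Services where dscl exists (macOS), otherwise use the
# constructed "disabled" sample. Exit status 0 means root is disabled; non-zero means
# root is enabled, so the admin should confirm a real password is set, which is the
# workaround the article quotes.
audit_root() {
    if command -v dscl >/dev/null 2>&1; then
        record=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    else
        record="$ROOT_DISABLED_SAMPLE"
    fi
    state=$(root_auth_state "$record")
    echo "root account state: $state"
    [ "$state" = disabled ]
}

audit_root
```

Run it with `sh audit_root.sh`; on a machine where root turns out to be enabled, set or change the root password per Apple's HT204012 instructions rather than leaving it blank.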
Source:
https://www.telegraaf.nl/nieuws/1365652/beveiligingslek-in-besturingssysteem-apple
Jesus Crust.
That's more than major.
Are they hiring gay frogs to do their programming?
What's wrong with the Unix login?