Attn Mac High Sierra (OS X 10.13) users: major vulnerability exposed today -- protect yourself by setting a root password


#1

This is blowing up across the Interwebs. If you’re using OS X 10.13, make sure you set a root password on your device.

For bonus rage, check out the comments on the original tweet:

… with people blaming this guy for not following “proper disclosure channels” before tweeting about this.


#2

A public tweet sure as hell isnt proper disclosure.


#3

If he had followed proper disclosure channels, they would have sued him into silence and maybe sooner or later gotten around to a fix. (Probably later, tbh. And probably with a description that masks the nature of the issue, if the '06 wifi exploit was any indicator)


#4

I would definitely prefer to not have been left in the dark about something as severe and easy to exploit as this. Disclosure be damned.


#5

Ignoring the hyperbole about suing him (Apple routinely works with folks on security releases) one of the points of responsible security releases is to ensure that there is a fix in place before disclosure. As someone responsible for actual systems in the wild targeted by very many asshats I welcome responsible disclosure for not giving every script kiddie in the world an option to break things for lulz.


#6

No hyperbole here. I knew the guy who developed the wifi exploit in '06. He gave them the code, they lied and said there was no exploit, threatened to sue him if he released too much info (spoken with the other side of their mouth), then released a fix that they insisted was not related, but in looking into his report found something different. (While buried in the patch notes, was a description of exactly the thing he found in the first place)


#7

And of course, nothing at all has changed in the intervening 12 years.


#8

Let’s just say I’m skeptical. The company I worked for 12 years ago is still doing all the shady things today that they were then.


#9

I get it. Skepticism is healthy.

Here’s the page Apple uses to credit responsible disclosure in, for example, their web front ends;

Here’s Apple’s policy:

A lot of this infrastructure surrounding security didn’t exist (or didn’t exist at this level of robustness) in 2006. Thankfully, the combination of the world moving forward combined with many hundreds of millions of IOS devices out there has helped in that regard, IMHO.


#10

Courtesy of Jedakiah on the Arstechnica discussion of the subject:

A helpful fellow on the Apple forums presenting this as a solution to losing your admin login on November 13th.

Unless this helpful and apparently heedless of the darker implications person was the only one to have stumbled across it; I suspect that the cat was not only out of the bag; but out of the bag and busy planting a keylogger and a lifelike replica cat in the bag for the next time someone checks on the cat/bag status some time ago.


#11

Responsible disclosure is great for many things.

This on the other hand is such an unfathomably stupid bug Apple deserves some embarrassment over it.


#12

Maybe you aren’t someone who has to deal with the consequences of these sorts of things?


#13

Sure, I have on numerous occasions.

This isn’t an obscure elevation of privilege, weakness in cryptography, exposed secret, or remote code execution. This is a mind bogglingly stupid issue that’s user serviceable and it appears this was already known. I’m all for shining a brighter spotlight on this.


#14

As someone who deals with problems related or otherwise, how difficult would a fix to something like this be? For a site like this or otherwise


#15

Well, in this case the fix is fairly trivial (adding root passwords, though thankfully that’s part of good systems policy 101), but in the general sense of what would have to be done - if there were an external service affected by a “0-day” vulnerability like this, without a fix, you’d have to lock it down as best you could:

  1. remove from public access entirely - if you can’t do this then
  2. lock down access to the bare minimum of IPs that should be able to access it, or
  3. otherwise harden the systems so that if they do become compromised, you can rebuild them easily while also
  4. ensuring that compromised systems have no further access to the internal network itself.

Of course, in the abstract most of that doesn’t mean much, and I can’t think of a remotely-exploitable issue that was so egregious you ever really got past step 2 above. Part of that, though, is because it’s been a long time since someone released information about a vulnerability like this into the wild that wasn’t done with responsible disclosure in mind in the first place. :slight_smile:


#16

it’s not the login window. It’s what I’d call the “privilege escalation” dialog, but I’m not sure what Apple calls it.


#17

Supposedly it works from the login window as well.

Thankfully it isn’t, which is part of why I’m not up in arms about how this was disclosed.


#18

Not in my experience.

You know what would help drive the point home? Video.


#19

Yeah, you’re right. It seems to be confined to that elevation dialog. (Still doesn’t discount the severity of the issue, though!)


#20

aaaand fixed: