I’ve been an Apple user from my very first Macintosh in the 1980s. It’s nearly become a religion. And, as with most religions, it’s created a degree of blind faith on my part. Some of this is clearly habit, but much of it is based on my trust of the Apple brand, which has been less susceptible to cyberattacks, stable, and very reliable. That’s one of the benefits of creating a walled garden where you have control over who you let in.
However, I admit to often waiting on upgrading to a new operating system to avoid any bugs that may still need to be worked out. At the same time, I realize that this could expose my Mac to known security vulnerabilities.
So, I finally broke from habit a few weeks back and upgraded to High Sierra to make sure my Mac was up to date.
Which is why I was absolutely blown away by a vulnerability that was just uncovered in that shiny new OS; a vulnerability that’s the equivalent of leaving home with the front door wide open and a welcome sign posted in the driveway.
According to an article in The Register, which I verified on several of my own Macs running the latest OS, High Sierra, if you have physical access or remote access to a Mac, you can effortlessly log in as an admin, gaining total control over the machine.
All someone with physical or remote access to your Mac has to do is prompt an action that requires admin privileges, for example, changing user security levels. The dialog box that comes up when doing this asks for a username and password. This level of access frightens me so much that the combination of username and password I’ve set is a jumbled mess of more than 40 characters.
Here’s the problem. Once the dialog box appears, all you have to do is enter “root” as the username, leave the password blank, hit unlock a few times, and you’re logged in as an admin! No backdoors, no obscure code-level hacks, no social engineering, nothing even remotely devious.
I immediately tried this and stared in disbelief as my MacBook welcomed me into its inner sanctum. Even Apple’s FileVault encryption feature was now useless in protecting my files.
There is a fix that you can see here. If you use a Mac, do it now!
The degree of vulnerability this bug creates and the simple fact that something so blatant made it into a final release of Apple’s OS is nothing short of dumbfounding.
It’s a stark reminder that when it comes to cyber security no company is immune, no defense is good enough, no wall high enough, especially when you leave the front door wide open.