News is emerging about a flaw in macOS High Sierra that allows attackers to gain access to machines without a password and obtain admin rights. IT security experts commented below.
Lee Munson, Security Researcher at Comparitech.com:
“It wasn’t that long ago that Apple was winning the desktop security space by a large margin, primarily through the advantage of obscurity versus its Windows competition.
“Times have changed though and we can no longer say that Macs don’t get viruses and nor can we say that they are immune to potentially very serious bugs either.
“The latest of those bugs to emerge is about as serious as it gets too; the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to.
“Of course, this is all mitigated by the fact that remote access can only be gained if the bug is first leveraged through physical access to the device, so home users have very little to worry about and businesses should also be okay, as long as they are on top of access control and visitor policies.
“Even so, all Mac owners would be well advised to install the resultant patch, just as soon as it becomes available.”
Peter Havens, Director of Product Management at Centrify:
A major security flaw in Apple High Sierra allows anyone to log in to a Mac by simply typing in the user “root” and hitting the enter key a few times. This simple action gives complete superuser access rights to the system, exposing all user data.
Moreover, the Apple root bug can be used to log in through the login screen or the screen saver lock screen for Active Directory (AD) joined Macs — this is much more significant than the originally reported issue because it allows an admin to elevate privileges by unlocking system preferences. In addition, if a Mac user has “screen sharing” enabled, perhaps from a previous IT support issue, the root login can be used to remotely view the user’s screen without them knowing, or to log in remotely.
While there is a simple workaround (create a user by the name of “root” and set a unique and complex password) and Apple is sure to address this gaping hole quickly, it highlights a fundamental but ignored gap in enterprise security.
For many companies, the practice of reusing the same local admin password for every endpoint, and rarely, if ever, changing it continues to be common practice. If that password becomes exposed through phishing or credential theft then the attacker has unfettered access to every endpoint in the organisation. All local admin accounts (including the root account on Macs) should have unique passwords that are randomly created and regularly rotated. An easy way to accomplish this is through the use of a local admin password management (LAPM) solution. With a LAPM, authorised users can check out the local admin password for remote management or to temporarily grant admin rights to the device’s primary user.
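As an added illustration of the workaround and the per-endpoint password advice above (example script written for this page, not code from the article or from Centrify), the following shell functions classify a Mac's root account from the output of `dscl . -read /Users/root AuthenticationAuthority` and generate a random password for it. It assumes that a root account with no AuthenticationAuthority attribute carries no password hash at all, while a `;ShadowHash;` entry means a password has been set, as the workaround requires.

```shell
#!/bin/sh
# Added example (not from the article). Assumption: on macOS, a root account
# that has never been given a password has no AuthenticationAuthority
# attribute, so dscl reports "No such key"; once a password is set the
# attribute carries a ";ShadowHash;" entry.

# root_auth_status: classify captured dscl output ($1) with one word.
root_auth_status() {
    case "$1" in
        *"No such key: AuthenticationAuthority"*) echo "no-password-hash" ;;
        *";ShadowHash;"*)                         echo "password-set" ;;
        *)                                        echo "unknown" ;;
    esac
}

# check_live_root: run the real query (macOS only). stderr is merged in
# because the "No such key" message is not printed on stdout.
check_live_root() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    root_auth_status "$out"
}

# new_local_admin_password: a unique, random 24-character password for one
# endpoint, the kind of value a LAPM tool would generate and rotate.
new_local_admin_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Usage on a Mac (constructed sample flow):
#   status=$(check_live_root)
#   if [ "$status" = "no-password-hash" ]; then
#       pw=$(new_local_admin_password)     # store it in the LAPM vault
#       sudo dscl . -passwd /Users/root "$pw"
#   fi
```

A host reporting `no-password-hash` is in the state the article describes; `password-set` means the workaround has been applied.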