MacOS Bug Allows For Astonishingly Simple Access to Your Computer
By: Jim Stickley and Tina Davis
November 30, 2017
If you ever wanted a particular vulnerability handed to you on a silver platter, Apple has done just that with its latest update to the operating system, MacOS High Sierra. There’s no fancy handiwork or extraordinary hacking skills necessary to exploit this one. That’s what makes it so shocking to the cybersecurity community. It takes nothing more than the ability to use a keyboard and type four characters into the user field upon login.
Security researchers discovered a neat little bug that only requires typing the word “root” as the user and magically, the computer will unlock.
What can be done with this is quite disturbing. Not only can someone who may have physical access to the computer just log in and do whatever he or she wants to (root access grants the highest privileges), but it could also be exploited by malware. And malware can get there remotely. No need for someone to have the machine nearby. A phishing email message will do the trick.
Apple has indeed fixed this issue already. It took a mere 18 hours for the company to release it, which is commendable. So, if you haven’t received a notification that an update is ready, manually check by going into the App Store on the device and clicking the “updates” icon. Then install it right away.
In addition, watch for phishing email messages. This is ridiculously easy for bad actors to exploit, so it’s not unrealistic to expect some to give it a go. Don’t click on links or attachments in email message, especially if you are not expecting anything. This is a good rule of thumb at all times.
While you’re working on that update, install some anti-virus software on the computer as well. This will help detect malware as it comes through. It won’t catch everything, but it is a very good, easy, and inexpensive defense against threats.
This is not the first bug in Apple’s High Sierra operating system. An earlier one allowed malicious code to steal the keychain contents without a password. Another one showed the user password as the password hint when trying to unlock an encryption partition on the machine. It isn’t likely this one will be the last vulnerability in an Apple update, but as long as you keep applying updates and avoid falling for phishing, you’re most certainly on the right track to protecting your computer and your information.