Apple MacOS High Sierra Root Bug: Patch Is Not Enough
If you’re not an Apple user you may not have heard the news, but an embarrassing security flaw was found in MacOS High Sierra, impacting MacBooks, MacBook Pro, MacBook Air, iMac, and iMac Pro. Named the Root bug, it was identified by software developer Lemi Ergin on November 28.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The security flaw allows anyone to “hack” into a Mac without knowing anything about programming. All malicious actors had to do was type the word “root” into the username entry field and hit enter a few times, no password required. By doing this, malicious actors were able to gain not just entry to the computer but administrative privileges as well. That’s it! Just type one word and you have access to anyone’s Mac laptop or desktop.
Apple was swift with their response and rushed a patch out on Wednesday, November 29th. While Apple was praised for the speed of their response, it should be expected by now that any patch rushed out that quickly, one day after discovery to be exact, may have problems of its own. Apple claimed there was a logic error in the validation of credentials and that they improved it while resolving the issue. This sounded excellent at first, but then new reports of errors came out, along with reports that the released patch could be easily reversed. When users on MacOS 10.13.0 apply the patch, it is removed when they upgrade to 10.13.1. Even when users try to reinstall the patch after the upgrade, the Root bug is still there. This is a serious issue because it sends confusing signals to MacOS users, who may see the news and apply the patch but, after upgrading, don’t test to see if the issue still exists. Users will instead just continue on with their normal routine.
Apple’s development process is now in question for many users and organizations who use their products. The severity of this security flaw is huge and shakes the validity of the claim that MacOS is inherently safer than Windows. This question becomes even more important when one takes into consideration that many organizations have switched over to Mac based on these claims of a low-maintenance, secure operating system, and others for cost. If a basic security consideration such as credentials access was overlooked during development, then there may be other security gaps expected with the release of the new MacOS High Sierra.
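A re-test that can be run after each patch or upgrade, as an added example that is not part of the original article: it reads the root account's AuthenticationAuthority with dscl and reports whether the account looks enabled. The reading of the dscl output (no key or a ;DisabledUser; tag means disabled, a ;ShadowHash; entry means enabled) is an assumption, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): report whether the local root account
# is usable, so the check can be repeated after every patch or OS upgrade.

# classify_root TEXT: TEXT is the output of
#   dscl . -read /Users/root AuthenticationAuthority
# Assumption: a disabled root account has no AuthenticationAuthority key
# (or one tagged ;DisabledUser;), an enabled one carries a ;ShadowHash; entry.
classify_root() {
    case $1 in
        *";DisabledUser;"*)                        echo disabled ;;
        *";ShadowHash;"*)                          echo enabled ;;
        *"No such key: AuthenticationAuthority"*)  echo disabled ;;
        *)                                         echo unknown ;;
    esac
}

# recheck_advice VERSION STATE: the article reports that the fix applied on
# 10.13.0 is lost on upgrade to 10.13.1, so both releases get a re-test note.
recheck_advice() {
    case $2 in
        enabled) echo "ALERT: root account is enabled on $1; confirm this is intended" ;;
        disabled)
            case $1 in
                10.13|10.13.0|10.13.1) echo "OK for now on $1: re-run after every update or upgrade" ;;
                *) echo "OK on $1" ;;
            esac ;;
        *) echo "UNKNOWN on $1: inspect the root account manually" ;;
    esac
}

# Only query the live system where the macOS tools exist.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    state=$(classify_root "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)")
    recheck_advice "$(sw_vers -productVersion)" "$state"
fi
```

Running it again after moving from 10.13.0 to 10.13.1 covers the case described above, where the fix is removed by the upgrade.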
An Insider’s Dream
It may seem like this issue will be isolated to individuals who use Macs; however, it can be a dream come true for malicious insiders in enterprises that use MacOS as their main system. While Windows is still the go-to OS for enterprises, Apple does have loyalty from many organizations including IBM, Google, and many others. If a malicious insider decides they want access to sensitive information on someone’s computer, then all they have to do is open up anyone’s computer, including an executive’s, and just type the word “root” and they’re in. Even if an organization applied the patch and ran a full upgrade later, the issue would still be present, and there will be a loss of money and time from upgrading all stations that use MacOS.
Organizations that primarily use Macs should watch the news very carefully if they wish to deter insider threats. Additionally, there are security solutions that can help detect malicious insider behavior. Even if a malicious insider gets access to a device other than their own, technology such as user behavior analytics can detect odd behavior coming from that device while it’s on your network. Security should never be considered an all-in-one technology package. Hopefully Apple can fix this bug soon and ensure that enterprises and individuals are able to remain secure while using their devices.