Published: Fri, January 12, 2018
Industry | By Terrell Bush

Apple Has Yet Another Password Bug in macOS High Sierra


There is a security flaw in the most recent edition of macOS High Sierra, version 10.13.2, that allows users to unlock the App Store menu in System Preferences without knowing the password.

The bug report also highlights yet another embarrassing password-related bug for Apple.

The password issue will without question require a fix; it's unacceptable that a login prompt can be bypassed by simply ignoring it or entering incorrect information. Then, enter the admin name (it should be there already) and any password (or no password at all), and click Unlock.

It's also important to note that in order for the flaw to occur, the admin must first be logged in. In a series of Twitter messages on January 10 directed at multiple media outlets, Holtman emphasized that the issue is not critical.

To exploit the bug, a hacker would need to have physical access to a vulnerable Mac when a user is logged on to the computer. The steps to reproduce were as simple as opening System Preferences, clicking the lock to make changes, typing "root" in the username field, and clicking the Unlock button. "Likely an oversight in the security changes in 10.13.x".


A security bug in macOS High Sierra was detected in version 10.13.2.

The discovery no doubt brings back memories of the infamous bug that allowed anyone with root access to a device to log in with hardly any hindrance.

After an unsafe macOS flaw left some proverbial egg on Apple's face at the end of 2017, it probably didn't want to start 2018 with another issue on its hands. With CVE-2017-13872, Apple warned that an attacker could bypass administrator authentication without supplying the administrator's password.

It's not going to be a serious issue when an intruder needs admin-level access, but it could be a concern if an attacker already has those privileges. Considering the critical role that passwords continue to play in modern IT security, though, having an oversight in password technologies isn't particularly reassuring. Then again, as Holtman wrote, it could just be an "oversight".
