Apple said on Wednesday that it will rush an emergency patch to users that fixes an embarrassing login bug in its High Sierra operating system. The patch is expected to be pushed out by Apple sometime Wednesday, according to a company spokesperson.
The serious High Sierra login bug surfaced Tuesday, giving anyone with physical access to a Mac running the latest version of the operating system administrator access simply by entering “root” as the user name, leaving the password field empty and clicking the login button a few times.
“This security issue appears to be both an unsecured default setting that shipped with the MacOS release and a flaw in the functionality of the software component that prevents one from disabling the root account,” said Chris Carlson, VP of product management at Qualys. “The mitigation, until Apple releases a patch, is to create a secure password for the root account.”
In a statement issued Wednesday, Apple admitted to the mistake, stating, “Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.”
The statement continued:
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”
Developer Lemi Orhan Ergin is credited with first publicizing the bug when he took to Twitter on Tuesday to flag the flaw for users running the latest macOS 10.13 version of the High Sierra operating system.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple continued, in a rare admission of letting its customers down.
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again,” the Apple spokesperson said.
Apple tracks the vulnerability as CVE-2017-13872 and describes it in its security update notes as a case where “a logic error existed in the validation of credentials. This was addressed with improved credential validation.”
macOS High Sierra 10.13.1 is affected; macOS Sierra 10.12.6 and earlier are not, Apple said. On affected systems, Apple said, an attacker may be able to “bypass administrator authentication without supplying the administrator’s password.”
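The two facts above (which versions are affected, and that a root password is the interim mitigation Carlson describes) can be turned into a quick triage check for a single Mac. The script below is an added example and is not code from the article, from Apple, or from anyone quoted here. It assumes three things not stated on the page: that 10.13.0 is affected alongside 10.13.1 (it predates the fix), that `dscl . -read /Users/root AuthenticationAuthority` prints a `;ShadowHash;` authority when root has a password and `No such key: AuthenticationAuthority` when it does not, and that `sudo passwd root` is an acceptable way to set that password. The parsing functions take command output as arguments, so they can be exercised on the constructed strings at the bottom on any system; only `live_check` runs the real macOS tools.

```shell
#!/bin/sh
# Added example (not from the article, Apple or anyone quoted in it).
# Triage for CVE-2017-13872 on one Mac: is the installed version in the
# affected range, and does the root account already carry a password
# (the interim mitigation)?  The parsers take command output as arguments
# so they run anywhere; only live_check() calls sw_vers and dscl, and the
# dscl output format it expects is an assumption, not something the
# article states.

# Returns 0 when VERSION is High Sierra 10.13.0 or 10.13.1.  The article
# names 10.13.1 as affected and 10.12.6 and earlier as not affected;
# 10.13.0 is included here as an assumption.  A patched 10.13.1 still
# reports 10.13.1, so this is a coarse filter, not proof of exposure.
is_affected_version() {
    case "$1" in
        10.13|10.13.0|10.13.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the output of
#   dscl . -read /Users/root AuthenticationAuthority
# carries a shadow-hash authority, i.e. root has a real password.  With
# root left at the shipped default (no password) dscl instead prints
# "No such key: AuthenticationAuthority".  Format is an assumption.
root_has_password() {
    case "$1" in
        *";ShadowHash;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combines both signals into one of three verdicts, printed on stdout:
#   not-affected                  version outside the affected range
#   root-password-set             mitigation already in place
#   needs-patch-or-root-password  affected version and root has no password
#                                 (or Apple's update is installed but the
#                                 version string cannot show it)
classify() {
    version="$1"
    authority="$2"
    if ! is_affected_version "$version"; then
        echo not-affected
    elif root_has_password "$authority"; then
        echo root-password-set
    else
        echo needs-patch-or-root-password
    fi
}

# Runs the real commands on a Mac.  Elsewhere it only reports that it
# cannot, with exit status 2.  Exit status 1 means action is needed.
live_check() {
    if ! command -v sw_vers >/dev/null 2>&1 || ! command -v dscl >/dev/null 2>&1; then
        echo "sw_vers/dscl not found: this is not macOS" >&2
        return 2
    fi
    ver=$(sw_vers -productVersion)
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    verdict=$(classify "$ver" "$auth")
    echo "macOS $ver: $verdict"
    if [ "$verdict" = needs-patch-or-root-password ]; then
        echo "Install Apple's update, or until then give root a password:" >&2
        echo "    sudo passwd root      # assumed mitigation command" >&2
        return 1
    fi
    return 0
}

# Constructed inputs standing in for sw_vers / dscl output (not captured
# from a real machine).  On a Mac, run live_check instead.
classify 10.12.6 "No such key: AuthenticationAuthority"
classify 10.13.1 "No such key: AuthenticationAuthority"
classify 10.13.1 "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"
```

The version check is deliberately only a pre-filter: Apple's fix for 10.13.1 does not change the product version, so a machine that already has the update installed and keeps root disabled will still land in the `needs-patch-or-root-password` bucket. Treat that verdict as "confirm the update is installed, and if it is not, set a root password now", not as a confirmed vulnerability.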
Apple has recently come under scrutiny for obvious bugs found in the High Sierra operating system. In October, Apple rushed out an emergency patch that fixed another major bug (CVE-2017-7149) in its High Sierra operating system that revealed APFS volume passwords via the password hint feature.
“We are seeing some pretty serious missteps here where Apple has shipped an operating system with some pretty bad security issues,” said Patrick Wardle, director of research with Synack in an interview with Threatpost Tuesday. “Any operating system is going to have its share of flaws, but these kinds of bugs look like Apple didn’t even test them. These are not very difficult bugs to trigger.”
Wardle told Threatpost the implications of this bug are far reaching and go beyond simply gaining access to the local computer. For starters, he said attackers could use the flaw in conjunction with malware to elevate privileges locally to make changes to a system and add applications such as a keylogger. For systems on a corporate network, if a macOS computer has screen sharing enabled a remote attacker who is on the same network could under certain circumstances also use this bug to attack the targeted system remotely and gain root privileges.