Wednesday, November 29, 2017

MacOS 10.13.1 - Root vulnerability allows new ADMIN account without password

Apple is in process of building an emergency patch to lock down the “root” account where a preset password does not exist.  In certain settings, the "MacOS 10.13.1 Root vulnerability" allows a missing password challenge to be fully worked around.  That allows user accounts to be reset, allowing full compromise of vulnerable systems.  This bug is serious and believe Apple with quickly rectify with an expedient “patch now” update  

The hack is easy to pull off. It can be triggered through the Mac’s System Preferences application when “Users & Groups” is selected, and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types “root” as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges to the computer.


Amit Serper, a security researcher with Cybereason, replicated the result and said the bug “is as serious as it gets.”  Hackers are always crafting malware that can gain greater system privileges into a computer. Now they have a new way, which can also be triggered via a Mac’s command line function. Imagine a piece of malicious code designed to attack Macs using the same flaw. Users wouldn’t even know they were compromised, Serper said.


WORKAROUND – Allocate & preset “ROOT” account to password ahead of time instead of leaving unset as null value