"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS. When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

Asked to clarify whether anyone at Apple was aware of the issue before Tuesday, a spokesperson said that "our security engineers became aware of this just yesterday afternoon."

The original story follows below:
Software has bugs. That will always be true. But some bugs can be worse than others. Some can be incredibly dumb.

A new bug in Apple's operating system MacOS allowed anyone to become an admin by entering "root" as login and then pressing enter.

Yes, you read that right.

This means that if you were a user without full privileges on a computer, you could become one just by taking advantage of this bug. That is not how authentication is supposed to work, in case you're wondering.

"This is so dumb," Jay Little, a security researcher at security firm Trail of Bits, told me via chat. "This behavior is new so it happened because of a change, and this regression shows the change wasn't well tested, if tested at all. The implications are that restricted accounts for kids or students [or enterprise users] won't actually be restricted and be able to make system wide changes."
Several information security professionals confirmed to Motherboard that they could reproduce the bug on MacOS 10.13, the latest version of the operating system. The researchers said that the bug worked both in the system preferences as well as in the lock screen.