Joe Rossignol for MacRumors:
A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren’t able to unlock any other System Preferences menus with an incorrect password.
We’re unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.
Apple has really been dropping the ball with these breaches lately. Though App Store preferences are not as concerning as say, access to the whole system, the reality is still unacceptable.
Apple has released macOS High Sierra Security Update 2017-001 to address the embarrassing security hole discovered yesterday. Referred to, amusingly, as #IAmRoot on Twitter, the exploit allowed anyone to obtain the highest level of access to your Mac by using the built-in root account without a password. It was most easily exploited with physical access, but others on Twitter discovered it allowed for remote exploitation as well.
If you’re running a Mac with High Sierra, update immediately via the App Store.
Apple released the following statement:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
This is an insanely quick response from Apple, and that is fantastic. However, this never, ever should have happened to begin with. There’s no other word for it than ‘embarrassing’. An increasingly large part of Apple’s value proposition is their standing as the privacy and security company. After a while, issues like these can begin to hurt their credibility.
I think it’s clear Apple really needs to institute a bug bounty program for Mac, like they have done for iOS. The Mac product line as a whole has been seen as neglected by pros over the past couple of years, so huge missteps like this only add insult to injury. If Apple doesn’t want folks to think of Mac as the red-headed step-child, they need to start doing a much better job.
Amazing and inspiring words from the world’s biggest company. I usually can remember all the top features after an Apple keynote, but this one was SO packed, I had to go back and check things.
Apple was flying through their keynote at a blistering pace, and necessarily so. They presented a ton of new features (and new hardware) across their line. Here is the top stuff that caught my attention. You can also replay the keynote.