Joe Rossignol for MacRumors:
A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren’t able to unlock any other System Preferences menus with an incorrect password.
We’re unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.
Apple has really been dropping the ball with these breaches lately. Though App Store preferences are not as concerning as, say, access to the whole system, the reality is still unacceptable.
Apple has released macOS High Sierra Security Update 2017-001 to address the embarrassing security hole discovered yesterday. Funnily referred to as #IAmRoot on Twitter, the exploit allowed anyone to obtain the highest level of access to your Mac by using the built-in root account without a password. While the bug is most exposed to someone with physical access, others on Twitter found it allowed for remote exploitation as well.
If you’re running a Mac with High Sierra, update immediately via the App Store.
Apple released the following statement:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
This is an insanely quick response from Apple, and that is fantastic. However, this never, ever should have happened to begin with. There’s no other word for it than ‘embarrassing’. An increasingly large amount of Apple’s value proposition is their stock as the privacy and security company. After a while, issues like these can begin to hurt their credibility.
I think it’s clear Apple really needs to institute a bug bounty program for Mac, like they have done for iOS. The Mac product line as a whole has been seen as neglected by pros over the past couple years, so huge missteps like this only add insult to injury. If Apple doesn’t want folks to think of Mac as the red-headed step-child, they need to start doing a much better job.
Swati Khandelwal for The Hacker News:
Yesterday some users spotted a fake version of the most popular WhatsApp messaging app for Android on the official Google Play Store that has already tricked more than one million users into downloading it.
The app maker added a Unicode character space after the actual WhatsApp Inc. name, which in computer code reads WhatsApp+Inc%C2%A0.
However, this hidden character space at the end of the WhatsApp Inc. name would be easily invisible to an average Android user browsing Google Play Store, allowing this dodgy version of the app to masquerade as a product of WhatsApp Inc.
According to Redditors, who first spotted this fake app on Friday, the app was not a chat app; instead, it served Android users with advertisements to download other apps.
What a total shit show. Google removed the app from the Play Store, but not before it was downloaded by one million people. Think about how damaging this could be to the WhatsApp brand. I also wonder how vulnerable this makes Google to a lawsuit.
Google has touted advanced malware scanning as a feature of Android 8.0 Oreo, dubbed Google Play Protect. That’s nice and all, but this protection should be baked into the Play Store for everyone, not only for operating systems with a .2% market share. Turns out the often-complained-about walled garden that is Apple’s App Store has its benefits.
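The trick in the fake listing is a publisher name that differs from the real one only by a trailing invisible character. The check below is an added illustration, not code from the article, from Google Play, or from WhatsApp: it decodes a publisher name as it appears in a store URL, lists any space-like or format characters hiding in it, and compares a normalised form against a trusted publisher list. The trusted set ("WhatsApp Inc") and the zero-width-space variant are constructed for the demo; the percent-encoded string is the one quoted in the article.

```python
"""Flag store publisher names padded with invisible Unicode characters.

Added example (not from the article, Google Play or WhatsApp). The fake
listing used "WhatsApp Inc" followed by U+00A0 NO-BREAK SPACE, which
percent-encodes as %C2%A0. Normalising names before comparing them, and
reporting invisible characters, catches this class of impersonation.
"""
import unicodedata
from urllib.parse import unquote_plus

# Unicode general categories that render as nothing or as a plain space:
# space separators, line/paragraph separators, format and control characters.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}


def invisible_characters(name: str) -> list:
    """Return (index, codepoint, unicode name) for every character that is
    space-like or a format/control character, other than ASCII space U+0020."""
    found = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def canonical_name(name: str) -> str:
    """Reduce a publisher name to a comparison form: NFKC normalisation
    (which folds U+00A0 to U+0020), drop remaining invisible characters
    such as U+200B ZERO WIDTH SPACE, squeeze whitespace, and case-fold."""
    normalized = unicodedata.normalize("NFKC", name)
    kept = [ch for ch in normalized
            if ch == " " or unicodedata.category(ch) not in INVISIBLE_CATEGORIES]
    return " ".join("".join(kept).split()).casefold()


def impersonates(candidate: str, trusted_publishers: set) -> dict:
    """Decide whether `candidate` (possibly percent-encoded, as in a store
    URL) collides with a trusted publisher once invisible characters are
    removed, while not being exactly equal to that trusted name."""
    decoded = unquote_plus(candidate)
    trusted_by_canon = {canonical_name(p): p for p in trusted_publishers}
    collides_with = trusted_by_canon.get(canonical_name(decoded))
    return {
        "decoded": decoded,
        "hidden_characters": invisible_characters(decoded),
        "collides_with": collides_with,
        # Suspicious: looks like a trusted publisher but is not literally it.
        "suspicious": collides_with is not None and decoded not in trusted_publishers,
    }


if __name__ == "__main__":
    trusted = {"WhatsApp Inc"}  # constructed trusted-publisher list
    samples = [
        "WhatsApp+Inc%C2%A0",   # encoded name quoted in the article
        "WhatsApp Inc",         # the genuine name
        "WhatsApp\u200b Inc",   # constructed: zero-width space inside the name
    ]
    for s in samples:
        print(repr(s), "->", impersonates(s, trusted))
```

Comparing on the canonical form rather than the raw string is the part that matters: a listing whose canonical name equals a trusted publisher's but whose raw name does not is exactly the impersonation the article describes, and the `hidden_characters` list tells a reviewer which code points to look at.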
Kevin Beaumont for Double Pulsar:
So there’s a new Wi-Fi attack. In the media it is being presented as a flaw in WPA protocol which isn’t fixable. This isn’t true.
- It is patchable, both client and server (Wi-Fi) side.
- Linux patches are available now. Linux distributions should have it very shortly.
- The attack realistically doesn’t work against Windows or iOS devices. The Group vuln is there, but it’s not near enough to actually do anything of interest.
- There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this.
- Android is the issue, which is why the research paper concentrates on it. The issue with Android is people largely don’t patch.
Good points here. As a matter of fact, I patched my Ubiquiti UniFi access points this morning to protect against the vulnerability. Patches will trickle down to consumer devices in due time, I’m sure.