How to fix the macOS 10.13 Security Flaw

by

November 30, 2017

DISCLAIMER: We here at Security7 are avid Mac users both professionally and personally. We, as a business, were not affected by this exploit in any way. My personal machine was vulnerable but has since been patched. No PII data was exposed.

On Tuesday, November 28th a brand spanking new macOS security exploit was discovered. If you’re a macOS user you’re familiar with the system prompts you get when you’re trying to make a change to the system. They’re Apple’s way of asking “do you really want to do that or should you think about it first.”

Typically macOS asks for a Username and Password before it unlocks your machine and opens up what it considers to be vital components to manipulation. Without that User Name or password it was nearly impossible to make any fundamental change and software would block your attempt. That’s not what happens if you’re running macOS 10.13.1, known commercially as High Sierra.

In High Sierra anyone can get around the system’s built in security measures easily. All you need to get past that prompt it to enter the word root into the Username field, nothing into the password field and click “Unlock.” With little to know effort you can break into somebody’s Mac and wreck absolute havoc.

With this exploit an unauthorized user has access to everything. Passwords? Yep. All the credit cards you’ve stored with Apple Pay? Yep. Pretty scary, right? There are ways to fix the issue. Apple has released a security patch that addresses the issue. You’re also able to set a root password and nip the exploit in the butt. If you’re only a casual user we recommend updating your machine through the App Store and not monkeying around with your system preferences too much.

NOTE: This isn’t the first time a security flaw’s been exposed in Apple’s software (take a peek at this if you’re feeling brave: https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/cvssscoremin-2/cvssscoremax-2.99/Apple-Mac-Os-X.html) but it’s easily the most major faux pas they’ve ever made.

Ultimately, the thing that bugs me the most here isn’t that Apple makes mistakes. Everybody makes mistakes. I make mistakes. You probably make mistakes. The problem here is the severity of the mistake. Apple has become careless when it comes to the quality of the software they release and I think it’s only going to get worse.

Let me present you, the reader, with something important to know before we go any further down this path: I’m an Apple fan and I have been for years. I am a proud, life long Mac user and I’ve never been ashamed to admit it. I love all of their products. I love their phones. I love their computers. I love their software. I love their wearables. I love their services. I love them, I love them, I love them.

I am biased towards Apple and I probably always will be. There. I said it. But it’s important to know before I get into how much I think they’re letting everybody down.

It used to be, if you were an Apple fan, a TRUE Apple fan, there are some things about the company that you’d learned to really respect and appreciate. Things like beautiful industrial design, the development and use of revolutionary technology and a walled garden software environment that protected you from things Microsoft users have to worry about on a daily basis. The overall security of macOS and it’s walled garden was a HUGE draw for people. There’s no denying it.

Part of Apple’s allure was its security posture. Viruses and threats were few and far between. Users felt safe. Users felt secure. Or at least we used to and let me tell you, that walled garden was a lovely place to live in too. It’s a happy, controlled environment opposed to the chaos experienced in a Windows environment. To paraphrase Steve Jobs, software in Apple’s walled garden “just worked.”

Threats to macOS are on the rise. Bad hombres are out there on the cyber every day coding as much as they can to impact everybody they can.

You’d think, knowing the current state of worldly cyber-affairs, Apple would do everything in its power to make sure any loophole or vulnerability would be more waterproof than a frog’s butt hole. In theory, nothing would leave Cupertino that wasn’t 100% tested for quality assurance and consumer safety.

Sadly that is no longer the case. Apple is starting to fail on a regular basis.

The problem Apple is currently facing isn’t relegated to just security concerns. The problem is bigger than that. It’s honestly about the overall quality of the products they release. I contend that Apple, since Steve Jobs died, has been slowly slipping away from what made them great between 1997 and 2011, regardless of what their quarterly earning reports may show.

That range I mentioned above, 1997 to 2011, isn’t just some arbitrary selection I plucked out of thin air for the purpose of sounding intelligent. 1997 is the year Steve Jobs returned to Apple and 2011 is the year he died, forever leaving behind the company he founded and saved from near total annihilation.

The missteps Apple seems to be making tells me they favor quantity over quality and I’m not alone. Apple is no longer interested in the overall quality of their software or hardware. They know people like me will buy it regardless of its level of quality.

Even as a loyal Apple fan boy, now when I’m asked by someone if they should switch over from PC I can’t help but look at them solemnly and say “yes, but be careful. Apple isn’t what it used to be.”

Carl Keyser is the Content Manager at Integris.

Keep reading

Strong Cybersecurity Postures: How to Unleash their Power

Strong Cybersecurity Postures: How to Unleash their Power

In the vast digital landscape where virtual dragons and sneaky trolls roam a strong cybersecurity posture has never been more important. Imagine a band of modern-day knights led by our protagonist, Alex. Armed with a trusty laptop and a cup of coffee, Alex navigates...

How to Spot a Phishing Attack in 2023

How to Spot a Phishing Attack in 2023

In 2023 cyber threats lurk behind every tree trunk in today's digital jungle, and cybersecurity awareness is more critical than ever. Among the craftiest of these threats are phishing attacks. Phishing attacks are cunningly engineered with social manipulation at their...

How to Choose an IT Consultant in Boulder, CO

Regardless of industry size or type, Boulder IT consultants play a massive role in the way companies in the Boulder area do business. While most companies may have their own in-house IT department, many of these departments are small and cannot handle all the...