Apple releases fix for macOS High Sierra administrator authentication bypass flaw

Apple today released Security Update 2017-001 macOS High Sierra v10.13.1 which includes:

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002.

MacDailyNews Take: Install ASAP.

SEE ALSO:
Tim Cook’s sloppy, unfocused Apple rushes to fix a major Mac security bug – November 29, 2017
What to do about Apple’s shameful Mac security flaw in macOS High Sierra – November 29, 2017

30 Comments

    1. Of all Apple’s foibles, including the relatively “minor” product shipment delays–read, HomePod, the significant product “disappearances,” read Mac Pro & Mac mini, this stuff is absolutely the top of list and has company-cracking potential. This involves the vaulted ecosystem that is the Apple user’s walled garden. Lose this and Apple has lost its most secure differentiator, say nothing of the value of riches or revenue. It must not be forgotten that this isn’t the first crack in Apple’s software QC, but this is the most frightening. Tim, I don’t care what you think or do in private but let not the primary public Apple image be your frothy statements of “I/we care” when some tragedy hits the country. As well, fire the whole emoji department and reset that idiotic priority to something truly redeeming. I’d like to see some Steve Jobs ruthlessness in the QC realm and future mindedness. Fire everybody related to this error, set product release dates and demand that no one leaves until it’s done. You’re not here to be nice to the world. Be ruthless in respect to excellence.

    1. What an interesting comment. /s

      Yes, the flaw was stupid — in the extreme. People (likely several) should be fired over this, and they should be fired TODAY.

      However, you’d be surprised what a knowledgeable attacker can do with virtually any OS — macOS, Windows OS, Linux, Unix, etc., etc. — if they can get physical access to the machine. No main stream OS is hack proof if you can get physical access to the machine. Hell, if I can get a chipclip onto the chip hosting your BIOS/EFI/UEFI then your system is toast. I don’t care what OS you’re running.

      There has not been a verified, reproducible case of being able to use this flaw remotely. There have been lots of claims on Twitter and elsewhere, but absolutely nothing that has been independently verified.

      So called security experts claim that this flaw possibly could be used in conjunction with other remote techniques to get escalated privileges once you remote access by other means, but no one has posted a means that has been independently verified.

      There’s a lot of hysteria about this — and MDN quoting Snowden, who should never be quoted by anyone, ever , is not helping.

      Again, YES, it is an inexcusable flaw. However, it is not the end of the world as many sites are claiming.

    2. Donecan. I’m a fanboi and this report is disturbing (opinion above). There’s no excuse for this ongoing laxness. People get lulled by the amount of $$ Apple rakes. As well, people rationalize that such things are bound to happen because of Apple’s size. Both are ignorant. Good/big companies fail b/c of such thinking. For long, I’ve wished for SJ’s creativity and perfectionism to land on someone now at Apple, but so far, it’s been a pipe dream. It’s not in TC’s genes. What supposedly is in his bailiwick is operations, but that too has shown to be a mirage in the present. I wish he could retrieve some of that past glory, at least, and pick it up a number of ticks with a portion of SJ’s ruthlessness. I think it was ruthlessness that enabled many to characterize him as a prick, but I think it’s exactly what limp Tim needs. Because he’s such a love-the-world kind of guy, a large dose would just bring him up to real CEO level and no up to prick level.

        1. RU, wrong again. If you don’t see a laxness, your fanboi-ism is affecting your health. Btw the writer’s words didn’t define laxness in your assumed way.

  1. Oh dear Apple, what a cock-up! So much for your development team and trustworthiness. What a joke and Apple deserve all the wrath for this. No doubt the Apple die-hards will just see it as a blip. Again no QA to check for the obvious.

  2. Wintards, no system is perfect. It only applied to those who had an open sign in and people had to had to have access to your computer. Kudos to the guy that found the glitch and for Apple’s prompt action to fix it.

      1. Not quite, it merely hit the mass media 24 hours ago. Many reports note this was publicly disclosed to Apple’s own development community (rather nonchalantly as a solution to another problem) over 2 weeks ago.

        1. It was not reported as a vulnerability in that unmoderated by Apple forum, but rather as a cool way to get an Admin Account for a developer who had screwed up his Admin account. It was noted by others as a potential security vulnerability but no one there apparently made the step to actually NOTIFY Apple.

          Apparently Apple doesn’t monitor that Forum due to liability issues because developers may disclose things they are working on that may compromise Apple projects. It’s a forum only for developers to assist other developers so Apple employees stay clear of it as I understand it. . . so, if a vulnerability drops in an unmoderated forum and no one who saw it reports it, Apple was not notified.

      2. it was reported so quickly and WHY in the F is Apple’s response being lauded? Of course it should be repaired quickly. Is there any other option? Absolutely not. People are are dreaming rationalization on this board. There is no excuse for such a blunder. Same is true for the earlier wifi stain. Both should have been caught by early, by low levels.

      3. Oh dear, so sad you can’t see the bigger picture. What Apple has shown is its utter contempt for its users for this monumental mistake. It has proved YET AGAIN that Apple cares more about its bottom line than its customers and despite sounding helpful and assuring brings into question just how good Apple is at software development and QA….not very….goodluck with your leaky OS 🙂

  3. The Chicken Littles railing about this are the same ones who berate Apple so much when they miss estimated shipping deadline.

    What’s that old saying… you can have it quick and dirty or slow and good. Pick one.

  4. As far as we know, the vulnerability was publicised yesterday. We don’t know how long ago did Apple learn about it, so we can’t say how long has it been that they had been working on this, but it is clear that they can react quite swiftly when feet are put to the fire.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.