What to do about Apple’s shameful Mac security flaw in macOS High Sierra

“Someone at Apple seriously dropped the ball and put an unforgivable security flaw inside macOS High Sierra,” Jonny Evans writes for Computerworld.

“Complacency and incompetence are the biggest computer security threats, and Apple’s latest Mac security flaw seems to combine both of these,” Evans writes. “The flaw means anyone with physical access to your Mac can get inside the machine and tinker with it.”

Evans writes, “The problem (which first got disclosed here) was first revealed in a Tweet by Lemi Orhan Ergin.

“This is a monumental error,” Evans writes. “It also seems completely avoidable – it’s not as if every hacker anywhere doesn’t use the word ‘root’ in an attempt to penetrate security. The only way Apple’s engineers might have improved on this (i.e. made it worse) is if they had used the password ‘123456.’ The existence of the problem is shameful. Why does it exist and who is responsible?”

Read more, and how to fix this shameful security flaw, in the full article here.

MacDailyNews Take: Tim Cook’s Apple. That’s where the buck stops, right after it flits across Craig Federighi’s desk in this case, in a properly-run enterprise.

“Oh, but Apple’s basically printing money,” some cry! “Look at the share price; it’s near an all-time high!”

Regardless, as we’ve been saying for years now, as very longtime, very close observers of the company:

Apple is not firing on all cylinders.

The quality has been slipping for years and the mistakes, bad designs, stupid decisions, product delays and worse have been piling up. Exactly, how do you so thoroughly fsck up your top-of-the-line Macintosh by “designing yourself into a thermal corner” while trying to prove that you can “still innovate, your ass” (and failing abysmally) and not be able to deliver a replacement for going on FOUR YEARS?! Even HP and/or Dell could do it in 4 weeks. ASUS could do it on 4 days. If anyone needs a stronger indication of the existence of a problem at Apple that stems from the very top, they’re batshit delusional.

So, when you produce a $300 coffee table book with 450 painstakingly shot photographs on “specially milled German paper with gilded matte silver edges, using eight color separations and low-ghost inks” and even trumpet that it “took more than eight years to create,” but you can’t make or even bother to update the Mac Pro for over four years… Hey, you deserve every single bit of criticism and then some, if not for your horribly misplaced priorities and blatantly obvious mismanagement, then for your abject tone-deafness alone.

In other words, doing your real job first grants you the ability to screw around on some vanity projects without criticism. — MacDailyNews, May 18, 2017

This lack of focus, lack of attention to detail, lack of striving for perfection will catch up to Apple eventually if it is not arrested and corrected in time.

So – sigh – we once again present to Apple CEO Tim Cook, where the buck supposedly stops, the Trophy for Misplaced Priorities:

The Misplaced Priorities Trophy
The Misplaced Priorities Trophy

 
Luckily for Tim Cook, Steve Jobs left him a perpetual profit machine that can absorb pretty much any lackadaisical fsckatude that can be thrown into the spokes.MacDailyNews, November 17, 2017

SEE ALSO:
Apple’s late, delayed, limited HomePod is looking more and more like something I don’t want – November 27, 2017
Why Apple’s HomePod is three years behind Amazon’s Echo – November 21, 2017
Under ‘operations genius’ Tim Cook, product delays and other problems are no longer unusual for Apple – November 20, 2017
Apple delays HomePod release to early 2018 – November 17, 2017
Apple CEO Tim Cook: The ‘operations genius’ who never has enough products to sell at launch – October 23, 2017
Apple reveals HomePod smart home music speaker – June 5, 2017
Apple’s desperate Mac Pro damage control message hints at a confused, divided company – April 6, 2017
Apple is misplaying the hand Steve Jobs left them – November 30, 2016
Apple delays AirPod rollout – October 26, 2016
Apple delays release of watchOS 2 due to bug – September 16, 2015
Apple delays HomeKit launch until autumn – May 14, 2015
Open letter to Tim Cook: Apple needs to do better – January 5, 2015
Apple delays production of 12.9-inch ‘iPad Pro’ in face of overwhelming iPhone 6/Plus demand – October 9, 2014
Tim Cook’s mea culpa: iMac launch should have been postponed – April 24, 2013

61 Comments

    1. You wouldn’t expect this from me, but stuff happens. They will fix it and get on with it.

      Where I will be critical is with the aura that’s been projected forever by Apple and their user’s that OSX is infallible. We all know that there’s no such thing. Hopefully some humility will enter the picture now.

      1. I don’t know any Mac users that think Macs are infallible (that’s all in your head), but we do know that Macs are better when it comes to the amount of work needed to secure your computer, and keep it running properly. There’s no argument on that, Macs have a lower total cost of ownership and Mac users are more productive. A big part of that is less fiddling with the machine and OS.

          1. Malware is less of a problem on the Mac. It exists but it’s not something Mac users need to fret about. I know lots of Windows users, and most of them have had some sort of issue with malware buggering up their machines. I don’t know any Mac users that have had a malware issue. That isn’t luck. Macs are more locked down, sandboxed, what have you. There are system level apps at work in OSX, I get warnings about installing apps or downloading files, and there’s some kind of built in anti-malware app as well, XProtect. It is also a numbers game, Windows is targeted much more than Mac.

            I still think it’s mostly in your head, because you’re pissed at Apple about something or other, you’re projecting maybe? Malware is less of a problem on the Mac, that’s just the way it is. I got my parents an iMac, I wouldn’t ever buy them a Windows machine, that would be a nightmare, I don’t have the time to support it and keep it running and safe for them.

            1. Malware is indeed less of a problem on the Mac. But I still think that an exposure like this ought to bring some humility. I have a huge aversion to BS, and in this case some humble pie is not wrong.

              On the other hand, I do have several axes to grind, but I always try to respond with facts, and if you notice, I actually was supportive of Apple in my opening comment. Switching to Apple in 2008-2009 got me my “cynicism” stripes. I don’t like IT departments over my property that I don’t control. But I digress….

            2. “Malware is indeed less of a problem on the Mac.” Yes, that’s what I said. You are imagining a lot of “the aura that’s been projected forever by Apple”. People aren’t stupid, they know Macs aren’t invulnerable, but they also know they don’t have to worry too much about malware on the Mac. You have to try to get malware on a Mac, there’s so many warning dialog boxes popping up and in many cases you would have to enter your admin password to install or run the malware. OSX generally works so smoothly that it is glaringly obvious when something out of the ordinary is happening. Makes it easier to catch malware before you accidentally install it thinking it’s an update for whatever.

            3. My wife uses it now, I have to help her with Windows 10, it’s a mess compared to OSX. I’m not deflecting, I’m just stating that malware is far less of a problem on OSX, and you already agreed to that, thanks.

              Your assumption is that Apple hasn’t been humble about security. I would say they have been, they do a lot of work on security and they patch things pretty quick, and they introduced a lot of security measures over the last ten years. You think Apple needs to eat humble pie because you have some kind of problem with Apple. I don’t know any Mac users who think Apple is perfect. You’re just making another assumption, projecting your issues on others.

              I have no problem saying Apple screwed the pooch on this one. Then they fixed it. Who is telling you Apple is perfect and never makes mistakes? I don’t know anyone who says that. That’s why I’m saying it’s mostly in your head.

            4. I didn’t say Macs do x, y, z. I said malware is much less of a problem on the Mac and you AGREED. You can’t seriously be using a single decade old ad to ‘prove’ Apple is saying Macs don’t get any viruses ever? Come on man, nobody believes that, people aren’t that stupid, they know it’s an ad. The takeaway from that ad is that malware is much less of a problem on Macs, and I’ll remind you that you AGREED that was true. As for your analysis article, the main point in it is “The main message throughout all of the commercials is that MAC is a better computer” and that is true, OSX is much easier to use, more worry free, more productive, Macs have a longer usable lifespan, lower TCO, etc.

            5. You said…

              “there’s so many warning dialog boxes popping up and in many cases you would have to enter your admin password to install or run the malware. ” Windows too.

              “and there’s some kind of built in anti-malware app as well, XProtect.” Windows too, it’s called Windows Defender and Windows firewall.

              Let’s not even debate the “runs more smoothly”, yes it does. It does less. Macs generally aren’t easily upgradable, Windows needs to support the universe of hardware. Apple has problems even with their limited subset.

            6. Well duh, OSX and Windows do similar things. That was never the discussion. You said “Malware is indeed less of a problem on the Mac.” That was my point and you AGREED. Get over it. However, it is also true that Windows is far more clunky and awkward getting those similar things done. I know, I have to help my wife use Windows 10. Given a choice I would not use Windows, it is not a pleasant experience. It is a necessary experience in some cases, but none of that was central to our discussion. I said “Malware is less of a problem on the Mac.” and then you finally AGREED saying “Malware is indeed less of a problem on the Mac.” That’s the end of the discussion I’m afraid. You AGREED with my central argument. I win. Go home now.

  1. I hate misleading pictures of the Mac Pro like that one… it’s absolutely NOT black. It’s just a silvery mirror finish, brushed aluminum not even tinted black.

    Anyway, just enable the root user yourself, and set an actual password. Problem solved. Just make note that you should disable it either after the bug is fixed or before you sell it/give it away.

    1. Uh, Kate? I have one. It’s not a silvery mirror mirror finish. . . and brushing such a mirror finish ruins the mirror. It’s anodized black.

      But, you’re right about mitigating this problem. Just enable the Root user and add a complex password and then disable the root user. Problem solved. You don’t need to wait to disable the root user. Do it right away WITH the password selected. It remains.

      1. I’ve seen them in the store, they’re not black unless you’re colorblind or in a pitch black room. They’re silver and reflective.!5&37 look like garbage. Put it next to a jet black iPhone 7 or a black stainless steel watch and you’ll see what I mean. They look like the trashy chrome you see on mororcycles, not as pictured in marketing images.

    2. I don’t think its meant to be the actual Pro. That is MDN’s “Misplaced Priorities Trophy”, which I am guessing is meant to look like the Pro but as a trophy (all shiny but black since its an “anti-trophy”, or a “losers” trophy.)

  2. Under Tim Cook Apple SW has become the land of eternal beta- way too much stuff is not ready to ship when released.

    Speaking of the mythical Mac Pro trotted out earlier this year- you have not heard or seen a peep from Apple since. My guess is that was a PR stunt to shut up the online discontent with Apple. They hope the Fanbois enjoy their new overpriced iMac painted Black and called a Pro device.

    Tim Cook, if a user cannot upgrade it, put standard memory, expansion cards, graphics cards and such, it is in no way a Pro device beyond the term applied for marketing.

    1. It’s actually the agile development process. You release a minimum viable product, then iterate the heck out of it. There’s no complex electronic gizmo you buy today from anywhere that won’t be upgraded multiple times.

      1. You are wrong – again. I did write a longer response but MDN has blocked me because I put them right on taking a day to get up to speed with this actual while there were too busy pretending to use Pixalmator Pro. So hard to circumvent MDSnooze blocking 😂😂😂😂😂😂😂😂😂

    1. It is, Jared, but that’s no excuse for Apple. I’ve never bought anything but Apple since my first 1986 Mac Plus, but I’ve always, and still say, if I ever find anything I think is better, I’m gone. I’ve been very tolerant with much of Apple’s junk.

  3. Apple is in disarray. Jobs would never have allowed this to happen. But that’s why Apple is producing mediocre products, following instead of leading and postponing product releases.

    Oh yea, and Apple is now working on driver less cars.

  4. Thanks MDN my confidence is restored even though it took you too long to put it on the site and comment.

    I absolutely agree that all the attention to very detailed matters on the new spaceship clearly wasn’t applied to their products and thus was a highly misapplied effort.

    I’m an Apple customer for 3 reasons only:
    1) privacy
    2) security
    3) well designed products

    My confidence in Apple is starting to erode.

    1. My confidence in Apple has been eroding for years. There’s a laundry list of “wtf were they thinking” that I just cannot and won’t waste my time defending them against.

      They’re just lucky the iOS/Mac ecosystem and integration is sufficiently good (for now) to keep myself and others from jumping to the alternatives, which are even worse. Unless they get their act together though, at some point it becomes impossible to justify the cost that Apple demands on things. Already there’s Apple die-hards discovering Alexa’s apparent superiority to Siri thanks to the low-cost Echo Dots and non-shipping Homepod.

    2. “Thanks MDN my confidence is restored even though it took you too long to put it on the site and comment.”

      Too long, indeed. I submitted it as soon as I heard it yesterday, which was just about an hour after it hit the interwebz. The solution is failry obvious to anyone here, so we just needed to be aware, not told how to fix it. And for those who couldn’t have determined the solution, our feedback would have quickly set them on the right path.

      “My confidence in Apple is starting to erode.”

      Ditto. 🙁

    1. Well, that is the issue isn’t it? It is possible to have a normal user, or even an administrator without a password. You can even do it on a Windows PC. . . but on a Mac, Root should always require a password.

    2. This issue can only come up if the Mac has multiple accounts enabled and is configured to ask on the lock screen which account to log into. It might be useful to have a guest or children’s account that has limited access to resources and no password. That is no worse security than having a password that is posted on the device with a sticky note. Similarly, a user who is confident that their device is physically secure may rely on having just the protection of an obscure user name without an additional password.

      My guess is that this is a shortcut the High Sierra coders put in to expedite access to the root account during development and then forgot to remove. Stupid and inexcusable, but understandable. Illustrates why back doors are a terrible idea.

  5. Most people do not leave their computer laying around for someone to try and login as root. yeah its a stupid flaw, but like anything Apple does, its always overblown, Windows is a security cesspool and it always gets a big ho-hum…

    The very fact that someone seemingly literally tripped over the issue it seems after the OS has been out for months.. shows how obscure the issue is.. Apple will patch it shortly and its all done..

    1. For every security issue, my first question is “do they need physical access to the computer”. If they do, then my concern drops immensely. (plus, I always enable root for “reasons” so this doesn’t affect me.)

      1. This can actually affect users remotely according to the discussion about it (yesterday!!) when it was more timely reported by AppleInsider.com not sure if that is true and wouldn’t know how to do it, but I think that maybe you are, well you know….wrong again. Twat.

    2. Not exactly true if you use a Mac in a work environment. I heard of workers at software companies sending embarrassing emails if they find co-workers have left their machine unlocked. With this exploit, it would be very easy to enable root access.
      In that sense the root issue becomes very dangerous when the machine is in a work environment. Obviously users should always lock their machine when they go away (even for a few minutes like going to the bathroom). For a laptop that is easy since you just close the lid.

    1. No, this is an issue in which when root is disabled this exploit makes it active.
      The best solution is to enable root and create your own password, this prevents the exploit working.
      Instructions are in the linked to article.

    2. In many work environments, the IT guys use root access to control how ordinary users can use the machine. If they have done this to a particular Mac, root has a password and the exploit will fail.

      This can only come up if the machine has multiple user accounts (so that the lock screen requires entering both an account name and password), one of those accounts is not already root, and an intruder tries to log in as root multiple times with a blank password.

      Assuming that everybody installs the security update from this morning, it cannot come up at all.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.