One of the issues fixed in the supplemental update was a critical vulnerability that could have enabled an attacker to steal passwords from the macOS keychain. 5, Apple issued a supplemental security update for two critical password-related vulnerabilities in macOS High Sierra. 25 and included patches for 43 vulnerabilities. The macOS High Sierra operating system was first released on Sept.
The newly disclosed macOS High Sierra vulnerability is not the first time that Apple has had issues with password protection in its new desktop operating system. via testing for this vulnerability) may also expose the root account for use with remote administrative capabilities, such as the built-in “Screen Sharing” or “Remote Management” capabilities.” “Any system that has the root account enabled (e.g. “A local or remote user of a MacOS High Sierra system can obtain root privileges without requiring credentials,” Dormann wrote in a CERT vulnerability note. He reported that if a macOS user has screen sharing or remote management enabled, the user could be at risk from remote exploitation via the root password issue.
The root password vulnerability is also potentially exploitable remotely according to CERT/CC security researcher Will Dormann. “Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key,” Edward Snowden, president of the Freedom of the Press Foundation tweeted. The most serious risk is that the lack of a default root password also enables anyone with local access to a macOS High Sierra system to gain access to a locked desktop with the username root and leaving the password empty. Ergin discovered that any local user on a macOS system could attempt to get root access without the need to enter a password. The vulnerability reported by Ergin is that by default on Apple’s macOS High Sierra operating system, no root password is set in the operating system. “By posting the tweet, I just wanted to warn Apple and say there is a serious security issue in High Sierra, be aware of it and fix it,” Ergin wrote.
0 kommentar(er)
