A critical patch for a vulnerability in Apple’s macOS High Sierra may not be properly applied if a user also updates the system software.
The vulnerability, which was made public on Nov. 28, could allow a malicious user to bypass authentication dialogs and even potentially acquire root system privileges. Apple released the High Sierra patch the following day, but users have reported the patch being undone depending on system updates that were applied.
According to many users on Twitter, and as first reported by Wired, if the Apple system was running macOS 10.13.0 and not the newer 10.13.1 version, the High Sierra patch would be undone after the system update was applied. Additionally, re-installing the High Sierra patch after the system update would require a reboot to properly apply the fix, but users were not getting the notification that a restart was necessary.
Apple has since updated its patch notes to include these issues: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.”
MacLemon, a Mac sysadmin and independent security researcher, said the system update downgrading the High Sierra patch shouldn’t be surprising.
“It’s mostly expected that an older update installed over a newer system downgrades components. The failure here is that Apple doesn’t show the Security Update 2017-001 again after reinstalling 10.13.1,” MacLemon told SearchSecurity via Twitter Direct Message. “It’s part of Apple’s growing carelessness for the Mac in general. Since they changed the development process to release on time instead of when done, Mac OS X/OS X/macOS quality and stability has been in steady decline. Banana software shipped green that ripens at the customer.”
Because of the confusion surrounding the High Sierra patch and the macOS update, users may not know if the patch was applied properly and whether or not they are protected against the root password flaw, as Marc Rogers, head of SecOps for DefCon and head of infosec for Cloudflare, said on Twitter.
Well done @apple By not incrementing patch numbers to hide the fact you messed up first root bug patch and now messing up that patch we have no way of telling who is impacted and who isn’t other than manual checks. https://t.co/CecU4AhUjJ #innovation
— Marc Rogers (@marcwrogers)
December 2, 2017
Experts suggested checking for software updates and ensuring systems have been rebooted.
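The “manual check” Rogers alludes to can be automated from the install history rather than the version number, which the patch did not bump. The script below is an added example, not from the article or from Apple: it parses the install receipts log and flags the three states described above (patch never installed, 10.13.1 installed on top of the patch, or patch installed but no reboot since). The receipts path, the plist keys and the 10.13.1 display name are assumptions; the sample history embedded for offline use is constructed.

```python
"""Classify the state of Security Update 2017-001 on a High Sierra Mac.

Reads /Library/Receipts/InstallHistory.plist (assumed path and keys) and
compares the newest install date of the security update with the newest
install date of the 10.13.1 update and with the last boot time. A
constructed sample history is embedded so the check runs anywhere."""
import plistlib
import re
from datetime import datetime, timezone

HISTORY_PATH = "/Library/Receipts/InstallHistory.plist"  # assumed location
SECURITY_UPDATE = "Security Update 2017-001"             # name used on the page
OS_UPDATE = "macOS 10.13.1 Update"                       # assumed display name

# Constructed sample: the patch was applied, then 10.13.1 was installed over it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>displayName</key><string>Security Update 2017-001</string>
<key>date</key><date>2017-11-29T18:00:00Z</date></dict>
<dict><key>displayName</key><string>macOS 10.13.1 Update</string>
<key>date</key><date>2017-11-30T09:00:00Z</date></dict>
</array></plist>"""


def latest_install(history, name):
    """Newest (naive UTC) install date for a displayName, or None if absent."""
    dates = [e["date"] for e in history if e.get("displayName") == name]
    return max(dates) if dates else None


def patch_status(history, boot_time):
    """Return 'missing', 'superseded', 'reboot_required' or 'applied'."""
    patch = latest_install(history, SECURITY_UPDATE)
    os_upd = latest_install(history, OS_UPDATE)
    if patch is None:
        return "missing"           # the fix was never installed
    if os_upd is not None and os_upd > patch:
        return "superseded"        # 10.13.1 landed after the patch: reinstall it
    if patch > boot_time:
        return "reboot_required"   # installed, but not active until a restart
    return "applied"


def boot_time_from_sysctl(text):
    """Parse `sysctl -n kern.boottime` output ('{ sec = N, usec = M } ...')
    into a naive UTC datetime, matching plistlib's naive dates (assumed format)."""
    sec = int(re.search(r"sec = (\d+)", text).group(1))
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(tzinfo=None)


if __name__ == "__main__":
    try:
        with open(HISTORY_PATH, "rb") as f:     # real machine
            history = plistlib.load(f)
    except OSError:                              # elsewhere: constructed sample
        history = plistlib.loads(SAMPLE_PLIST)
    print(patch_status(history, datetime(2017, 11, 30, 12, 0)))
```

On a real Mac, pass `boot_time_from_sysctl(subprocess.check_output(["sysctl", "-n", "kern.boottime"], text=True))` as the boot time; “superseded” means the update must be re-applied, and “reboot_required” means it is installed but not yet effective.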
Root passwords and the High Sierra patch
When the High Sierra root flaw was first announced, an early suggestion from experts was to create a password for the root user. However, MacLemon noted this could cause security issues as well.
For those who hastily set a root password to mitigate the macOS High Sierra root login security issue:
You’ll forget to turn off that bad root password once the issue is fixed and you have installed a patch.
Many Macs will have weak root passwords for years to come. #onlyApple
— MacLemon (@MacLemon)
November 29, 2017
Additionally, Adam Nichols, principal of software security at Grimm, said creating this password would not be a full fix anyway.
Fun fact: manually disabling the root account once it was enabled by the recent MacOS auth bug mitigated the bug on the login screen, but it did not mitigate it via VNC. In other words, VNC would keep re-enabling the account while the login screen would not. Patch fixed that too.
— ☣Adam (@AdamOfDc949)
November 30, 2017
A security issue in Apple’s macOS High Sierra could allow an attacker to bypass any authentication dialog and even sign in as a root user.
The macOS flaw gained visibility after Lemi Orhan Ergin, agile software craftsman at payment platform vendor Iyzico, based in Istanbul, Turkey, tweeted about it Tuesday. Ergin asked Apple on Twitter if it was aware of an authentication bypass issue in its desktop operating system that could allow anyone with physical access to a target system to “login as ‘root’ with empty password after clicking on login button several times.”
However, it wasn’t the first time the issue was brought up. Ergin said in a Medium post that the infrastructure team at his company brought the macOS flaw to his attention on Nov. 23rd and there have been Apple Developer Forum posts about the issue as far back as Nov. 13th.
Tim Erlin, vice president of product management and strategy at Tripwire, criticized Ergin for his tweet.
“Failing to follow responsible disclosure guidelines puts everyone at greater risk,” Erlin told SearchSecurity. “Public disclosure like this, especially with a major vulnerability, ensures the widest possible distribution of the information among malicious attackers, and instills a sense of urgency to attack before a patch is available.”
Xavier Mertens, security consultant for SANS Internet Storm Center, said in an alert that a “quick fix” would be to create a password for the root user.
Apple released a patch for the macOS flaw on Wednesday and said the issue was due to “a logic error [that] existed in the validation of credentials. This was addressed with improved credential validation.”
Potential other vectors
Will Dormann, senior vulnerability analyst at CERT, found the macOS flaw could be remotely exploitable if Apple’s Remote Desktop system is enabled, and “that gives full interactive remote root access to a system, without requiring a password.”
Apple “Remote Management” also has the same exposure. If “Control” is enabled, that gives full interactive remote root access to a system, without requiring a password. pic.twitter.com/q6hN0gwaNf
— Will Dormann (@wdormann)
November 28, 2017
Additionally, Thomas Reed, a recognized Mac evangelist at Malwarebytes, found this latest macOS flaw “works with any authentication dialog in High Sierra.”
“On a Unix system, such as macOS, there is one user to rule them all. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other,” Reed wrote in a blog post. “Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this bug has been triggered, it turns out you can do anything as root on the first try, without a password.”
Reed added that while this macOS flaw could allow someone to log in to a system locally, or remotely if Remote Desktop is turned on, and be able to “do whatever they want, including accessing your files, installing spyware, you name it,” there is a way to protect data.
“If you have your Mac’s hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor,” Reed wrote. “In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password.”
Initial reviews are in on Apple’s iPhone X — new features dissected, the disappearance of the home button judged. The question: Will this week’s big event in Cupertino, Calif., change anything for CIOs?
Does Apple’s new Bionic Chip with Neural Engine alter how application development teams think about mobile apps? Will the iPhone X’s ARKit, also available on a select number of other iOS devices, take augmented reality mainstream? Will Face ID — the black eye it got for flubbing its big debut notwithstanding — make facial recognition technology ubiquitous?
That depends on whom CIOs turn to for insight. Think of Apple’s iPhone X as a Rorschach test of our hopes, fears and cynicism about the future.
On-chip AI, Face ID
For Forrester Research analyst Brandon Purcell, Apple’s new augmented reality (AR) capability ranks behind the real game changer for CIOs in Tuesday’s news: “The biggest piece is this neural engine, which actually sits on the device itself,” said Purcell, who covers artificial intelligence (AI) for the research company.
“It’s a big deal because it allows artificial neural networks, which are the reason for all the hype around AI today, to run on the phone,” he said.
Neural networks are sophisticated and computationally intensive algorithms that “you had to call to the cloud” in order to use in an app, he said. Combined with Apple’s Core ML framework for machine learning — a capability Apple downplayed Tuesday — “the neural engine and the ability to process neural networks on an iPhone, I think, is going to completely revolutionize apps.”
A CIO’s app development team will be able to incorporate machine learning into apps on the iPhone without worrying about performance degradation. And going forward? Well, he advised businesses start training now for the next level of customer engagement powered by AI: conversational computing. “CIOs should be thinking about how they can help their business stakeholders provide conversational experiences with their brands,” he said.
For example, the chatbots many banks deploy now to field simple queries from customers, when powered by embedded AI, will soon be seen by customers as trusted personal assistants — indeed, as able to give personalized advice on how best to save money or pay back a college loan as a banker in an actual branch.
This kind of conversational computing, as Purcell called it, requires that CIOs understand how to harness massive amounts of unstructured data and use machine learning — in the cloud and on the “edge,” as Apple is doing with its new device.
“We’ll see some stumbles there, of course. It takes a while to perfect these things; you need to train them on data, and that means there are going to be some bad customer experiences that will probably be well-publicized,” he said. “But this is where banking is going and where all businesses are going.”
He predicted Apple’s Face ID feature, enabled by the neural engine, will also prove to be transformative. “Given the ubiquity of iPhones, this is going to become a ubiquitous feature and is eventually going to bring about universal acceptance of facial recognition.”
CIOs must begin now to figure out how to use facial recognition as a tool for employees and customers, he said — and how they are going to store this incredibly sensitive data.
Apple Watch, the ARKit effect
Jonathan Reichental, CIO of the Palo Alto city government and a leader in urban tech, watched the whole presentation this week. He said he believes the new Apple Watch may have a bigger impact on the enterprise than the iPhone X. “I think the cellular addition to the smartwatch was one of the more profound things that happened,” he said. He expects a wave of innovation will emerge from users having computer power and the internet on their wrists.
“It’s a little ugly now — I wouldn’t get it,” he said, referring to the current design, “but I do think that now that they have figured out how to miniaturize all the technology, you’re going to see better designs in the future.”
He said he also believes Apple’s mainstreaming of augmented reality is a “big deal.” He cited the demo of IKEA’s iPhone X augmented reality app that allows customers to picture items from its catalog in their homes. “Up until now, augmented reality has been a bit of a tease,” Reichental said.
The AR technology displayed by IKEA marks a new era. When the sofa projected into your living room no longer wobbles, but sits just where you put it, or the shoes you select from a virtual catalog really look like they’re on your feet, customers will start to trust the technology. That changes not only how retail works, but how reality is perceived, he said.
Gartner analyst Tuong Nguyen said he expects the ARKit will raise awareness and the “overall tide of the augmented reality market,” precisely because of Apple’s ability to make tech easy, fun and compelling for users.
“ARKit brings that acknowledgement of AR to the industry. On top of that, you’re going to have the largest base for AR — all these iPhone users,” he said.
Apple, true to form, did not invent the technology; the company may even have ceded ground in AR over the past year to Amazon and Google, Nguyen said, but the Apple imprimatur remains powerful. “Apple tells you what’s cool and when it’s cool.”
Ten years ago
Reichental, for one, was taken aback by the reaction of many colleagues to Apple’s news this week. “I am surprised by how many were down on it — ‘I don’t see anything interesting; it’s sort of boring.’ ‘Wow,’ I was thinking, ‘are you so immune to the incredible brilliance of what’s been done?’”
The new Apple campus and gorgeous Steve Jobs Theater were something to marvel at, he said, and the presentation — with stunning video — not to be taken for granted.
“My view is that Tuesday was everything that is great about American innovation and design — just beautiful,” said Reichental, a native of Ireland.
Does Apple’s iPhone X represent the type of radical change ushered in by the debut of the iPhone a decade ago? Perhaps not, he said, but it’s early to say.
“I remember that presentation 10 years ago like it was yesterday. I think we were pretty happy then that Apple finally had a viable phone,” he recalled. The company had been working with Motorola on the RAZR, “and it wasn’t very good.” The inaugural iPhone was a different matter — very cool and the touch feature, in particular, representing a “pretty dramatic” change.
But it wasn’t until the company decided to open up its app ecosystem that it became clear that the iPhone would change the world, creating new businesses, billions of dollars in economic value and, of course, bringing enterprises and enterprise computing onto the phone. “There is not a mature enterprise vendor that doesn’t have a mobile app version of its solution.”
Seeing the future
The lack of enthusiasm for this week’s events on the part of some naysayers, Reichental chalks up to a lack of imagination. “It’s one of those things, for a lot of us, that it’s only when we see the application of the tech that we realize how profound it is. But up until that time, we can’t quite grasp it,” he said.
A failure of imagination can be a career-killer for IT execs, Reichental said. Certainly, it’s not easy to foresee the implications of emerging technology for enterprise IT, consumer tech especially. CIOs must evaluate the applicability of Apple’s iPhone X in between everything else they have to deal with. But the people who design these phones are thinking day in and day out about what these devices can do, and it behooves CIOs to remember that.
Analyst Johna Till Johnson, of Nemertes Research, came away from this week’s news seeing Apple’s iPhone X as “useful as a visionary tool” for reimagining the endpoint.
“You can pack so much computing power into these devices that they’re really not a phone anymore,” she said. “If you’re smart, you take the device as a vision of the future and recognize that’s the direction we’re going in.”
CIO news roundup for week of Sept. 11
Here’s what else happened outside the bubble of Apple’s iPhone X:
Equifax to be hit with first state lawsuit. Equifax shares plunged 15% Wednesday after Massachusetts Attorney General Maura Healey announced plans to file a lawsuit against the credit-reporting company. The lawsuit will claim that Equifax didn’t maintain proper safeguards to protect consumer data, violating the state’s consumer protection and data privacy laws. “In all of our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen. My office is acting as quickly as possible to hold Equifax accountable for the risks that millions of consumers now face,” Healey said in a statement. So far, over 50 class-action lawsuits have been filed against Equifax as a result of the data breach that exposed the personal and financial data of 143 million customers.
Microsoft unveils new cloud security service. Microsoft announced Thursday it has teamed up with chipmaker Intel to offer a new cloud computing service dubbed Azure Confidential Compute. The new Microsoft Azure service is focused on ensuring data security in the cloud by encrypting data while in use. “This means that data can be processed in the cloud with the assurance that it is always under customer control,” Microsoft Azure CTO Mark Russinovich said in a blog post. With confidential computing, customer information is placed in a virtual enclave that prevents anyone but the customer from accessing the data, Microsoft touted.
Samsung’s $300 million autonomous driving fund. The electronics giant has unveiled the Samsung Automotive Innovation Fund created to support the development of connected cars and autonomous vehicle technologies. Samsung also announced the establishment of a new strategic business unit focusing on developing autonomous and advanced driver-assistance systems. The new unit was established by Harman, a company that Samsung acquired in March. “The Autonomous/ADAS Strategic Business Unit and automotive fund reflect the company’s commitment to the values of open innovation and collaboration,” Young Sohn, president and chief strategy officer of Samsung and chairman of the board at Harman, said in a statement. The news comes just two weeks after Samsung received approval to test self-driving cars on California roads.
Assistant site editor Mekhala Roy contributed to this week’s Searchlight news roundup.