Major bug in macOS: Users can access system without password
Last updated on Nov 29, 2017, 10:52 am
After a series of bugs in its latest iOS 11 update for iPhones, Apple is now struggling to deal with similar problems in the most recent macOS update.
This flaw in macOS High Sierra allows users to enter the system without providing a password and even gain powerful administrator rights.
This undoubtedly presents major risks.
Here's how you can protect your system.
What does the bug do?
The bug was brought to light by Turkish developer Lemi Ergin. Ergin noticed that if he entered "root" as the username, left the password field blank and hit "enter" a few times, he gained unrestricted access to the system.
However, Ergin was criticized for unethical behavior: security professionals are expected to notify companies of bugs and give them time to correct things before going public.
How dangerous is it?
Users with root access have more power over a machine than a normal user. For example, they can even manipulate files belonging to another account on the same machine.
They could install malware or delete crucial system files, rendering the machine unusable.
Though a user would need physical access to a system, someone with unauthorized remote access could also exploit this bug.
How can you protect your system?
The key is to set a root password instead of leaving it blank. Go to Menu > System Preferences > Users & Groups.
Click on the lock icon and enter an administrator name and password.
Go to Login Options > Join > Directory Utility.
Click the lock icon, then enter an administrator name and password.
Go to Edit > Change Root Password.
Enter a new root password.
What is Apple doing about it?
Apple has announced it is "working on a software update to address this issue".
However, experts warn that in its hurry, Apple shouldn't lose focus on the primary goal: security.
"They will need to be careful the patch doesn't introduce some other problem as they've not had time to properly test it," said Prof Alan Woodward of the University of Surrey.