Apple has said it is working to fix a serious security flaw in its Mac OSX operating system was uncovered.
The bug allows anyone with access to a Mac running the latest OSX High Sierra to gain full administrator access to the computer using the username “root” and no password.
An Apple spokesman explained a workaround to MacRumours that helps OSX users secure their computers until the patch is released:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
The security issue, which was discovered by Turkish developer Lemi Ergin, would give anyone with physical access to a computer the ability to view all files and folders on the device. Security researchers have warned Apple users to keep their MacBook within sight or stored in a secure location at all times until Apple releases a fix.
Ergin faced criticism for publicly announcing the bug on Twitter, rather than following the traditional process of “responsible disclosure”, where researchers privately inform a company about a security vulnerability and give them a period of time before making their discovery public. This process protects users, as it generally means that companies like Microsoft or Apple will have issued the update to secure their systems before hackers become aware of the flaw.
Apple has long claimed that its software is inherently secure, but that has never been true. For years Apple computers were more secure, but that was because their market share was so small that few hackers were interested in writing software to attack the company’s userbase. However, since Apple’s resurgence over the last decade, the number of malware targeting OSX users has been on a steady rise.
Whilst not malware, this latest security exploit demonstrates that there is no software that is totally secure, especially software as complex as a modern computer operating system.
Lee Munson, security researcher for Comparitech.com, commented:
“It wasn’t that long ago that Apple was winning the desktop security space by a large margin, primarily through the advantage of obscurity versus its Windows competition.
“Times have changed though and we can no longer say that Macs don’t get viruses and nor can we say that they are immune to potentially very serious bugs either.
“The latest of those bugs to emerge is about as serious as it gets too; the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to.
“Of course, this is all mitigated by the fact that remote access can only be gained if the bug is first leveraged through physical access to the device, so home users have very little to worry about and businesses should also be okay, as long as they are on top of access control and visitor policies.
“Even so, all Mac owners would be well advised to install the resultant patch, just as soon as it becomes available.”
