November 29th 2017
Apple MacOS High Sierra users are being urged to take precautions against unauthorised access to their computers, until Apple issues a fix to a significant security flaw, announced yesterday.
The glitch in the latest version of the Apple operating system for its computers enables anybody to enter the word ‘root’ when prompted for a username and hit the ‘enter’ key repeatedly until access is granted, without having to enter a password. Although it has been widely reported that this has to be done in the presence of the computer, it is thought that in at least one instance a computer has been accessed remotely using the root login. Former CIA employee and NSA contractor Edward Snowden commented on Twitter: “Imagine a locked door, but if you just keep trying the handle, it says ‘oh well’ and lets you in without a key.”
Steve Troughton-Smith, a Mac software developer, tweeted: “A password prompt that authenticates as root with an empty password would be a black eye for any OS. Never mind one from a security and privacy-conscious company such as Apple” (Apple’s software has a widespread reputation for being less vulnerable to malware infections and hacking than rival Microsoft’s Windows).
In a statement, Apple’s Senior Director of Corporate Communications, Bill Evans, said that the company is “working on a software update to address this issue. In the meantime, setting a root password prevents unauthorised access to your Mac.” This can be done by navigating to System Preferences, selecting Users and Groups, clicking Login Options on the left side of the menu, clicking the Join button next to Network Account Server, clicking Open Directory Utility, then clicking Edit in the Mac’s menu bar to assign a password. Instructions can also be found on Apple’s website.
Security experts have urged Apple to make sure its patch is not rushed out at the risk of introducing other problems. The University of Surrey’s Professor Alan Woodward told the BBC: “Haste and security don’t make good bedfellows.”
The flaw was discovered by Turkish software engineer Lemi Ergin, who disclosed it publicly on Twitter, drawing widespread criticism that he should have approached Apple in the first instance.