The issue, discovered in the MacOS High Sierra operating system for laptops and desktops that was released in September, allows people to enter the word "root" when prompted for a username, and provide no password when logging on to the device.
It appears the flaw is isolated to High Sierra 10.13.1 (17B48).
Once a root password has been set, the exploit will no longer work, because the system will already have a root account enabled with an actual password attached to it.
Even when it's not possible to enter a user name at the main macOS login screen, the flaw can be exploited via the System Preferences settings.
A demonstration of the security flaw. (Image: CNET)
Apple is yet to comment, but I suspect a quick trip to the locksmith is in order. The attacker needs only to head to Users & Groups, click the lock at bottom-left, then try to log in as "root" with no password.
To do so, open the System Preferences and click on the "Users & Groups" option.
Currently, there is no official fix from Apple regarding the issue.
In the dialog that pops up, click "Open Directory Utility"; from the tool's menu bar, select the Edit menu, and then "Change Root Password".
Some users are reporting that you can change your root password to fix the issue, but Apple has not issued official guidance yet.
Click the lock icon in Directory Utility's window and authenticate. Changing the root password is the workaround for now. (The company maintains an invite-only bug bounty program.) Despite its incredibly alarming simplicity, The Verge is not reproducing the steps to bypass High Sierra's login screen here.
You can patch this problem right now by creating a root account manually and giving it a secure password.
Once a password has been set for the "root" account, the flaw that allows a person to log in as "root" with no password will no longer work.
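As an added example (not code from the article or from Apple), the script below turns the article's workaround into a defender's check: it decides whether a Mac is on the build the article names and whether the "root" account already carries a password, and otherwise points at setting one. It assumes that `sw_vers -buildVersion` prints the build string (for example `17B48`) and that `dscl . -read /Users/root Password` prints `Password: *` when no usable password is stored for root; both commands exist on macOS, and the sample `dscl` output used in the offline demonstration is constructed.

```shell
#!/bin/sh
# Added example: check for the High Sierra empty-root-password condition and
# apply the article's workaround (give root a real password) when needed.
# Assumptions (not stated by the article): `sw_vers -buildVersion` prints the
# build, and `dscl . -read /Users/root Password` prints "Password: *" when root
# has no usable password. Sample strings in demo() are constructed.

# Returns 0 when the build string is the one the article identifies as affected.
is_affected_build() {
    [ "$1" = "17B48" ]
}

# Takes the text of `dscl . -read /Users/root Password` and returns 0 when root
# has a real password (anything other than the "*" placeholder).
root_has_password() {
    case "$1" in
        "Password: *") return 1 ;;   # placeholder: no password stored
        Password:*)    return 0 ;;   # a hash is stored (printed masked)
        *)             return 1 ;;   # unexpected output: treat as unprotected
    esac
}

# Live check; only runs where the macOS directory tools exist.
check_live() {
    command -v dscl >/dev/null 2>&1 || { echo "not macOS; nothing to check"; return 2; }
    build=$(sw_vers -buildVersion)
    pw=$(dscl . -read /Users/root Password 2>/dev/null)
    if is_affected_build "$build"; then
        echo "build $build is the affected High Sierra build"
    fi
    if root_has_password "$pw"; then
        echo "root already has a password; the empty-password login no longer applies"
        return 0
    fi
    echo "root has no password; set one with: sudo passwd root"
    return 1
}

# Offline demonstration with constructed dscl output (runs on any POSIX shell).
demo() {
    unprotected="Password: *"
    protected="Password: ********"
    if root_has_password "$unprotected"; then
        echo "constructed unprotected sample wrongly judged protected"
    else
        echo "constructed unprotected sample: workaround needed"
    fi
    if root_has_password "$protected"; then
        echo "constructed protected sample: workaround already applied"
    fi
}

demo
```

On a Mac, call `check_live` instead of `demo` to inspect the real account; the remediation command it prints, `sudo passwd root`, sets the root password from the terminal and is equivalent to the Directory Utility steps above.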