A common assumption is that Macs are more secure than Windows PCs, but the discovery made by developer Lemi Ergin may cause people to rethink that. A flaw in macOS High Sierra (10.13) allows users to gain admin rights by logging in as 'root'... without a password.
That's right: if you leave the password field blank in the authentication dialog and press Enter a few times, you're in. Simple as that. A pretty major and embarrassing slip-up from a company like Apple. So how did it happen?
This is a basic bug that should have been spotted early on in the testing stages of the most immature software, let alone in the operating system of a tech giant like Apple. It serves as a harsh reminder to users that they can't rely on inbuilt security or a brand name alone.
The fact that this bug can only cause damage on a device that a trusted user can access physically or remotely should not be a comfort. In a business setting in particular, over-privileged users are a significant threat to data security: it only takes one employee with over-privileged access to a system or sensitive information to cause a breach. Bugs like this one in High Sierra make that far easier and significantly increase the risk of breaches for businesses.
What makes this worse is that many senior executives in organisations use Macs, and the irony is that they have the least managed, least secure device with the most access to data. So what can you do?
Controlling privileges on macOS
The challenge of controlling privilege on macOS has grown in recent years as more companies adopt macOS or allow BYOD. It is common practice for macOS users to be given admin accounts as standard; however, this introduces a significant attack surface and makes the systems harder to manage. Just as on the Windows platform, removing admin rights and implementing least privilege is the key to securing and managing endpoints.
Avecto Defendpoint for Mac offers enterprise-grade privilege management for macOS and allows organisations to remove the risk posed by admin users. Defendpoint for Mac contains numerous security measures to prevent tampering and abuse, and these prevent this vulnerability from being exploited out of the box. This means that users who have Defendpoint for Mac v5 or higher installed are automatically protected.
The short clip below shows how Defendpoint is able to mitigate this issue before it can even become a widespread problem. It shows how the issue looks on a machine running without Defendpoint installed, and then with Defendpoint installed.
As you can see, our product effectively prevents the attack from occurring and nips this security issue in the bud.
For users without Defendpoint for Mac, it is really important to change the root password to prevent this issue. This can be done by running the following command from the macOS Terminal, "sudo passwd -u root", and then setting a new, secure password.
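As an added example (not Avecto or BeyondTrust code, and not part of the original post), the following POSIX shell script performs the two checks this post argues for: it lists which accounts hold admin rights, so over-privileged users can be found and removed from the admin group, and it reports whether the root account is still in its disabled state. It is an audit only; the password change above remains the fix. The script assumes the dscl record formats shown in its comments: the sample records and the ';DisabledUser;' marker are constructed assumptions, and the live dscl queries only run on macOS, so it runs offline on any system using the samples.

```shell
#!/bin/sh
# Added audit example (not Avecto/BeyondTrust code). It reads the Directory
# Services records that macOS exposes through dscl and answers two questions
# a least-privilege review asks: which accounts hold admin rights, and is the
# root account still disabled?
#
# Assumed record formats (constructed below so the script runs offline):
#   dscl . -read /Groups/admin GroupMembership
#     -> "GroupMembership: root alice bob"
#   dscl . -read /Users/root AuthenticationAuthority
#     -> contains ";DisabledUser;" while root is disabled (assumption)

SAMPLE_ADMIN_GROUP='GroupMembership: root alice bob'
SAMPLE_ROOT_DISABLED='AuthenticationAuthority: ;DisabledUser;'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Print every member of the admin group except root, one per line.
admin_members() {
  printf '%s\n' "$1" | awk '
    /^GroupMembership:/ { for (i = 2; i <= NF; i++) if ($i != "root") print $i }'
}

# Number of non-root admin accounts. A least-privilege target is zero, or a
# small set of dedicated administrative accounts, not every user.
admin_count() {
  admin_members "$1" | awk 'END { print NR }'
}

# "disabled" when the DisabledUser marker is present, "enabled" when the
# attribute exists without it, "unknown" when the attribute is missing.
root_state() {
  case "$1" in
    *';DisabledUser;'*)           echo disabled ;;
    *'AuthenticationAuthority:'*) echo enabled ;;
    *)                            echo unknown ;;
  esac
}

# One-word verdict so results are easy to collect across a fleet:
# "ok" only when no user holds admin rights and root is disabled.
verdict() {
  v_group=$1; v_root=$2
  if [ "$(admin_count "$v_group")" -gt 0 ] || [ "$(root_state "$v_root")" != disabled ]; then
    echo review
  else
    echo ok
  fi
}

# Query the live system only on macOS; elsewhere fall back to the samples.
if [ "$(uname)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
  admin_group=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
  root_auth=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true)
else
  admin_group=$SAMPLE_ADMIN_GROUP
  root_auth=$SAMPLE_ROOT_ENABLED
fi
echo "admin accounts: $(admin_members "$admin_group" | tr '\n' ' ')"
echo "root account:   $(root_state "$root_auth")"
echo "verdict:        $(verdict "$admin_group" "$root_auth")"
```

Run it with plain `sh`; it needs no privileges because dscl reads of the local node are unauthenticated. A "review" verdict means either that standard users are sitting in the admin group or that root is not in its disabled state, both of which are what the post above recommends fixing.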
Remember: it only takes one employee with needless access to sensitive information to cause a breach. Removing admin rights and implementing least privilege is the key to securing and managing endpoints.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.