Apple released patches to address vulnerabilities in macOS High Sierra.
Apple had to rush out an update for serious vulnerabilities in macOS. The flaw was so serious that anybody with access to a Mac could bypass the system login and become the root account.
The macOS High Sierra vulnerability is so bad that it literally puts your personal data at risk. Lemi Orhan Ergin, the developer who discovered this flaw, contacted Apple Support and sought their opinion after he discovered that anybody with physical access to a Mac can access the system and change files without admin credentials.
Users who have not changed their root password or disabled the guest user account are exposed to the vulnerability. Apple has released instructions on how to secure yourself until the patches are ready.
An Apple spokesperson issued a statement saying: “We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
The update comes little more than a week after Apple realized the potential risk this poses to thousands of users across the world. This week's High Sierra update addresses a total of 22 CVE-listed flaws in the macOS operating system. Eight of the patched flaws are in the macOS kernel and would allow code execution with system privileges if targeted.
Toronto researcher Trevor Jacques found the flaw CVE-2017-13826, in which the macOS Screen Sharing Server ‘IAmRoot’ would let anyone with screen sharing access control a Mac with root privileges, owing to an error in permissions handling.
Three vulnerabilities in the Intel Graphics Driver, found by Google Project Zero, allowed an attacker to crash the system or read kernel memory contents.
In the macOS Mail app, a bug (CVE-2017-13871) allowed encrypted messages to be sent out unencrypted, which also allowed the messages to be intercepted and read.
Mac users on the older version will get a separate update for Sierra; this will be followed by updates for iTunes on Windows.
Hopefully, with the latest patch, Apple addresses the vulnerability that was present in macOS High Sierra as well as in the developer and public beta versions.
Kevin Jones