Apple's macOS Plagued by Yet Another Password Security Flaw

Today’s topics include the release of an Apple patch for another macOS password security flaw; 147 security vulnerabilities found in mobile industrial control system applications; the release of Lenovo’s Miix 630 “Always Connected PC” with Arm processors; and Google’s introduction of an open-source framework for testing Docker container images.

Security researcher Eric Holtman publicly reported a new password bypass vulnerability in Apple's macOS High Sierra desktop operating system on Jan. 8. Apple reportedly already has a fix in place for it as part of the macOS 10.13.3 update, which is being beta tested.

"The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password," said Holtman.

While enabling users to bypass what should be a set of password-secured options isn't a good idea in any circumstances, Holtman said the flaw only works for users logged in as a local administrator on a macOS High Sierra system and he emphasized that the issue is not critical. He noted that any user logged in as an administrator could easily unlock the AppStore preferences settings if they chose to do so.

The security of mobile applications used to help monitor industrial control system technology is severely lacking, according to a Jan. 11 report from security firms IOactive and Embedi. The researchers found 147 different security vulnerabilities spread across 34 ICS mobile applications that are used with supervisory control and data acquisition systems deployed in industrial environments around the world.

According to this year’s report, 47 percent of the mobile ICS apps had insecure data storage issues. The affected apps enabled users to store data on an SD card or on a virtual storage partition on a mobile device.

Another issue is that 38 percent of analyzed ICS mobile apps did not properly configure secure communication methods. The apps were not properly using Secure Sockets Layer/Transport Layer Security certificate validation to verify the integrity of an encrypted server connection.

Lenovo made its contribution to the "Always Connected PC" cause with the Miix 630, a 2-in-1 detachable-screen notebook PC that runs Windows on an Arm architecture processor from Qualcomm.

The 12.3-inch Lenovo Miix 630, announced at CES 2018 in Las Vegas, uses a Qualcomm Snapdragon 835 processor that can enable up to 20 hours of battery life between charges. The Snapdragon 835 is a 2.45GHz, eight-core, 64-bit chip.

When it goes on sale in the second quarter of 2018, buyers will be able to select configurations with 4GB or 8GB of RAM and up to 256GB of onboard storage that’s expandable with an SD expansion card. Prices will start at $799.99 with an included detachable keyboard and cover and a Lenovo digital pen for on-screen inking.

Google has announced the Container Structure Test framework, which gives enterprises a way to verify the structure and contents of individual containers to ensure that everything works properly before it is sent into production.

Google developers have been using the framework to test containers internally for more than a year and the company decided to release it publicly because it offers an easier way to validate the structure of Docker containers than other approaches.

Google's Container Structure Test framework supports four different types of unit level tests for Docker containers: command tests, file existence tests, file content tests and metadata tests. The new test framework reflects Google's broader commitment to make things easier for organizations to deploy and manage containers on its cloud platform.