Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Apple
    • Apple
    • Cybersecurity

    Apple to Patch Yet Another macOS Password Security Flaw

    By
    Sean Michael Kerner
    -
    January 11, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Apple

      A security researcher is warning of a new password bypass vulnerability in Apple’s macOS High Sierra desktop operating system, though the flaw is not nearly as severe as other issues that Apple has patched recently.

      Security researcher Eric Holtman publicly reported the password bypass issue on Jan. 8 by. Apple reportedly already has a fix in place for it as part of the macOS 10.13.3 update, which is in beta testing.

      “The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password,” Holtman warned in an advisory.

      The AppStore preferences menu in macOS High Sierra provides a number of options for users, including requiring a password to be used for app and in-app purchases. The use of the password lock is intended to provide a mechanism that prevents any user with local access from changing the preferences without entering the proper password.

      While enabling users to bypass what should be a set of password-secured options isn’t a good idea in any circumstances, the actual risks are somewhat muted. Holtman wrote in the advisory that the flaw only works for users logged in as a local administrator on a macOS High Sierra system. In a series of Twitter messages on Jan. 10 directed at multiple media outlets, Holtman emphasized that the issue is not critical. He noted that any logged-in admin user could easily unlock the AppStore preferences settings if they chose to do so.

      “This needs admin access to the machine already and only affects the AppStore prefs,” Holtman wrote. “All other system prefs do not unlock this way. Likely an oversight in the security changes in 10.13.x.”

      The issue, however, is that multiple other password security oversights have been uncovered in macOS High Sierra 10.13.x in the months since the operating system was released in September 2017.

      Barely a week after macOS High Sierra debuted, Apple issued a supplemental security update for two critical password-related vulnerabilities in the OS. In November 2017, Apple once again released an update for macOS High Sierra, after a researcher reported via Twitter that anyone could log in as “root” with an empty password on macOS High Sierra. 

      To be fair, the AppStore issue that was reported on Jan. 8 does not represent as much risk as the November 2017 issue, identified as CVE-2017-13872. With CVE-2017-13872, Apple warned that an attacker could bypass administrator authentication without supplying the administrator’s password. With the AppStore preferences issue, an attacker would already need to have root access to a system.

      What is worrisome though is that these issues exist in the first place and keep popping up. It’s hard enough to keep passwords safe in the modern threat environment, but when system preferences that should be secured by passwords are not actually secured, then there is reason for concern.

      It could just be a set of unfortunate coincidences that have led to all the different password-related issues with macOS High Sierra. Then again, as Holtman wrote, it could just be an “oversight.” Considering the critical role that passwords continue to play in modern IT security, though, having an oversight in password technologies isn’t particularly reassuring.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×