Apple Working on Patch for macOS High Sierra Password Security Flaw

Today’s topics include a root password vulnerability found in Apple’s macOS High Sierra platform; Apple's countersuit against Qualcomm in an ongoing court fight over patent infringement; the debut of Amazon Web Services' GuardDuty for cloud threat detection; and the expansion of the Microsoft and SAP cloud collaboration with S/4 HANA on Azure.

Apple is working on a patch for a password security issue publicly reported on Twitter by security researcher Lemi Orhan Ergin on Nov. 28. Ergin noted that he was trying to raise awareness for the issue previously mentioned but ignored in an Apple Developer Forum post on Nov. 13.

The vulnerability is that there is no root password set on Apple's macOS High Sierra operating system. This would allow any local user to get root access without entering a password. The lack of a default root password also enables access to a locked desktop with the username root and leaving the password empty.

Edward Snowden, president of the Freedom of the Press Foundation, tweeted, "Imagine a locked door, but if you just keep trying the handle, it says 'oh well' and lets you in without a key.”

Qualcomm, which has filed several patent infringement and royalty lawsuits against Apple since July, is now being countersued by Apple over alleged patent infringements involving Qualcomm's Snapdragon 800 and 820 mobile phone chipset processors.

According to a Nov. 29 story by Reuters, this latest chapter in the pair’s legal saga came as part of a revised court filing in San Diego’s U.S. District Court by Apple in response to Qualcomm's earlier legal claims. In the report, Apple is claiming that Qualcomm violated at least eight battery life patents.

Apple claims in its filing that the Qualcomm Snapdragon 800 and 820 processors, which are used in Samsung mobile phones and Google Pixel phones, infringe on those patents, the story continued.

Amazon Web Services announced on Nov. 28 the new GuardDuty managed threat detection service that is enabled via the AWS Management Console. The GuardDuty system analyzes API calls made to running virtual resources in a customer's account, to help detect anomalous activity that could indicate a potential security risk.

GuardDuty works with existing AWS services including CloudTrail, which provides activity and API usage monitoring. GuardDuty also collects Data from Amazon VPC Flow Logs to detect potential threats and to send alerts to the AWS CloudWatch service, which monitors AWS resources.

Another key integration point for GuardDuty is with the AWS Lambda serverless service, where users can automate threat remediation based on alert conditions.

Expanding on their existing strategic partnership, Microsoft will soon offer SAP HANA Enterprise Cloud on the Azure cloud computing platform. This will allow both companies’ customers to run the SAP S/4 HANA suite of enterprise resource planning applications on a secure and managed cloud.

Microsoft has agreed to this deployment for its own internal financial management needs. In turn, SAP will shift some key internal business systems, including its Concur expense management application, to Azure. Microsoft also plans to link its internal SAP S/4 HANA implementation to its suite of Azure AI and analytics services to add efficiency to its financial reporting and decision-making processes.

Satya Nadella and Bill McDermott, CEOs of Microsoft and SAP respectively, agree this partnership is mutually beneficial.