360 Degree Cyber Security, LLC

Major security flaw in Apple devices running High Sierra is easily exploited.

Major security flaw in Apple devices running High Sierra is easily exploited.

November 28, 2017 – If you have Apple devices running High Sierra, there is a critical vulnerability that will allow anyone to access the device if they can get their hands on it.  All that needs to be done is log in as guest.  Then via System Preferences>Users & Groups>Click the lock to make changes. Then use “root” with no password. Try it for several times. When the problem is exploited, the user is authenticated into a “System Administrator” account and is given full ability to view files and even reset or change passwords for pre-existing users on that machine.

The following can be done to prevent the problem from occurring prior to Apple releases the fix.

DISABLING GUEST USER ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Guest User
Step 4 | Uncheck Allow guests to log in to this computer
CHANGING ROOT PASSWORD ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password

About the Author

Chris Wolski author

Chris Wolski is the founder and principle consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.

Comments Are Closed!!!