Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy. No need to do that any more! Just enter “root” instead of your user name and hit enter. After a few tries, it should log right in.

There’s no need to do this yourself to verify it. Doing so creates a “root” account that others may be able to take advantage of if you don’t disable it.

The bug appears to have been first noticed by Lemi Orhan Ergin, founder of Software Craftsman Turkey, who noted it publicly on Twitter.

Needless to say, this is incredibly, incredibly bad. Once you log in, you’ve essentially authenticated yourself as the owner of the computer. You can add administrators, change critical settings, lock out the current owner, and so on. Do not leave your Mac unattended until this is resolved.

So far this has worked on every preference panel we’ve tried, and when I used “root” at the login screen it immediately created and pulled up a new user with system administrator privileges. It didn’t work on a 10.13 (17A365) machine, but that one is also loaded up with Aol bloatware — sorry, Oath bloatware — which may affect things.

A potential fix is to log into the “root” account and change its password to… well, anything. But the safest thing is to not expose your device to any unfamiliar environments until the bug is fixed.

We’ve asked Apple for comment, but I’m guessing they’re pretty busy. We hope they have a fix soon because no one should leave their Mac unattended until this is resolved.
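As an added example (not part of the article, and not Apple's or the author's code), here is a POSIX shell audit helper a Mac admin could run on each machine to report whether it is on the 10.13.1 build the article names and whether a root account is currently enabled, which is the state the article's fix (giving root a password) acts on. It assumes the standard macOS tools sw_vers and dscl; the function names and status words are my own, and the sample dscl output used for offline checking is constructed.

```shell
#!/bin/sh
# Added example, not from the article above: a small audit helper for the
# High Sierra "root" login issue. The check functions take strings as
# arguments so they can be exercised offline with constructed input;
# audit_this_mac feeds them real command output and only works on macOS.

# is_affected_build BUILD
# Returns 0 when BUILD is 17B48, the 10.13.1 build the article reports as
# affected. Any other build is reported as "not known affected", which is
# not the same as safe: the article only says it could not reproduce the
# bug on one 17A365 machine.
is_affected_build() {
  [ "$1" = "17B48" ]
}

# root_is_enabled DSCL_OUTPUT
# Parses the text printed by `dscl . -read /Users/root AuthenticationAuthority`.
# An enabled root account carries an AuthenticationAuthority attribute; a
# disabled one makes dscl report "No such key" instead. Returns 0 when the
# attribute is present.
root_is_enabled() {
  printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'
}

# verdict BUILD DSCL_OUTPUT
# Combines the two checks into one word that is easy to collect from a fleet:
#   not-affected-build      build is not the one the article names
#   affected-root-disabled  affected build, root not yet enabled
#   affected-root-enabled   affected build, a root account exists (either the
#                           article's fix was applied, or someone already
#                           triggered the bug; either way confirm its password)
verdict() {
  if ! is_affected_build "$1"; then
    echo not-affected-build
  elif root_is_enabled "$2"; then
    echo affected-root-enabled
  else
    echo affected-root-disabled
  fi
}

# audit_this_mac
# Runs the checks on the current machine using the standard macOS tools
# sw_vers and dscl. Exit status 1 means the Mac is on the affected build and
# the article's mitigation (give root a real password) still needs doing.
audit_this_mac() {
  build=$(sw_vers -buildVersion 2>/dev/null) || { echo "sw_vers not found: not macOS"; return 2; }
  dscl_out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  status=$(verdict "$build" "$dscl_out")
  echo "build=$build status=$status"
  case "$status" in
    not-affected-build) return 0 ;;
    *) echo "Affected build: set a root password (the article's fix) and keep the Mac attended."; return 1 ;;
  esac
}

# Run the live audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_this_mac
fi
```

Save it as root-audit.sh and run `sh root-audit.sh --run` on a Mac; a non-zero exit status flags a machine that still needs the root password set, which makes the one-word verdict easy to collect through whatever management agent you already use.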
Chatbots. They’re usually a waste of your time, so why not have them waste someone else’s instead? Better yet: why not have them waste an email scammer’s time. That’s the premise behind Re:scam, an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time. You can see a few sample dialogues in the video above, or check out a longer back-and-forth below. It looks infuriatingly effective.

Using chatbots to give email scammers a taste of their own medicine isn’t that new. And although Netsafe has made a very fancy-looking video promo for their bot, the technology behind it is relatively simple, relying more on pre-programmed conversational misdirects than sophisticated artificial intelligence. Really, though, that’s all it takes.

Another famous chatbot time-waster is “Lenny,” which is designed to waste telemarketers’ time, and does so without any AI or speech recognition component. Instead, Lenny uses just 16 pre-recorded snippets of dialogue, each of which is as vague and ambiguous as possible. Lenny simply waits until there’s a gap in the conversation, then plays one of its bits of dialogue, cycling through all 16 in various patterns. The technique is surprisingly effective, as the video below shows. (You’ll feel sorry for the caller before long.)

But let’s just wait until the scammers have their own bots, too. That’ll be the future of cybersecurity: millions of bots battling back and forth behind the scenes, running interference for us. That is, until the bots stop fighting one another and decide to take on their common enemy instead. Let’s hope we can waste their time just a little longer.
With a crop of non-security Office updates due today, a big dose of security patches expected in a week, and a known bug in the KB 4041686 Win7 Preview, now’s a good time to make sure you have Automatic Update set so it won’t deal you a nasty surprise.

Last month we had no end of problems with Microsoft’s Windows and Office patches. If your machine was attached to a corporate Windows Update server, and your admin approved Windows patches for immediate distribution, your PC may have joined a sea of blue screens. There were lots and lots of additional gotchas.

This month, we already know that KB 4041686, the 2017-10 Win7 Preview of a Monthly Rollup, has a retrograde bug in it that clobbers SFC scans. It’s not at all clear if Microsoft is going to fix that bug before the Preview becomes the for-real Monthly Rollup.

We also know that last Thursday's attempt to fix a bug introduced in the October security patches failed miserably, with Microsoft surreptitiously pulling KB 4052233, 4052234, and 4052235 and erasing them from the KB list, the catalog, and even the update histories. Heaven only knows if the next iteration of that abomination will succumb to a similar fate.

Later today, we should see a dozen or more non-security patches for Office. You don’t need any of them right away. A week from now, the security fixes should roll out.

As I’ve argued many times before, it just makes sense to hold off installing Windows and Office updates until the major first-round bugs get shaken out. Let the unpaid beta testers sacrifice their machines first.

If your PC is attached to a Windows Update server, buy your admin a cup o’ coffee and gently make sure they don’t have WSUS or SCCM set to automatically approve updates as soon as Microsoft dishes them out.

If you’re running Win7 or 8.1, the method for blocking updates isn’t difficult; see “Disable Automatic Update in Vista, Win7 or 8.1.”

If you’re running Windows 10 Pro Creators Update (version 1703) or Fall Creators Update (1709), the method’s even easier: telling Auto Update to back off just takes a couple of clicks. See Steps 7 and 8 in “8 steps to install Windows 10 patches like a pro.”

But if you have any other version of Win10, you aren’t so lucky. Win10 Home users, and those with earlier versions of Pro, are considered fair fodder for the unpaid beta-testing cannons.

Take a minute right now and make sure Automatic Update is turned off.