Some more in-depth information on the root password issue: https://objective-see.com/blog/blog_0x24.html

Bonus HN comment: If I am understanding this correctly: Any existing but disabled account (an account with no shadow hash) will be upgraded to an account with a shadowhash. Normally this is fine, because it is an in-memory upgrade that allows the authentication code to run. And then, because of a brain-dead if check, whatever password the user attempted to use is saved as the shadowhash for that account, permanently enabling the account with the password that was being tried. In this case, that means a blank password. This allows a subsequent authentication with that same password to succeed. This accounts for the initial need to repeat the login multiple times.

# ? Nov 29, 2017 16:43

The comment has it slightly backwards. It wants to save it as a shadowhash ('upgrade' the account, it's not just in-memory), but the verify crypt password routine returns SUCCESS for any password for a disabled account. So, the following code was told the password entered is the correct password, and hashes that - since it can't have any other source for the plaintext. Thereby creating the shadowhash entry for root with the entered password and enabling the account. As the blog points out, obviously, the verify crypt password function should be failing, not succeeding. That's a pretty big 'oops'.

# ? Nov 29, 2017 17:28

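To make the logic error the two posts above are arguing about concrete, here is a toy model of the login path, written for this page as an added example; it is not Apple's code, and the function names, the in-memory account store and the PBKDF2 hashing are assumptions chosen only to make the flaw visible. It follows the second post's description: the verify routine reports success for an account that has no shadow hash, and the crypt-to-shadowhash upgrade step then persists a hash of the only plaintext it has, the password that was just typed. The model does not reproduce why the first attempt failed on real systems; it only shows how a disabled account ends up enabled with an attacker-chosen (here, empty) password, and how the hardened verifier prevents it.

```python
"""Toy model of the High Sierra root login bug as the thread describes it.

Added illustration for this page, not Apple's code. The function names, the
in-memory directory and the PBKDF2 hashing are assumptions; the real code
used different structures and a different hash format.
"""
import hashlib
import hmac

SALT = b"constructed-salt"  # fixed salt is fine for a model, never for real storage


def hash_password(password):
    """Derive the stored 'shadowhash' for a password (model only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


def make_directory():
    """Constructed directory: 'alice' is enabled, 'root' is disabled (no shadow hash)."""
    return {
        "alice": {"shadowhash": hash_password("correct horse")},
        "root": {"shadowhash": None},
    }


def verify_crypt_password_buggy(account, password):
    """The flaw: an account with no stored hash 'verifies' for any password."""
    if account["shadowhash"] is None:
        return True  # reports SUCCESS although there is nothing to compare against
    return hmac.compare_digest(account["shadowhash"], hash_password(password))


def verify_crypt_password_fixed(account, password):
    """Hardened check: no stored credential means verification fails."""
    if account["shadowhash"] is None:
        return False
    return hmac.compare_digest(account["shadowhash"], hash_password(password))


def authenticate(directory, user, password, verify):
    """Login path including the crypt->shadowhash upgrade step.

    The upgrade routine trusts the verifier: if verification succeeded and the
    account still has no shadow hash, it stores a hash of the only plaintext it
    has, the password just entered. That write is persistent, so with the buggy
    verifier whatever was typed becomes the account's real credential and a
    previously disabled account is now enabled.
    """
    account = directory.get(user)
    if account is None:
        return False
    if not verify(account, password):
        return False
    if account["shadowhash"] is None:
        account["shadowhash"] = hash_password(password)  # the permanent "upgrade"
    return True


def blank_root_login(verify):
    """Try root with an empty password twice; return (first, second, root_enabled)."""
    directory = make_directory()
    first = authenticate(directory, "root", "", verify)
    second = authenticate(directory, "root", "", verify)
    return first, second, directory["root"]["shadowhash"] is not None


if __name__ == "__main__":
    print("buggy verifier:", blank_root_login(verify_crypt_password_buggy))  # (True, True, True)
    print("fixed verifier:", blank_root_login(verify_crypt_password_fixed))  # (False, False, False)
```

The defensive lesson is the one the blog draws: a verifier must fail closed when it has no credential to compare against, and any routine that writes credentials on the strength of a verification result has to check that result rather than assume it.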
Security Update 2017-001 for High Sierra just came out to address the issue.

# ? Nov 29, 2017 17:30

Apple did something literally overnight for once, other than ship an iPhone? Cool. edit: no reboot required

# ? Nov 29, 2017 17:30

Star War Sex Parrot posted:Security Update 2017-001 for High Sierra just came out to address the issue.

https://support.apple.com/en-us/HT208315

# ? Nov 29, 2017 17:34

Make sure you check the Build Number to make sure you were updated; the patched macOS will report Version 10.3.1 (17B1002). I rebooted just to make sure the patch stuck; High Sierra acts as if it just got a major update or you signed on as a new user (boots to Analytics screen, then says your account has been set up again.)

# ? Nov 29, 2017 18:02

I just confirmed for you: with no reboot, that is the build shown, and the exploit no longer works.

# ? Nov 29, 2017 18:04

Binary Badger posted:I rebooted just to make sure the patch stuck; High Sierra acts as if it just got a major update or you signed on as a new user (boots to Analytics screen, then says your account has been setup again.)

# ? Nov 29, 2017 18:04

Is the update forced or do you have to manually click stuff/enter password? Just curious, not actually trying to apply it.

# ? Nov 29, 2017 18:26

Shaocaholica posted:Is the update forced or do you have to manually click stuff/enter password? Just curious, not actually trying to apply it. Haven’t you heard you don’t need passwords in Mac OS

# ? Nov 29, 2017 18:35

Comfy Fleece Sweater posted:Haven’t you heard you don’t need passwords in Mac OS Lol, everyone please apply the patch using the exploit.

# ? Nov 29, 2017 18:37

Shaocaholica posted:Is the update forced or do you have to manually click stuff/enter password? Just curious, not actually trying to apply it.

nope, one click in the App Store, no fuss, no muss.

Also, if you hate the Mac App Store with all your heart, you can download the security update by itself here: https://support.apple.com/kb/DL1942?locale=en_US

Also rather annoying that if you download High Sierra from the App Store, it's still the image of 10.13.1 from October that still has the exploit unpatched.

Binary Badger fucked around with this message at 00:29 on Nov 30, 2017

# ? Nov 29, 2017 19:17

"Apple" posted:MacOS Security: Courage At Its Root

# ? Nov 30, 2017 08:33

or

Apple posted:MacOS Security: Rooted in Courage

# ? Nov 30, 2017 08:52

LMAO the security fix broke File Sharing. Apple's software teams need to step their games up. iOS 11 is the buggiest I've ever seen, so unbelievably bad, and then you have this security issue with High Sierra. Was it for this Stebe died?

# ? Nov 30, 2017 14:53

ios 11 is a flaming pile of dogshit

# ? Nov 30, 2017 14:56

Quantum of Phallus posted:LMAO the security fix broke File Sharing It's a security feature to keep your files safe!

# ? Nov 30, 2017 14:57

Bob Morales posted:ios 11 is a flaming pile of dogshit The .0 release was legit embarrassing.

# ? Nov 30, 2017 15:03

I'm not having any issues with iOS 11 so far..

# ? Nov 30, 2017 15:05

Take iOS discussion to iOS threads where it belongs. Meanwhile, if your File Sharing is broken, here's the fix: https://support.apple.com/en-us/HT208317

Apple posted:Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1

Hair Force One should be profusely apologizing for this poo poo on his watch.

Binary Badger fucked around with this message at 17:28 on Nov 30, 2017

# ? Nov 30, 2017 17:25

Binary Badger posted:Hair Force One should be profusely apologizing for this poo poo on his watch. lol that name will never not be funny

# ? Nov 30, 2017 17:28

Apple Maps 1.0 led to high-profile firings as I recall.

# ? Nov 30, 2017 17:29

Binary Badger posted:Hair Force One should be profusely apologizing for this poo poo on his watch. Take watchOS discussion elsewhere please

# ? Nov 30, 2017 17:33

I wonder why the Kerberos local key distribution center (what is that even) needs to be re-initialized because Apple is now checking the error code of the verify crypt password function in the crypt->shadowhash user upgrade routine. Somehow I think writing operating systems is hard.

# ? Nov 30, 2017 17:41

Last Chance posted:Take watchOS discussion elsewhere please

Apple posted:Craig Federighi is Apple’s senior vice president of Software Engineering, reporting to CEO Tim Cook. Craig oversees the development of iOS, macOS, and Siri. His teams are responsible for delivering the software at the heart of Apple’s innovative products, including the user interface, applications and frameworks.

So yeah, he should wear a toupee or something to show his shame.

# ? Nov 30, 2017 18:12

Binary Badger posted:So yeah, he should wear a toupee or something to show his shame. it was a joke because you were backseat modding and said "on his watch"

# ? Nov 30, 2017 18:16

Last Chance posted:it was a joke because you were backseat modding and said "on his watch"

Ok now I get it

Binary Badger fucked around with this message at 00:14 on Dec 1, 2017

# ? Nov 30, 2017 18:29

Apple updated the Security Update to include the fix for file sharing. A totally patched 10.3.1 system should now have build number 17B1003.

# ? Nov 30, 2017 21:51

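Several posts in this thread verify the fix by reading the build number rather than the version string, since both the unpatched and patched systems report themselves as 10.13.1. The script below is an added example for this page, not an Apple tool: it parses `sw_vers` output and classifies the build using the two numbers the thread reports, 17B1002 for the first Security Update 2017-001 build and 17B1003 for the re-issued one that also repairs file sharing. The parsing and decision logic are my assumptions, as is 17B48 as the build of the original 10.13.1 release used in the constructed sample; on a Mac it runs `sw_vers` itself, elsewhere it falls back to the sample.

```python
"""Patch-state check for the High Sierra root login fix discussed in the thread.

Added example for this page; not an Apple tool. Build numbers 17B1002 and
17B1003 come from the thread; 17B48 for the unpatched 10.13.1 release is an
assumption used only in the constructed sample below.
"""
import platform
import re
import subprocess

# Constructed sample of `sw_vers` output from an (assumed) unpatched 10.13.1 machine.
SAMPLE_SW_VERS = "ProductName:\tMac OS X\nProductVersion:\t10.13.1\nBuildVersion:\t17B48\n"


def parse_sw_vers(text):
    """Turn `sw_vers` output into a dict of its 'Key:<tab>Value' lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_build(product_version, build):
    """Classify a 10.13.1 build as unpatched / partial / patched.

    Returns a (status, explanation) pair. Only 10.13.1 is handled because the
    thread only reports build numbers for that release; anything else is
    'unknown' rather than a guess.
    """
    if product_version != "10.13.1":
        return "unknown", f"no build data for macOS {product_version!r}"
    m = re.fullmatch(r"17B(\d+)", build)
    if not m:
        return "unknown", f"unexpected build string {build!r} for 10.13.1"
    n = int(m.group(1))
    if n >= 1003:
        return "patched", "Security Update 2017-001 including the file sharing repair (17B1003)"
    if n == 1002:
        return "partial", "root fix present (17B1002) but the re-issued update that repairs file sharing is missing"
    return "unpatched", "pre-update 10.13.1 build; the root login bug is still present"


def assess_local_machine():
    """Run `sw_vers` on macOS; on any other OS fall back to the constructed sample."""
    if platform.system() == "Darwin":
        text = subprocess.run(["sw_vers"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SW_VERS
    fields = parse_sw_vers(text)
    return assess_build(fields.get("ProductVersion", ""), fields.get("BuildVersion", ""))


if __name__ == "__main__":
    status, why = assess_local_machine()
    print(f"{status}: {why}")
```

The point of keying on the build number is that a fleet inventory which only records "10.13.1" cannot tell a patched machine from an unpatched one; the build string is the value worth collecting and alerting on.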
Binary Badger posted:Apple updated the Security Update to include the fix for file sharing. Great, File Sharing is fixed but now I can't print. Just kidding, but maybe not?? Who knows what's broken now

# ? Nov 30, 2017 22:36

I'm going back to Snow Leopard

# ? Nov 30, 2017 22:41

Bob Morales posted:I'm going back to Snow Leopard I’m going back to the PowerBook G4 you sent me

# ? Nov 30, 2017 22:42

I'm going back to Geoworks Ensemble pray for me

# ? Nov 30, 2017 22:59

I'm going back to college.

# ? Nov 30, 2017 23:04

I'm never going back, and you can't make me!

# ? Nov 30, 2017 23:05

never left OS2, suckers

# ? Nov 30, 2017 23:24

I'm digging my Apple //e out and never booting anything but Paul Lutus's GraForth. 3D graphics, 1 KHz scratchy music, and seven colors all in glorious 280 * 192 resolution

# ? Dec 1, 2017 00:17

oh gently caress guys another one https://www.reddit.com/r/VintageApple/comments/7gjnig/reset_technique_for_os_9_mac_os_setup_assistant/

# ? Dec 1, 2017 01:07

pzy posted:oh gently caress guys another one lol

# ? Dec 1, 2017 01:09

Binary Badger posted:I'm digging my Apple //e out and never booting anything but Paul Lutus's GraForth. Will it run on my Apple ][ (INT, no FP)?

# ? Dec 1, 2017 04:20

Runs on Apple ][, Apple ][ Plus with only 48K, so yeah, Integer Basic is fine. (GraForth only lets you use integers anyway.) Will also run on clones like Franklin Ace, Laser 128.. here's a video of the GraFORTH demo running on a Russian Apple ][ clone! https://www.youtube.com/watch?v=4Fay38pUU7Y All in 1 MHz and no hardware GPU..

Binary Badger fucked around with this message at 06:50 on Dec 1, 2017

# ? Dec 1, 2017 06:40