For the third time in recent months, big problems have been discovered with macOS High Sierra.
In September, a security researcher named Patrick Wardle discovered an exploit to snag plaintext passwords from Keychain. Two months later, software developer Lemi Orhan Ergin realized that gaining root access to High Sierra machines was essentially as easy as inputting the username “root,” no password required. And now, MacRumors reports, a gaping hole has been found that could affect a Mac user’s security.
A bug report on Open Radar from earlier this week describes a flaw in version 10.13.2 that allows any user to change the App Store system preferences without a real password, in five steps or fewer:
1) Log in as a local admin
2) Open App Store Prefpane from the System Preferences
3) Lock the padlock if it is already unlocked
4) Click the lock to unlock it
5) Enter any bogus password
If a machine is already unlocked, someone with malicious intent could easily turn off “automatically check for updates,” leaving a machine’s current bugs unpatched. Is it as serious a vulnerability as gaining root access? Of course not. But the purpose of a password field is to deny entry to those without it—a basic feature of modern computing. Fortunately, according to MacRumors’ tests, the issue appears to be resolved in the forthcoming 10.13.3 update—which you wouldn’t be alerted to if automatic updates are turned off.
2017 was a grim year for Apple, as bugs, vulnerabilities, and public gaffes piled up against the company that built its image on slick, highly designed products. Hopefully the App Store settings exploit isn’t an indicator of what’s to come.