There's an embarrassing and unsafe security hole in the latest Mac software


That is the full Unix root account, which has superuser privileges that enable it to see and modify any file in any account. In our tests, this works regardless of whether the current user is an administrator or not. You can do this from the user login screen. Select Open Directory Utility click the lock icon in the Directory Utility window then enter your admin name and password again.

Without explaining what the actual bug is (we don't want to make it any easier for potential hackers than this already is, and you can find it on Twitter pretty easily), someone can login to a Mac by typing a word in the login field, leaving the password field blank, and attempting to log in several times. And, as most security experts would attest, physical access will eventually trump any logical security you may have in place. I've confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world. There are likely many more ways that someone taking advantage of the issue could wreak havoc on a Mac desktop or laptop.

To protect your computer, you'll need to create a root password.

Apple has not yet officially fixed - let alone commented on - this critical bug.

Currently, there is no official fix from Apple regarding the issue.

Читайте также: TIME Magazine Refutes Donald Trump's 'Person of the Year' Claim

Enter "root" again with no password. Users can prevent an attacker from exploiting a bug by creating a "root" account themselves and giving it a custom password.

Once in the "Join" menu, click on "Open Directory Utility".

The workaround right now according to the Twitterverse, is to set a root user password.

Let us know how it goes for you, and stay tuned for Apple's macOS update soon...

При любом использовании материалов сайта и дочерних проектов, гиперссылка на обязательна.
«» 2007 - 2017 Copyright.
Автоматизированное извлечение информации сайта запрещено.

Код для вставки в блог