Software bugs are a fact of life for every company, and they vary in severity. A bug discovered in Apple's macOS operating system last week gave anyone admin access by entering "root" as the username and leaving the password field blank. This meant that anyone without full user privileges could gain unrestricted system access by exploiting this bug, which is exactly the opposite of how user authentication is supposed to work.
Jay Little, a researcher at the security firm Trail of Bits, told Motherboard:
"This is so dumb. This behavior is new so it happened because of a change, and this regression shows the change wasn't well tested if tested at all. The implications are that restricted accounts for kids or students [or enterprise users] won't actually be restricted and be able to make system-wide changes."
Several security professionals confirmed they were able to reproduce the bug on macOS 10.13. Entering "root" as the username succeeded both on the lock screen and in System Preferences. However, the bug did not work on a cleanly booted Mac if the hard drive was protected with FileVault, Apple's full-disk encryption.
According to Mac security researcher Pedro Vilaca, the bug unlocked the system keychain, which would allow users' passwords to be changed. The issue did not appear to work remotely, but it is recommended that users set a root password as a precaution.
Apple responded to the issue with the following:
"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
Apple released the patch, Security Update 2017-001, for devices running macOS 10.13 or 10.13.1 to fix the problem, but another flaw was discovered. Wired reported that if the patch was installed on a device running 10.13 and the device was later updated to 10.13.1, the bug returned.
This can be fixed by reinstalling the patch, but users should be aware that their computers will not restart automatically; the device must be restarted before the fix takes effect.
What do you think of Apple's software bug? How much will this harm the company's reputation with consumers?