Yet Another Password Vulnerability Has Been Found In macOS High Sierra

14:30  11 january  2018 Source:   Gizmodo Australia


For the third time in recent months, big problems have been discovered with macOS High Sierra.

In September, a security researcher named Patrick Wardle discovered an exploit to snag plaintext passwords from Keychain. Two months later, software developer Lemi Orhan Ergin realised that gaining root access to High Sierra machines was essentially as easy as inputting the username "root", no password required. And now, MacRumors reports, a gaping hole has been found that could affect a Mac user's security.

A bug report on Open Radar from earlier this week describes a flaw - affecting version 10.13.2 - that allows any user to change the App Store system preferences without a real password, in five steps or fewer:


1) Log in as a local admin

2) Open App Store Prefpane from the System Preferences

3) Lock the padlock if it is already unlocked

4) Click the lock to unlock it


5) Enter any bogus password

If a machine is already unlocked, someone with malicious intent could easily turn off "automatically check for updates", leaving a machine's current bugs unpatched. Is it as serious a vulnerability as gaining root access? Of course not. But the purpose of a password field is to deny entry to those without it - a basic feature of modern computing. Fortunately, according to MacRumors' tests, the issue appears to be resolved in the forthcoming 10.13.3 update - which you wouldn't be alerted to if automatic updates are turned off.
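One way to check a Mac for the tampering described above, as an added example that is not from the article: it reads the update settings behind the App Store pane and flags any that are switched off. The preference key names are an assumption not given in the article (they are the keys macOS stores these checkboxes under), and the version labels repeat only what the article reports.

```shell
#!/bin/sh
# Added example (not from the article): audit the App Store pane's update
# settings, which the 10.13.2 bug lets someone change without a real password.

# Preference keys behind the pane's checkboxes, as "domain:key" (assumed names).
APPSTORE_KEYS="
/Library/Preferences/com.apple.SoftwareUpdate:AutomaticCheckEnabled
/Library/Preferences/com.apple.SoftwareUpdate:AutomaticDownload
/Library/Preferences/com.apple.SoftwareUpdate:CriticalUpdateInstall
/Library/Preferences/com.apple.commerce:AutoUpdate
"

# classify KEY RAW: map raw `defaults read` output to a one-line verdict.
classify() {
    case "$2" in
        1|true|YES) echo "OK $1" ;;
        0|false|NO) echo "DISABLED $1" ;;
        "")         echo "UNSET $1" ;;      # key absent: the OS default applies
        *)          echo "UNKNOWN $1=$2" ;;
    esac
}

# version_status VERSION: label a version using only what the article states.
version_status() {
    case "$1" in
        10.13.2) echo "affected" ;;         # per the Open Radar report
        10.13.3) echo "reported-fixed" ;;   # per MacRumors' tests
        *)       echo "not-covered" ;;      # the article says nothing either way
    esac
}

# run_audit: macOS only. Prints one line per setting; returns 1 if any is off.
run_audit() {
    rc=0
    ver=$(sw_vers -productVersion)
    echo "macOS $ver: $(version_status "$ver")"
    for entry in $APPSTORE_KEYS; do
        domain=${entry%%:*}; key=${entry##*:}
        raw=$(defaults read "$domain" "$key" 2>/dev/null) || raw=""
        line=$(classify "$key" "$raw")
        echo "$line"
        case "$line" in DISABLED*) rc=1 ;; esac
    done
    return $rc
}

# Run only where the macOS tools exist, so the file can be sourced elsewhere.
if command -v defaults >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    run_audit || echo "WARNING: at least one update setting is disabled"
fi
```
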

2017 was a grim year for Apple, as bugs, vulnerabilities and public gaffes piled up against the company that built its image on slick, highly designed products. Hopefully the App Store settings exploit isn't an indicator of what's to come.


Source: http://au.pressfrom.com/news/tech-and-science/-51876-yet-another-password-vulnerability-has-been-found-in-macos-high-sierra/
