Originally published at: http://appletalk.com.au/2017/12/friday-morning-news011217/
A serious security flaw within macOS that allowed a disabled root account to become enabled with a blank password was fixed by Apple yesterday, and will soon be automatically applied to machines running macOS High Sierra 10.13.1, if it hasn’t already. Apple’s notes for Security Update 2017-001 say the issue was caused by a “logic error”, with Apple also sharing a statement to press outlets containing an apology for the error and the promise of auditing the development process to help prevent this kind of issue from happening again.
The story of how the disabled root account can become enabled with a blank password was shared on Apple’s support forums more than two weeks ago. While revealing this kind of security issue via a public tweet is far from ideal, it’s chilling to think about the damage this could have caused if it went undetected for much longer, not to mention the impact it could have had if it was around ever since the first macOS High Sierra beta.
A technical explanation of why a blank password enables the root user account says that macOS was, for whatever reason, enabling a disabled account with whatever password you specify, even if that password is blank. It’s why you have to click login twice to replicate the issue — the first click enables the account, and the second logs you in with a blank password. Callstacks and detailed execution flows are on Patrick Wardle’s blog.
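Given how the bug works (any supplied password, including a blank one, gets accepted and used to enable the disabled root account), the check an administrator wants after reading the above is whether root is currently enabled on a Mac and whether the installed build already carries the update. The script below is an added example, not code from AppleTalk, Apple or Patrick Wardle’s post. It assumes that `dscl . -read /Users/root AuthenticationAuthority` prints an `AuthenticationAuthority:` line containing `ShadowHash` once root has a password set and a `No such key` message while root is still disabled, and that the build string from `sw_vers -buildVersion` has the usual `17B1002` shape (Darwin major, one letter, number). The build number that carries Security Update 2017-001 is not given in the post, so it is read from the `PATCHED_BUILD` environment variable, which you fill in from Apple’s release notes. The parsing functions run anywhere; the live check only runs on macOS when invoked with `--live`.

```shell
#!/bin/sh
# Added example (not from the AppleTalk post, Apple or Patrick Wardle):
# a defender's check for the macOS root-enable logic error described above.
# Assumptions: dscl output format as described in the lead-in; PATCHED_BUILD
# is supplied by the operator from Apple's notes for Security Update 2017-001.

# root_state_from_dscl OUTPUT -> prints "enabled" or "disabled".
# OUTPUT is the text printed by: dscl . -read /Users/root AuthenticationAuthority
root_state_from_dscl() {
    case "$1" in
        *ShadowHash*) echo enabled ;;   # a password hash exists: root is usable
        *)            echo disabled ;;  # "No such key" (assumed): still disabled
    esac
}

# build_ge CURRENT REQUIRED -> succeeds when CURRENT is the same build as
# REQUIRED or newer. Compares Darwin major, then the letter, then the number.
build_ge() {
    c_major=${1%%[A-Za-z]*};            r_major=${2%%[A-Za-z]*}
    c_rest=${1#"$c_major"};             r_rest=${2#"$r_major"}
    c_letter=${c_rest%%[0-9]*};         r_letter=${r_rest%%[0-9]*}
    c_num=${c_rest#"$c_letter"};        r_num=${r_rest#"$r_letter"}
    c_num=${c_num%%[!0-9]*};            r_num=${r_num%%[!0-9]*}   # drop suffix letters
    c_code=$(printf '%d' "'${c_letter:-A}"); r_code=$(printf '%d' "'${r_letter:-A}")
    [ "${c_major:-0}" -gt "${r_major:-0}" ] && return 0
    [ "${c_major:-0}" -lt "${r_major:-0}" ] && return 1
    [ "$c_code" -gt "$r_code" ] && return 0
    [ "$c_code" -lt "$r_code" ] && return 1
    [ "${c_num:-0}" -ge "${r_num:-0}" ]
}

# check_mac: run the live checks on a macOS host; a no-op elsewhere.
check_mac() {
    if ! command -v dscl >/dev/null 2>&1 || ! command -v sw_vers >/dev/null 2>&1; then
        echo "dscl/sw_vers not found: not a macOS host, skipping live check"
        return 0
    fi
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    echo "root account: $(root_state_from_dscl "$auth")"
    build=$(sw_vers -buildVersion)
    if [ -z "${PATCHED_BUILD:-}" ]; then
        echo "build $build (set PATCHED_BUILD from Apple's release notes to compare)"
    elif build_ge "$build" "$PATCHED_BUILD"; then
        echo "build $build: at or past $PATCHED_BUILD, update present"
    else
        echo "build $build: older than $PATCHED_BUILD, update NOT present"
    fi
}

# Usage: PATCHED_BUILD=<build from Apple's notes> sh check_root.sh --live
case "${1:-}" in
    --live) check_mac ;;
esac
```

If `root account: enabled` is printed on a machine where nobody intentionally set a root password, treat it as a sign the logic error may have been triggered and disable root again via Directory Utility or `dsenableroot -d` once the update is in place.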
It seems that a consequence of shipping a security update as fast as Apple did means that some things will get broken along the way, and yesterday’s victim was file sharing. Apple’s support article on the topic asks you to run a one-liner in Terminal to restore file sharing functionality after applying Security Update 2017-001.
Six Colors has more information on Apple’s automatic update process. You’re probably already familiar with how Apple’s malware definitions get updated as part of Gatekeeper, and this process allows security updates to be installed with no user interaction and no reboot required. For serious security issues like the above, that’s a good thing.
Apple has launched their Heart Study app, which will collect data about heart rhythms and notify users who may be suffering from undiagnosed irregular heartbeats or atrial fibrillation. Unfortunately, that’s where the good news ends — for now, the Apple Heart Study app is only available in the US to people aged over 22, who have a Series 1 Apple Watch or later. Here’s hoping it comes to other regions soon.
Also in the US, the FDA has approved the first medical accessory for the Apple Watch. AliveCor’s KardiaBand is an EKG sensor for the Apple Watch, which combines the built-in heart rate sensing of the Apple Watch with an attached sensor on the watch band to provide EKG readings wherever, whenever.
Michael Tsai has commentary from the wider Apple blogosphere about how the small issues we’ve seen recently affect our perception of Apple, and why they need to be fixed. It’s all well and good that Apple’s trying to make things better, but when bizarre autocorrect suggestions start showing up on iOS keyboards all over the world, you kind of have to wonder if it’s all worth it.
Pixelmator Pro is out for the Mac, and MacStories has a bunch of first impressions that say it’s a powerful image editing tool built from the ground up with the latest macOS technologies, with a platform-specific focus that gives it features you can’t find in other image editors. Introductory pricing starts at US $59.99.
Marco Arment has released Forecast into the wild. It’s his podcast MP3 encoder with tools for the podcast publishing process, including the ability to add chapters.