- The Tech Night Owl — Cutting-Edge Tech Commentary - https://www.technightowl.com -

An Apple Security Reality Check

Without doubt the usual offenders among Apple critics are joyfully reporting about a serious security flaw that reared its ugly head in macOS High Sierra 10.13.1. It was a foolish mistake, the sort of mistake that might cause management to find the offenders and take some serious action.

No, I’m not suggesting they should be canned. Stuff happens. But it would probably require finding out exactly how this mistake was allowed to happen, and making sure it doesn’t happen again, and it’s clear Apple is doing exactly that.

What was the problem?

Well, if you installed the very first macOS High Sierra update, this flaw would allow you, or someone who has access to your Mac, to enable root mode without a password. Just enable root access, and it would be little different from getting an email account with your cable provider that used the default password, “password.” Well, except for the fact that you could leave the password field blank.

In Unix parlance, the root user is the king of the hill, the individual who can access your Mac’s entire file system and do anything he or she wants. As a practical matter, it’s best left disabled, but with this bug, anyone who controls your Mac could do some nasty things. They could install a virus, copy your data, or wipe the drive clean.

But it still required such access to enable the root user which, as I said above, could be done without need of a password. Not good.

Once this flaw was discovered, Apple made quick work of fixing it by posting an online update. Says Apple:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 AM, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Clearly Apple has the damage control process down pat. Apologize for the problem, express contrition and explain what’s being done to keep similar problems from occurring in the future.

Just look at Apple’s statement again. Upon being alerted to the problem after posts appeared on various tech blogs, it took less than a day for Apple to create, test and post the fix for users of macOS 10.13.1. The speed is commendable, and harkens back to the short-lived iOS 8.0.1 update in 2014, which killed the mobile connection and Touch ID for the iPhone 6 and the iPhone 6 Plus.

Apple became aware of the problem within about an hour or so, and withdrew it. A fixed version, 8.0.2, arrived the very next day. In the meantime, the affected iPhones could be repaired with a Restore. It wasn’t permanent damage.

Now in that particular case, even mainstream cable news talking heads attacked Apple for its lack of attention to detail, but few mentioned how quickly it was fixed.

Now the 10.13.1 fix reportedly requires redoing the root user setup process and giving yourself a password, after which you can disable it again. Most Mac users probably won’t bother and, as I said, this is not a situation that would necessarily cause them any trouble if the bug went unfixed. Once again, you have to be directly targeted by a hacker with direct access to your Mac to enable that feature.

Apple’s critics responded to the security glitch in a predictable pattern. How could Apple do such a foolish thing? Does this mean they’ve lost their ability to deliver a secure product? One critical blog I read strongly implied that this is the first time an Apple OS contained a serious security flaw which, of course, isn’t true.

With nearly every macOS update, there is a set of security fixes. Some are arcane, and can only be exploited in theory. Others are serious enough to allow hackers to gain control of your Mac without much effort. It’s not just about not having to use a root password.

In short, the belief that macOS, or any computer OS, is perfect is sheer nonsense. Again, it’s not whether the flaw exists, but how Apple reacts to the problem and how quickly the fixes can be released. Sometimes it takes weeks or months. This time it was an overnight process.

That’s about as fast as you can get in the real world!

Compare that to any serious security leak in Android. Just how quickly would Google fix the problem? And even if it were fixed overnight, how would they deploy that fix to the hundreds of millions of owners of Android gear out there?

The answer is that they won’t, unless the fix can be deployed via the Google Play app store, or to users of native Google smartphones, the Nexus and Pixel models. Otherwise, the chances that anyone will receive that patch are slim to none.

Something to think about.