I prefer to avoid upgrading a server’s operating system before the manufacturers have pushed out a few patches.


Boy, am I glad I take this approach. I have a Mac Mini running as a server, and have been avoiding the persistent nags to upgrade to the latest version of OS X. Today, the media whooped about a newly discovered High Sierra howler of a bug: an ordinary user can create a root account without a password and log in to it. This would give them total control of the machine.

There are some workarounds to block the bug, and certain conditions have to be fulfilled to do the nasty deed, so it’s not the end of everyone’s MacWorld. Even so, it really is something that should not have got past product testing. It’s not some obscure bug you can only find when fuzzing on a Thursday while a black cat orders you a pint of Guinness, it’s basic stuff. Apple should have checked that the login dialogue wouldn’t let anyone log in to a blocked account (root is normally, rightly, disabled on MacOS).

Although this bug would have made my machine a lot more vulnerable had I upgraded, it should still have been reasonably secure. My OpenBSD systems would have to be passed before getting to the Mac. Breaking in remotely would have become easier, but not stunningly easy.

A better way to abuse this bug is to use the machine in person. Here, that would mean breaking into Ego Towers and getting past the geese and the rhinoceros. Far greater problems are faced by systems administrators in schools, for example, who will have to urgently reconfigure all their Macs to block the bug before the kids realise they can exploit it so easily.

It’s worth mentioning that, although Apple allowed this exploit out into the real world, they are not fully responsible for the car crash happening now. The bug should have been reported as a CVE, allowing Apple to create and distribute a patch before it was announced. That this didn’t happen is not Apple’s fault. Mind you, it’s such an obvious bug that I’m not so surprised the person who reported it did so in such a naïve way: they may well not have known any better.

I think I’ll wait a couple more patch cycles before I consider upgrading.

UPDATE: Apple have released a patch, unsurprisingly, and apologised, surprisingly.