As someone who had been a Mac user for ~15 years, this is yet another example of news coming from Apple's general direction that makes me feel like Apple has stopped giving much attention to macOS.
Yes. They still work on it. But it feels like it gets table scraps, compared to the attention given iOS, and iOS devices.
It's the thought that runs through my head on learning that this issue had been on a public forum and nothing public from Apple in response.
I ended up switching to Windows 10 for a daily driver. It's been a painful move, the workflow (so far) isn't nearly as smooth.
I'm sad. I used to dismiss others who would opine and say Apple feels like it's on a quality decline. Unfortunately, I'm starting to agree with them.
Success may not be the best teacher, it seems.
This is the iOS on which it was impossible to type the letter "i." iOS may get more attention, but both operating systems seem to have lost the plot on software quality.
"Can someone here explain to me what is the login dialog supposed to do? ... Ok. Then why the doesn't it do that???"
The lack of care begins with the little things then entropy takes over.
Windows 10 actually has this, and it works really well.
"i don't need an anti-virus i have a mac" was something i used to hear... it's always just been security by obscurity as far as i have seen.
hopefully this will have the opposite effect to what you describe and they might start to take it seriously after being so lucky for years and years...
> feel like Apple has stopped giving much attention to macOS
despite it being
> a painful move, the workflow (so far) isn't nearly as smooth
I'm curious why you use your choice of OS/hardware to cast a tiny vote on the behavior of a vast corporation, instead of simply choosing the OS/hardware that you prefer. For me, the choice of laptop is too important for me to choose a worse laptop for those reasons.
One huge thing is that stuff you create gets set to 777. In the Windows environment, this is expected. But outside of /mnt/c I would figure that standard Linux perms would be honored. Nope. This has been very inconsistent.
That leads me to conclude that my options are either to figure out all the workarounds to do stuff from Windows natively, or keep a Linux VM handy.
I used to be jealous of people that ran Macs or Windows because they did seem to "just work" better than a Linux machine, though had inferior packaging systems and security features.
These days, my Dell laptop running Ubuntu 16.04 seems to have fewer problems with audio/video in conference calls than the Macs my coworkers use, and there are vendors like Dell or System76 that'll sell you a pre-configured system if you don't want to fiddle with things.
This won't work for a host of reasons.
If it was an option, it'd be my first choice.
A lot seem to think there's only one way to responsibly disclose vulnerabilities (e.g. https://news.ycombinator.com/item?id=15800676), but that's really not the case at all if end-user security is the priority. It's very likely that quite a few already used this maliciously as well, and the more responsible thing to do in that case probably was to announce it (along with a temporary mitigation) to as many people as possible.
Btw credit to https://twitter.com/fristle/status/935670476214378496 for finding this!
(Note: Coordinated Disclosure is the newer term for what had been called Responsible Disclosure)
I've updated my comment to include a link to the source for context.
The blame goes to Apple, no one else.
Stop shooting messengers. What kind of society do we live in where people disclosing wrongdoings and crimes are the ones going to jail while the others get away with it?
The macOS vulnerability was apparently a known thing, POSTED VISIBLY on Apple's own forums, and it reads as if the user got this "helpful tip" from somewhere else.
This is pretty nuts.
High Sierra went gold on September 25. Beta 1 came out in June, I think.
(The title was changed and now the context is confusing.)
"Solution 2 worked for me. No idea how or why. Hope this helps."
User seems to have known about it at least 2 weeks ago. Wonder if they realized that it's a glaring security issue. It's hard to tell from the comment if this is something they found themselves or saw or heard about from someone else.
It would be interesting to search other forums, maybe in different languages, to see how long this has been known.
"macos 10.13 bug isn't limited to root in all circumstances; via ARD, you can log in as any existing user (e.g. _applepay) and share the screen of the logged-in user. also _uucp is allowed to log in"
So even the current workaround of changing/creating the root password is not enough.
Ctrl+F: "Note: This solution might be specific to High Sierra"
But that's probably not what's going on, so I'm at a loss. And really disappointed.
Apple, get your act together. We miss you.
(If you're reading this and you work for Apple, it's been a problem for several years, and it'd be truly swell if it showed a login page instead of an error page.)
Known issues at work include a lot of programs no longer working, can no longer change password on the domain so when it expires you are screwed, etc. And things like this happen all the time.
This one in particular doesn't strike me as something that the testers should've caught. It's something that the development process shouldn't have allowed to happen, in the first place.
Especially if QA does exploratory testing instead of defined test cases (which should be automated away anyway).
There is /no excuse/ for this unbelievable security hole. Total fail on Apple's part.
OS X has never been secure in my experience other than through obscurity and lack of physical presence. it is the only OS that i have always been able to steal root from by googling how...
hopefully this will encourage people to take this a bit more seriously, and maybe apple to raise the bar to where linux or windows have it, where i can't 'just' google something dumb and break in with physical access and have to make a more serious effort.
It suggests using "root" with empty password, and hitting Enter twice. So some people knew about it all along? This is really weird.
Isn't this also newsworthy though? The vulnerability wasn't just discovered and posted to Twitter this morning, but rather mentioned nonchalantly on Apple's own Developer Forums back on November 13!
One indication of dupiness is whether the comments are different across the two threads. In the present case we've got comments about software quality at Apple, responsible disclosure, and so on, that are very much the same as the comments in the other thread. So it's really the original discussion spilling over.
For cases like this the best thing is to keep the auxiliary story as a link from the main thread. People will find it that way.
It points to the original, as far as we know, disclosure of the problem and a relevant discussion.
I am still on Sierra so I want to make sure Sierra does not contain this horrific backdoor.
Can anybody confirm?
It's important because it shows that people have known about the root vulnerability currently discussed on twitter at least 2 weeks ago and were discussing it on Apple's support forum.
EDIT: Original title was "Apple security vulnerability posted on developer forums as troubleshooting tip"
apple is the old Microsoft (everyone uses and aren't even aware of alternatives. standard office equipment. acquires everyone and takes a decade to market what they bought. embrace extend extinguish.)
Microsoft is the old IBM (very big corporations)
Google is the old apple. (some niche stuff, extremely greedy and evil and hellbent into lock-in tactics, but with tons of fanboys)
Apple's most popular devices, phones and tablets, are dwarfed by Android. Their laptops and desktops might have a 5% market share.
Even among the much smaller developer community the majority of development doesn't occur on Mac.
You’re making the classic mistake regarding Apple: marketshare. It’s mostly a vanity metric to avoid looking at other, more relevant issues.
In 2016, the iPhone captured 79 percent of global smartphone profits—$44.9 of $53.7 billion.
And that’s with only 14.5 percent of the global marketshare, although they do have 35 percent of the U.S. market.
Since 2007, Apple has sold over 1.2 billion iPhones singlehandedly; it has to be the single best selling electronic device ever.
Once you get past Samsung, there’s a bunch of companies selling Android phones who are around breakeven at best.
> Their laptops and desktops might have a 5% market share. Even among the much smaller developer community the majority of development doesn't occur on Mac.
According to statcounter, the Mac’s U.S. marketshare is 11%.
If you were to track the market for desktops and laptops that aren’t encased in plastic, don’t ship with crapware and malware, the Mac’s marketshare is much higher. ;-)
Anecdotally, I can tell you as someone who’s fairly active in the tech scene in the Cambridge/Boston area, Macs are everywhere, especially at startups: foosball table, craft beer, MacBook Pros.
Back in the day, MIT’s Sloan School of Business did not support Macs. (I worked at MIT for 14 years until 2007). Back then, they had deals with Dell and for ThinkPads. Fast forward to the present day: the most common MBA these days at Sloan is the MacBook Air.
Even after all of these years, the Mac just had its best quarter ever—a little over $25 billion in revenue.
And apparently the Apple Watch is the best selling watch of any kind—in the world.
Meanwhile, every company that was supposed to be the Apple killer—Nokia, Motorola, Dell, Microsoft, Blackberry (née RIM), etc. are either gone or are just shadows of their former selves. Remember when Steve Ballmer laughed when asked about the iPhone in 2007?
During the quarter we sold 46.7 million iPhones, up 3 percent over last year. We were very pleased to see double digit iPhone growth in many emerging markets, including mainland China, the Middle East, Central and Eastern Europe, India, and Mexico.
They report stuff like this every quarter.