How To: Protect Yourself from macOS High Sierra's Glaring Empty-Password Security Flaw

How To: Protect Yourself from macOS High Sierra's Glaring Empty-Password Security Flaw
There's a new macOS vulnerability that hackers within physical reach of your computer can use to gain root access to your system and accounts. Just by using "root" as the username and a blank password on a privilege escalation prompt, someone can install malware on your computer, access hidden files, reset your passwords, and more. Root access gives them the ability to do anything they want.Right now, this only appears to affect Mac users running macOS High Sierra 10.13.1.

How to See if Your System in VulnerableTo test if your system could be hacked, go to the "Users & Groups" section in "System Preferences," and click on the lock icon at the bottom of the pane to make changes. Remove your username and replace it with "root" instead. Next, click inside the password box, then hit the "Unlock" button.You may have to hit "Unlock" a few times to get it to unlock, but it will eventually work unless you manually set a root password on your Mac, which you likely didn't. This is just one example, but any security prompt asking for a username and password can be bypassed in this way, including on the login screen.

How to Protect Yourself from This Local HackTo protect yourself from this huge security flaw (CVE-2017-13872), install the Security Update 2017-001 from Apple immediately, which was issued on Wednesday, Nov. 29. Just open up the Mac App Store app, go to the "Updates" tab, then hit "Update" next to the security update. Apple states that "a logic error existed in the validation of credentials" in their description of the update's content.If you need root user access yourself, you'll have to re-enable and select a new password from the Directory Utility in System Preferences. Previously, before Apple released the patch, the only way to protect yourself (besides enabling the root user manually) was to make sure you were logged in as administrator and open up the Terminal app, which could be found in the "Utilities" folder in "Applications" or through a Spotlight search for it. Once there, you would do the following.Type sudo passwd -u root and hit enter. Enter your current admin password and hit enter. Enter a new password for root and hit enter. Re-enter the root password to confirm and hit enter. After using the trick above, if you try to use the "root" and blank password to gain root access on a privilege escalation prompt, it won't work, and you'll need to enter your new root password in. After updating with Apple's patch, it won't work either, but you also won't have a root password. If you used the Terminal trick or created a root password manually, make sure to remember your new root password or keep it in a password manager you can access from other devices. If you should lose it, it will be a difficult process to reset it should you need to.Follow Gadget Hacks on Facebook, Twitter, Google+, YouTube, and Instagram Follow WonderHowTo on Facebook, Twitter, Pinterest, and Google+
Cover photo, screenshots, and GIFs by Justin Meyers/Gadget Hacks


Samsung's Amazing Music-Making Tool Soundcamp Is Coming to

How to play snake on youtube - updated - YouTube


If you type 'smartwatch' into the search box on Amazon, amongst the Moto 360s and Sony SmartWatch 3s you'll see a load of results for cheap, budget smartwatches from manufacturers you've probably


Racing games are always better when you have a steering wheel instead of just a handheld controller. And those old-school arcade racing cockpits? Even better. Matthew Boyer decided to bring the feel of a racetrack into his living room with this insanely awesome DIY arcade racing cockpit.
DIY Arcade Coffee Table : DIY - reddit


Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here's How to Patch OS X. First, the "legal" stuff. If you decided to follow these steps, and something breaks - ITPro-Blog.com can in no way be held liable.
Shellshock Bash Exploit: Patch OS X - A Geek to Go, LLC

Make Buying Stuff Easier on Instagram with the New Checkout


If browsing speed is important to you—and it should be—you'll probably be interested to know that there are ten simple flag modifications you can make in Google Chrome in order to achieve the fastest browsing speed possible.
11 Ways to Speed Up Google Chrome - Hongkiat


Whether it be photos, videos, or documents, some things are best left private. Not everyone is a saint, after all. On a Samsung Galaxy S6, you can lock down specific apps using your fingerprint scanner and a third-party app, but there's a built-in way to hide specific content on the Galaxy S6 called Private mode.
Use Private Mode on the Galaxy S6 to Secure Pictures, Videos

The Safest Way to Disable ALL Bloatware on Your Galaxy S10


Using Domain name instead of localhost in with https in xampp. Map your custom domain name to localhost in HOSTS file. Set up virtual hosts on Apache (XAMPP
How to Change localhost to a Domain Name in XAMPP (Windows


Android's quick responses let you send a text message to a caller when you can't answer the phone. Customize them quickly and easily. How to change text message quick responses on Android Lollipop


Stop Microsoft spying on you — make your Windows 10 as private as possible If you really want to make your Windows 10 private — the best way is, do a clean install of Windows 10 and then customize from its start.
How to Stop Windows 10 From Spying on You


I manage a small network, and use Meraki devices to run it. Those of us who resolve

Sending a self-destructing email message is a cinch in ProtonMail for Android or iPhone, and you're not just limited to sending them to other ProtonMail users. Any email address, no matter the service, can be sent an expiring email — it just has to use end-to-end encryption .
ProtonMail Is the Easiest Way to Send and Receive Encrypted

0 comments:

Post a Comment