What a month! November brought to light a huge security vulnerability affecting macOS High Sierra, Mac malware that masquerades as anti-virus software, and specially crafted masks that can fool Face ID (despite Apple's claims). Read on for the details!
A bug was introduced in macOS High Sierra 10.13, and remained in 10.13.1, that allowed an attacker to invoke a system authentication dialog box, type "root" (the name of a powerful UNIX administrator account that's disabled by default in macOS), and either enter no password or a password of their choosing, and macOS would enable the root account with the attacker's chosen password.
If a system running High Sierra had Screen Sharing enabled, it was even possible to exploit the vulnerability remotely, without having physical access to the Mac.
Thankfully, Apple responded quickly after the bug became widely known. By the next morning, Apple released a patch and pushed it out to all High Sierra users.
There's a lot more to this story! For all the juicy details, don't miss our extensive coverage: “I Am Root”: A Retrospective on a Severe Mac Vulnerability!
Earlier this year, we reported that variants of the Proton malware were discovered on the legitimate download sites of Handbrake and later Elmedia Software. In both cases, the developers' legitimate apps were infected with malware and made available directly from the developers' sites for a period of time without their knowledge.
A blog was discovered that purported to be operated by Symantec, an anti-virus company. On this fake anti-virus blog was a link to download a supposed "Symantec Malware Detector," which in reality is just a Trojan horse designed to install the Proton malware onto victims' Macs.
If a victim were to download and run the fake virus scanner, they would be prompted to enter their administrator username and password, at which point the malware would secretly infect the system and then display a fake virus scan (much like other fake antivirus software has done in the past).
Intego VirusBarrier (which is legitimate anti-virus software!) identifies the new malware variant as OSX/Proton.D.
For lots more details, check out our article Watch Out! A Fake Antivirus Blog is Distributing Proton Malware, and listen to our new Intego Mac Podcast episode discussing it (have you subscribed yet? 😃).
Two stories surfaced in November claiming that the iPhone X's new Face ID technology had been successfully tricked into unlocking Apple's latest smartphone.
One story from CNET reports that Vietnamese hackers created a specially crafted face mask that allegedly was able to successfully spoof a real person's face to log into an iPhone X. You can watch the mask makers' proof-of-concept video, which has been viewed 1.2 million times.
This is particularly interesting given that when Apple introduced the iPhone X, Apple executive Phil Schiller took the stage and bragged that Apple had tasked Hollywood mask-making experts with trying to fool Face ID, and their efforts were unsuccessful.
Hot on the heels of the original mask story came a report from Wired that a 10-year-old boy was able to successfully and repeatedly unlock his mother's iPhone X.
The idea that a child could gain access to his parent's phone, which may contain private information, seemed to really catch people's interest; the family's 41-second YouTube video has been viewed more than 2.3 million times.
Apple's Schiller admitted during the iPhone X unveiling keynote that there's a higher probability of false matches for people who have "a close genetic relationship" with the user.
This year at least one popular online retailer has been selling and openly promoting ancient iPhones and iPads for which Apple is no longer releasing security updates. Using a device online when its security is years out of date is very unsafe and should be avoided.
Beware of "bargains" that may come with unexpected security risks.
If you have holiday shopping left to do, be sure to check out these articles for tips on how to ensure that the products you're buying are secure and how to shop safely:
There were other notable goings-on in the security world in November. Some highlights:
"I am root"/Groot cartoon image credit: Johnathon Burns modified by Gaël