What’s worse than having a dead-simple password that anyone can guess? No password. To go with it, let’s add a username that anyone can enter. That’s exactly what happened to Apple this week: Anyone could log in to your Mac with the username “root” and a blank password.

Oh, and as long as you were on the same network, you could even break into Macs remotely — physical access was not required. Surely this was only for Macs that were running some ancient version of OS X, right? Nope, the vulnerability affected the latest version of macOS: High Sierra (10.13.1).

Can you imagine if Windows 10 had such a vulnerability?

To Apple’s credit, the vulnerability went viral on Tuesday, and was fixed on Wednesday:

Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872

This fix broke file sharing for some users, but never mind that. This is not the type of fix you spend weeks testing.

Speaking of testing, it’s astounding that such a flaw made it through to production machines in the first place. This is the type of mistake you expect a…
