This week’s macOS High Sierra root access bug (a.k.a. #iamroot) may have been patched after less than 24 hours, but the debates and lessons will last longer.
If you missed the story, the bug allowed an attacker with access to a Mac running High Sierra to log in as a root user just by typing “root” in the user field, leaving the password field blank, and hitting enter a couple times. It worked both on the lock screen and in system dialogue boxes, and it could be done remotely if screen sharing was enabled. Prior to the patch being released, it could be remediated by enabling the root user and setting a password. (More here, here, here, and here.)
One thing that a friend pointed out is that a traditional Mac management agent could have been used to mitigate the bug (by enabling and protecting the root user as described), while pure MDM management could not. I wasn't sure how we’d cover this story, but in light of this point, there are a few takeaways regarding MDM, modern management, and mobile threat defense that are worth mentioning:
On one hand, zero-days will happen, and there’s no telling whether traditional management or modern management will be the best tool for remediation. And again, this one got patched after less than 24 hours, and most MDM-managed Macs were probably just fine.
On the other hand, this is food for thought as we transition desktops—both Windows 10 and macOS—to modern management. Until the time when desktop OSes are locked down to the degree of mobile OSes (and iOS in particular), management tools that combine the best of traditional and modern approaches are certainly a prudent choice. This is what we’re seeing in many of the latest “bridge” management tools for Windows and macOS.
However, for as locked down as mobile OSes are, there’s still an expanding market of third-party mobile threat defense agents, as I’ve covered several times this year. Some of them try to deduce what’s going on under the hood of mobile devices, if you will, even though the OSes (iOS especially) make this difficult.
I’m not an expert on desktop antivirus, so I’ll leave it at that for now, but I am curious about two things: Have you considered mobile threat defense? And how did you remediate for the macOS root access bug?