Yet another serious security flaw has been discovered in macOS High Sierra.
The bug, which remains present in Apple’s most recent public release, allows anyone to change the App Store settings in System Preferences by entering anything as your password.
It’s hard to ignore the decline in Apple software quality. It seems that with every update — for iOS or macOS — new bugs get introduced. Some are serious security flaws, like the one that allowed anyone to gain administrator access to your Mac by entering “root” as the password.
Another security flaw is uncovered
The latest also falls into this category. Highlighted in a bug report on Open Radar, the flaw allows anyone to change App Store settings within System Preferences. Entering anything in the password field, which normally requires your login password, grants access to the menu.
Once inside this menu, the user can do trivial things like enable or disable automatic updates — including macOS updates — and more serious things like changing the length of time before your password is required between App Store purchases.
The user must be logged into an administrator account, however, so this won’t work in guest accounts. It’s also worth mentioning that other System Preferences menus cannot be unlocked with the same trick.
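The behaviour described above, an authorization prompt that is shown but accepts any password for one pane while still verifying it for others, is the kind of defect a regression test catches cheaply. The following is an added, deliberately simplified model written for this article; it is not Apple's code, the article does not state the real root cause, and the `User`, `unlock_pane_vulnerable` and `unlock_pane_fixed` names, the pane strings and the toy password store are all assumptions made to reproduce only the observable behaviour the report describes (admin required, App Store pane unlocks with any password, other panes do not).

```python
import hashlib
import hmac
import secrets

# Constructed toy credential store for the model; not Apple's data or code.
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class User:
    """A local account with a salted password hash and an admin flag."""

    def __init__(self, name: str, password: str, is_admin: bool):
        self.name = name
        self.is_admin = is_admin
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)

    def verify_password(self, candidate: str) -> bool:
        # Constant-time comparison so a wrong guess is not distinguishable by timing.
        return hmac.compare_digest(self.pw_hash, _hash_password(candidate, self.salt))


def unlock_pane_vulnerable(user: User, pane: str, password: str) -> bool:
    """Models the reported behaviour: only admins reach the prompt, but for the
    App Store pane the password entered is never actually checked (assumed model
    of the symptom, not the real defect)."""
    if not user.is_admin:
        return False
    if pane == "App Store":
        return True  # defect: the prompt is shown, but any password unlocks the pane
    return user.verify_password(password)


def unlock_pane_fixed(user: User, pane: str, password: str) -> bool:
    """Hardened form: every pane's prompt verifies the password for every account."""
    if not user.is_admin:
        return False
    return user.verify_password(password)


def regression_check(unlock) -> dict:
    """Runs the four cases a test suite should assert on and returns the outcomes.
    Any True value under a 'wrong password' or 'non-admin' key is a failure."""
    admin = User("admin", "correct-horse", True)   # constructed sample account
    guest = User("guest", "irrelevant", False)     # constructed sample account
    return {
        "admin_wrong_pw_app_store": unlock(admin, "App Store", "anything"),
        "admin_right_pw_app_store": unlock(admin, "App Store", "correct-horse"),
        "admin_wrong_pw_other_pane": unlock(admin, "Users & Groups", "anything"),
        "non_admin_app_store": unlock(guest, "App Store", "anything"),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", unlock_pane_vulnerable), ("fixed", unlock_pane_fixed)):
        print(name, regression_check(fn))
```

The point of `regression_check` is the `admin_wrong_pw_app_store` case: a prompt that exists only to be bypassed is indistinguishable from no prompt, so the test treats "wrong password unlocks" as a hard failure regardless of which pane or account type is involved.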
Apple may have a fix at the ready
According to MacRumors, which was first to notice the bug report, the flaw is present in Apple’s latest 10.13.2 release — but not in Sierra versions of macOS. The issue cannot be reproduced in the latest 10.13.3 betas, so it seems Apple may already have a fix at the ready.
If Apple is already aware of the issue, it surely will have been hoping it could fix it before anyone noticed the problem.
At this point, you might be thinking, “App Store preferences are unlocked by default in administrator accounts.” But as MacRumors adds, “being able to bypass a Mac’s password prompt with any password is obviously unacceptable.”
What’s the point in having the prompt at all?
I’ve already written, at length, about how Apple must do something to eliminate frequent bugs like this one, and warned that the company could eventually damage its reputation. As more bugs get uncovered in new releases, the potential for that grows.
Update: A source familiar with the matter insists this bug does not create any exposure for High Sierra users. The App Store preference menu is unlocked by default on admin accounts.
However, if an administrator locks the App Store preference menu, someone else using their account can unlock it again without entering the correct password. Again, this does not work if you are logged in as a normal or guest user without administrator privileges.
This behavior does not allow access to any sensitive user information on the Mac. User and other system preferences cannot be changed without the user’s admin password. We’re told Apple’s next High Sierra update, version 10.13.3, will eliminate the issue.
Apple has since issued an official statement on the bug, which reads:
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.