The Escalation-of-Privilege Edition Wednesday, November 29, 2017

Apple Working To Fix “Root” Password Issue, by Jim Dalrymple, The Loop

“We are working on a software update to address this issue,” an Apple spokesperson said in a statement provided to The Loop.

macOS Bug Lets You Log In As Admin With No Password Required, by Dan Goodin, Ars Technica

In one of Apple's biggest security blunders in years, a bug in macOS High Sierra allows untrusted users to gain unfettered administrative control without any password.

The bypass works by putting the word "root" (without the quotes) in the user name field of a login window, moving the cursor into the password field, and then hitting the enter button with the password field empty. With that—after a few tries in some cases—the latest version of Apple's operating system logs the user in with root privileges. Ars reporters were able to replicate the behavior multiple times on at least three Macs. The flaw isn't present in Yosemite, the previous macOS version.


Of more concern is that malicious hackers can exploit this vulnerability to give their malware unfettered control over the computer and OS. Such escalation-of-privilege exploits have become increasingly valuable over the past decade as a way to defeat modern OS defenses. A key protection found in virtually all OSes is to restrict the privileges given to running software. As a result, even when attackers succeed in executing malicious code, they're unable to get the malware permanently installed or to access sensitive parts of the OS.

macOS High Sierra Security Vulnerability Discovered, Here’s How To Set Root Password For Fix, by Greg Barbosa, 9to5Mac

Users who haven’t disabled guest user account access, or changed their root passwords, are currently open to this attack. We’ve laid out instructions on how to protect yourself in the meantime until an official fix from Apple is released.
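The two interim mitigations the articles above point to, setting a root password and turning off the guest account, can be checked from a shell. The script below is an added example, not code from Apple or from any of the quoted publications. It assumes macOS's `dscl` and `defaults` commands and the `GuestEnabled` key in `/Library/Preferences/com.apple.loginwindow`; the two parsing functions take command output as a string so they can be exercised with constructed sample text on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original articles): audit a Mac for the two
# conditions the High Sierra root-login reports call out, from a defender's
# side. Assumes macOS `dscl` and `defaults`; parsing is separated from the
# commands so the logic can be tested with constructed output anywhere.

# root_password_set OUTPUT
# OUTPUT is the text of `dscl . -read /Users/root AuthenticationAuthority`.
# Returns 0 when a password hash entry exists for root, 1 otherwise. On a
# stock install dscl answers "No such key: AuthenticationAuthority", meaning
# root has no password stored at all.
root_password_set() {
  case "$1" in
    *"No such key"*) return 1 ;;
    *AuthenticationAuthority:*ShadowHash*) return 0 ;;
    *) return 1 ;;
  esac
}

# guest_login_enabled OUTPUT
# OUTPUT is the text of
# `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled`.
# Returns 0 when the value is 1 (guest login on), 1 when it is 0 or absent.
guest_login_enabled() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    1) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_root_login: run both checks on the current Mac and print advice.
# Exit status: 0 with nothing to do, 1 with at least one finding,
# 2 when not running on macOS.
audit_root_login() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found: this audit only runs on macOS"
    return 2
  fi
  findings=0

  root_out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  if root_password_set "$root_out"; then
    echo "root: a password entry exists. Confirm it is a strong password you set;"
    echo "      if the bypass was ever tried on this Mac, root may hold an empty one."
    echo "      Reset with: sudo passwd root"
  else
    echo "root: no password stored. Set one now with: sudo passwd root"
    findings=1
  fi

  guest_out=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
  if guest_login_enabled "$guest_out"; then
    echo "guest: account enabled. Turn it off in System Preferences > Users & Groups"
    echo "       until Apple's update is installed."
    findings=1
  else
    echo "guest: account disabled."
  fi
  return "$findings"
}

# Invoke as: sh audit.sh --run   (guarded so sourcing the file runs nothing)
if [ "${1:-}" = "--run" ]; then
  audit_root_login
fi
```

Run it with `sudo sh audit.sh --run` on the Mac in question; a non-zero exit status means at least one of the two interim mitigations is still missing.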

Best Camera Photos

Some Notes On iPhone X’s Portrait Mode, by Khoi Vinh,

However, I’m not even contending that any of this is ultimately bad, or should be considered a failure of technology. As I said, portrait mode produces the best camera photos I’ve ever seen, hands down. I would much rather have an iPhone X with portrait mode as an option than not, for the many, many times it’s just impractical to carry my DSLR with me.

More to the point, quibbling over the finer points of photographic effects is somewhat (though not entirely) pointless. What really matters here is that there will be tens if not hundreds of millions of these cameras in the hands of countless people everywhere before too long, and those people will take billions of pictures with them. Only a vanishingly small number of these people will ever object to the details I’ve listed here; most will be incredibly pleased with how portrait mode performs and will share the fruits of their labors avidly.

Here’s The Truth Behind The Biggest iPhone Controversies, by David Phelan, Independent

But one of the properties of an OLED display is the way it saves power by leaving pixels off. So, why is there no official ‘dark mode’ on the iPhone X?

Dye has an answer: "Those focused purely on power considerations were attracted by that but first and foremost we focus on user experience. We’ve had a lot of these discussions and the vast majority of the way you use your phone is oftentimes reading text and there’s a reason why black ink on white paper has been around for a long time, it’s just much easier to read, so we made that decision. But battery life, I can tell you, has been pretty amazing."

Federighi agrees. "What you do on the phone in addition to looking at photos and so on is reading text and we find black text over white the most pleasant interface and with the best legibility. Though I understand the coolness thing."

Pixelmator Pro Is Out

Pixelmator Pro Wants To Be The Photoshop Killer On macOS, by Romain Dillet, TechCrunch

Pixelmator Pro has all the tools you’d expect from an image processor, such as a smart selection tool, retouching tools, painting tools, all sorts of color adjustment effects and more.

The app has been developed in Apple’s own programming language Swift 4 and is optimized for your GPU thanks to Metal 2, Core Image and OpenGL. Photo editing is non-destructive, which means that you can open a photo again and revert to the original photo if you’re not happy with your color adjustments — you can also go back and revert individual changes without undoing all your work.

If you want to edit multiple images with the same adjustments and effects, you can now save a preset and apply this preset to multiple images. You can also share presets with others by drag-and-dropping this preset into another app.

Pixelmator Pro First Impressions: A Beautiful Modern Interface With Advanced Image Editing Tools, by John Voorhees, MacStories

I’d argue that adopting Pixelmator Pro is also an easy choice for someone who only needs a subset of Pixelmator Pro’s tools like me. I’ve found that over time, I’ve grown into the original version of Pixelmator, which has made me comfortable using it for new, more complex tasks. Pixelmator Pro will give me the room to continue growing those skills.

Even when I’m just combining and resizing screenshots, there’s an unmistakable advantage to Pixelmator Pro over the original version. The Pro version is simply easier to use. There’s less clutter, I know where my tools are at all times, and it looks better, which for a tool that I will use many times each week, is worth the price.


MindNode 5: Digital Mind Mapping Finally Clicked For Me, by Ryan Christoffel, MacStories

MindNode has long been one of the premier mind mapping apps for Mac and iOS, and its version 5 is a huge update that, for me at least, centers around two main changes: a streamlined, intuitive user interface, and the adoption of drag and drop support. There's a lot more to this update than those two things, with plenty of goodies that die-hard MindNode fans will appreciate, but for users like me – those dissatisfied with digital mind mapping, or even inexperienced at it altogether – the most important changes are those that make the app more approachable, and the new UI and drag and drop certainly do that.

iHeartRadio Adds Support For Podcasts To Its CarPlay Application, by Chance Miller, 9to5Mac

iHeartRadio is expanding its CarPlay application. The company announced today that it is adding support for podcasts to the app, alongside several new features that make the podcast experience as seamless as possible.


Apple Commemorates Computer Science Education Week With New Hour Of Code Sessions, by Mike Wuerthele, AppleInsider

Apple has opened up thousands of new Hour of Code sessions at every Apple Store location between Dec. 4 and Dec. 10, with new Swift Playgrounds challenge and teacher resources available to all.

The week-long focus celebrates Computer Science Education Week. Young coders have the option of signing up for a "Kids Hour" with ages 12 and up with a different session focusing on Swift Playgrounds on the iPad.

Apple To Shut Down iTunes Connect From December 23 To 27, by Juli Clover, MacRumors

Each year, Apple shuts down iTunes Connect for a week around the holidays to give its App Store staff time off from work. This year, iTunes Connect will be shut down from December 23 to December 27.

Bottom of the Page

I will be interested to find out more about how this macOS bug came about. After all, user authentication on macOS hasn't really changed between Sierra and High Sierra, has it?


Thanks for reading.