We should ALWAYS take into account security issues in SW Development, even if there are no explicit requirements on that. Do you agree?
What do you think the developers of these features (and the rest of the team, of course) heard after Apple felt obliged to do this public (shaming) announcement?
Quoting:
"The vulnerability allows users of macOS 10.13 to gain admin rights, or log in as root, simply by clicking a login box several times. Apple issued a fix within 24 hours, and both the US and German governments issued alerts advising Mac users to patch up.
"The vulnerability allows users of macOS 10.13 to gain admin rights, or log in as root, simply by clicking a login box several times. Apple issued a fix within 24 hours, and both the US and German governments issued alerts advising Mac users to patch up.
But besides patching up, Apple is now looking to review how it does code.
“We greatly regret this error and we apologize to all Mac users,” Apple said in a statement. “Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of Mac OS,” Apple said in its statement.
To exploit the vulnerability, users simply needed to bring up the authentication dialog box, which is often done if needing to configure privacy or network settings. Once the dialog box appears, type in 'root' as a username. Leave the password blank, press Enter, then click 'unlock' a couple of times and voila – access granted.
Fortunately, the workaround to the flaw appears simple – all users need to do is configure a root password and the flaw will no longer work."
