How to protect your Mac from the ‘App Store password’ bug

Shortly after the discovery of the “root” bug plaguing Macs worldwide, Apple is faced with another embarrassing flaw in the newest version of its macOS. And it’s yet another password-centric vulnerability.

A recent post on Open Radar reveals that the App Store preferences pane in System Preferences can be unlocked by a local admin with a bogus password – or, as our own tests revealed, no password whatsoever.

The steps to reproduce the bug are:

1) Log in as a local admin

2) Open the App Store preferences pane from the System Preferences

3) Lock the padlock if it is already unlocked

4) Click the lock to unlock it

5) Enter any bogus password (or leave the password field blank)

6) Hit Return / Enter

If these steps reproduce the bug on your Mac, you are affected.

The flaw is not terribly dangerous, but it’s not harmless either. Anyone with physical access to a Mac on which an admin account is already logged in can alter the settings that control how that Mac downloads and handles third-party software. A bad actor could use this bug to deploy malware onto the unsuspecting victim’s computer.

Mac users running the macOS High Sierra 10.13.3 beta are reportedly unable to reproduce the bug, indicating either that Apple is aware of the flaw, or that something new in the beta inadvertently “breaks” it. So, what can you do until Apple releases the fix? Not much, beyond tightening the existing security settings on your Mac.

You can leverage the “hot corners” feature to quickly enable a screensaver whenever you get up from your desk. Go to System Preferences -> Desktop & Screen Saver and look for the Hot Corners button in the bottom right-hand corner of the window.

Then, you should set your Mac to ask for a password immediately after the screensaver kicks in. To do this, visit the Security & Privacy module under System Preferences.
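The two hardening steps above (a hot corner that starts the screen saver, and a password prompt the moment it starts), applied from the shell instead of System Preferences, as an added example that is not part of the original post. It assumes the com.apple.screensaver and com.apple.dock preference keys it writes are honoured on the reader's macOS version.

```shell
#!/bin/sh
# Added example, not from the original post: audit and tighten the macOS
# screen-lock settings the post recommends. Assumption: the preference keys
# below are honoured by the reader's macOS release (tested conventions for
# 10.13-era systems; a logout may be needed before the change is visible).

# Decide whether askForPassword / askForPasswordDelay mean "ask for the
# password immediately after the screen saver starts". Returns 0 if so.
lock_policy_ok() {
    ask="$1"; delay="${2:-0}"
    case "$delay" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric: treat as weak
    [ "$ask" = "1" ] && [ "$delay" -eq 0 ]
}

# Read the live values with defaults(1) and report; exits non-zero when weak.
audit_screen_lock() {
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
    if lock_policy_ok "$ask" "$delay"; then
        echo "OK: password required immediately after screen saver starts"
    else
        echo "WEAK: askForPassword=$ask askForPasswordDelay=$delay"
        return 1
    fi
}

# Apply the two settings from the post: immediate password prompt, and a
# bottom-right hot corner (value 5 = start screen saver) with no modifier key.
harden_screen_lock() {
    defaults write com.apple.screensaver askForPassword -int 1
    defaults write com.apple.screensaver askForPasswordDelay -int 0
    defaults write com.apple.dock wvous-br-corner -int 5
    defaults write com.apple.dock wvous-br-modifier -int 0
    killall Dock    # restart the Dock so the hot corner takes effect
}
```

On a Mac, source the file and run `audit_screen_lock || harden_screen_lock`; the audit alone is safe to run repeatedly.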

Finally, look out for Apple’s 10.13.3 update and install it the moment it becomes available.

This is a Security Bloggers Network syndicated blog post authored by Filip Truta. Read the original post at: HOTforSecurity