macOS High Sierra App Store settings menu not effectively secured by user password

The macOS High Sierra 10.13.2 App Store settings can be unlocked with any password entered by an administrator account — but Apple appears to have already implemented a fix in the beta releases currently in testing.

Filed on Open Radar on Jan. 8, and first spotted by MacRumors, the vulnerability allows any user with physical access to a machine logged into an account with administrator level access or greater to alter App Store settings at will, without having to enter a legitimate password. Assailants can alter password requirement settings, or disable the computer's automatic installation of macOS patches.

As vulnerabilities go, this is a dramatic mis-step in quality assurance and testing, but not one with dramatic security effects to the user. The previous bug that could create and grant access to a Root account had more profound security implications.

AppleInsider reproduced this issue on High Sierra 10.13.1 and 10.13.2. However, the vulnerability appears to have been patched on High Sierra 10.13.3 beta 4, and appears to have not existed on High Sierra 10.13 prior to updates. We could not reproduce it on Sierra, El Capitan, Mavericks, or Lion.

Users can minimize risk by keeping their Mac physically secure, and logging out when leaving the presence of the machine. Further security can be provided by preventing remote access to the machine by untrusted parties.

18 Comments

smiffy31 12 Years · 202 comments

About 6 years ago

1. What/who is the greater level of access than administrator ?

2. The simple solution is not to us an account that has administrator privileges.

lkrupp 19 Years · 10521 comments

Physical access and logged in as an administrator? Really? I’m terrified B)

command_f 14 Years · 428 comments

smiffy31 said:

1. What/who is the greater level of access than administrator ?

2. The simple solution is not to us an account that has administrator privileges.

Agreed. The user accounts on our Macs do not have admin privilege, there's an admin account for the times that a lot of, err, administration, is required.

That said, last time I talked to Apple support (about a year ago I guess), they told me that Apple did not recommend user accounts without admin privilege and urged me to change it. I was surprised by this (no rationale was offered) and I think this incident demonstrates that every simple step to reduce vulnerability is worth taking. Hopefully Apple will revise its guidance, I am currently ignoring it.

asdasd 21 Years · 5682 comments

smiffy31 said:

1. What/who is the greater level of access than administrator ?

2. The simple solution is not to us an account that has administrator privileges.

1) well it said admin or greater.

2) In general most users install as the admin user, or it is installed by default. So this bug does mean that someone with physical access ~~can lock you~~ out. Its just strange that it wasnt tested.

EDIT:

They can't lock you out as it isnt a widespread system preferences issue.