Do you remember security issue on Macs with root access? It was a big security issue, which allows attackers to get root access on your Apple computer. It was fixed fastly, but another security flaw appeared. It’s not as dangerous as root access, but it’s shame that biggest private technology company makes mistakes like this one. This issue affects macOS High Sierra and macOS Sierra after version 10.12.6 (not included).
First, let’s reproduce this issue. If you are running macOS (High) Sierra in affected version, you can try it by yourself:
- open System Preferences from Apple menu in top left corner
- click on App Store section
- click on the padlock icon to lock it if necessary
- now click on padlock again
- then enter your username and any (!) password
- and finally click on Unlock
It’s true that you need to be logged on administrator-level account. On regular accounts this “feature” simply does not work. If you try to unlock other settings by this way, it won’t work too, even on administrator-level account, so other settings are unaffected. I’m not sure why it only works in that one cause, but it’s still shame for Apple. If someone has physical administrator-level access to your Mac, he can disable settings related to automatically installing macOS software, security, and app updates.
This bug is fixed in upcoming version of macOS High Sierra 10.13.3, which is still in beta testing.
Apple has officially apologized for this issue:
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
By default, App Store preferences are unlocked in administrator-level accounts.
I hope that Apple will after these security issues take more care of security of their own operating system on their own hardware. This applies on iOS (and tvOS and watchOS) too.