This does not help at all for the drubbing that macOS High Sierra has been getting recently. Long-term OS X users have been waiting for a Snow Leopard-like release, but it seems like Apple isn’t taking as much care as required on security and stability on the Mac. Something has to give — either Apple’s organizational structure needs a change or Apple needs to abandon certain things completely instead of releasing sub-standard products that aren’t expected from it.
As a long time Mac user, I keep hoping that Apple will decide to double down on better and deeper focus on all its products, including the Mac, its OS and ecosystem, and make the changes necessary across its organization and its teams.
The interesting implication from this is that while it works for the App Store preferences, it doesn't work for the others, showing that there is a manual check that each pane is doing. Why aren't all of these calls identical? If each has to be handled manually, it's no wonder that there are bugs like this appearing.
I have a feeling this isn't actually that High Sierra is that much worse, but more that people are now actively pen-testing macOS to find the next embarrassing bug.
And that scares me even more because of the unknown of how long such bugs must've existed in the system.
Is this Apple's Windows XP moment? (Like when MS stopped everything and did massive security training that resulted in XP SP 2 being worlds more secure?)
If you read the notes:
This only appears to be when logged in as a local admin. Tested with a non-admin account and I cannot unlock the prefpane with incorrect credentials.
So basically they are checking to see if you have credentials already. I guess this is a caching issue since you locked it.
C'mon Apple, I know security people are in short supply but:
A) You have the resources
B) This is the type of bug that any semi-decent QA process should catch anyway
I'm on 10.12.6 and a local admin account, and it only unlocks to my actual password. That might mean it's a recently-introduced bug (assuming someone else can reproduce my result).
Sorry if this is a dumb question, but: why is it unreasonable for a local admin to have the power to change AppStore preferences? Without knowing much about the OS X security model, this sounds like not a big deal?
If an Apple developer is reading this, your team should consider system-wide input testing. It'd be worth the developer time. Who knows how things can break if long, crazy strings are inserted.
What do you get when you tell everyone that “MacOS and desktop computing are as important to our company as ever” when in reality you barely give a crap about it.
This is a fairly minor bug, since, apparently, it only happens when already logged in as admin (and it’s “just” App Store prefs). (I get that you can come up with scenarios to exploit this, but come on.)
But, wow, how many bugs is this for High Sierra where a password prompt can be bypassed?
It’s like password prompt flu is going around Apple.
Was there bad sample code distributed or some change in the default behavior of some key API? (In addition to the obviously inadequate testing.) I guess it would make more sense to me if there was something connecting all these issues. (Besides the inadequate testing.)
Can confirm it doesn't work on "Sierra", so it must be High Sierra's feature.
Can confirm - with my colleague's laptop - much to his amusement :)
Though it is "queer", it doesn't seem to be that much a security issue, or - more probably - I am failing to understand the risk implied.
Can anyone describe a possible scenario where this would pose a security risk?
I don't know if I'm doing it wrong or maybe the problem has been fixed in the latest beta, but I can't replicate the problem on 10.13.3 Beta (17D34a). I lock the App Store preference pane and can't unlock it with anything except my real password. And yes, I am logged in as an Admin user.
Maybe it's Apple's strategy - let macOS slowly disintegrate and then give iOS to frustrated desktop users as the only right way? Last time I've seen that strategy was when Nokia had a mole as CEO installed, though the outcome wasn't very nice to either Nokia or MS...
My AppStore preferences do not even have a lock icon on 10.11.6. Must be in newer versions only?
FYI—I’m running the latest public beta of 10.13.3 (17D34a) and couldn’t duplicate this issue.
It's a bug. Bugs happen. It will be fixed. Take a deep breath, or a sedative, and relax.
So is it that they don't have an automated test suite or the coverage is poor?
macOS High Sierra is such a disaster. Does Apple have any quality control over software at this point? No security vending? How could they have customers' trust if they keep making such idiotic mistakes?
Kind of a silly title "AppStore Preferences lock is a lie" -- it isn't a "lie" unless Apple intended for it to not lock correctly. But obviously, it's a bug. It isn't like Apple is trying to deceive users.
Interesting bug, unnecessarily hyperbolic title for it.
So basically it's a UI bug, not a serious security vulnerability.
Did Apple just fire all their Q&A teams in the past year? So many security and technical problems in their software.