運行蘋果最新版High Sierra操作系統的蘋果Mac計算機曝出漏洞，可以讓任何人輸入任意密碼來解鎖并修改應用商店的偏好設置。

蘋果在去年11月末也曝出了漏洞：只需輸入用戶名“root”，并進入Mac電腦系統偏好菜單“用戶與群組”欄目，便可獲得蘋果Mac電腦更高的管理員權限。因此，這一漏洞與其相比可謂是小巫見大巫。在打補丁之后，11月底發現的這個安全漏洞可以讓任何人對電腦進行物理訪問，并查看任何文件或修改和重設其他用戶的任何密碼。

新漏洞由IT系統管理員艾瑞克·霍爾塔曼發現并上傳至漏洞報告網站Open Radar。不管怎么樣，這個漏洞也引起了人們的不安。雖然它的嚴重性遠不及上一個漏洞，但也讓人們開始對蘋果的安全設計產生了質疑，畢竟這是近幾個月來發現的第二個登錄小漏洞。

致力于報道蘋果的博客MacRumors首先公布了霍爾塔曼在上周二發布的貼文。

利用這一漏洞的步驟如下：

1. 打開“系統偏好”。

2. 選擇“應用商店” 。

3. 點擊掛鎖標志來“解鎖”（如果處于“未解鎖”狀態）。

4.? 點擊掛鎖標志解鎖。

5.輸入你的用戶名和任意密碼。

屏幕上將顯示以下提示信息：

Apple Mac computers running the latest version of Apple’s High Sierra operating system have a flaw that lets just about anyone unlock and edit a person’s App Store preferences with any password.

The vulnerability isn’t nearly as bad as one discovered in late November that allowed anyone to obtain higher, administrative privileges on Apple Mac computers merely by entering the username “root” while logging into the “User & Groups” section of a Mac computer’s System Preferences menu. That earlier security hole, since patched, enabled anyone with physical access to a machine to view any files or change and reset any passwords for other users.

The new flaw, uncovered by Eric Holtam, an IT systems administrator, and posted to Open Radar, a bug-reporting website, is troubling nonetheless. The finding, though far, far less serious than the past blunder, raises concerns about Apple’s (AAPL, +0.57%)security design, given that this is the second trivial login bug to come to light in recent months.

MacRumors, a blog devoted to Apple coverage, first spotted Holtam’s post on last?Tuesday.

Here are the steps to follow to exploit the hole:

1.Open “System Preferences”.

2.Select “App Store” .

3.Click the padlock icon to “lock” it (if it is “unlocked”).

4.Click the padlock icon to “unlock” it.

5.Enter your user name and any password.

Here’s what the screen should display:

在解鎖應用商店偏好之后，人們可以更改某些密碼設置，例如在批準應用相關購買時系統要求用戶輸入密碼的頻率。即便如此，攻擊者也無法隨心所欲地去進行修改，因為只有“始終要求輸入”或“15分鐘后要求輸入”這兩個選項。

嚴重警告：任何希望利用這一驗證繞過漏洞的人必須以管理員的身份登錄電腦。當《財富》雜志在2015年Macbook Air筆記本上使用非管理員賬戶測試這一漏洞時，所有的嘗試均以失敗告終。

蘋果似乎在即將到來的mac OS High Sierra升級（10.3.3）的早期版本測試這一漏洞的補丁。這一問題很有可能在未來的軟件升級中得到解決。

蘋果并沒有對評論要求做出立即回應。（財富中文網）

譯者：馮豐

審稿：夏林

?

After unlocking App Store preferences, a person can tweak certain password settings, such as the frequency with which a system asks for a user’s password when approving app-related purchases. Even so, attackers cannot go on prolonged spending sprees: the two options are “Always require” or “Require after 15 minutes.”

One big caveat: anyone looking to take advantage of this authentication sidestep has to be logged in as an administrator. When Fortune tested the approach on a 2015 Macbook Air using a non-administrator account, all attempts failed.

Apple appears to be testing a patch for the bug in an early version of a coming macOS High Sierra upgrade (10.3.3). It’s likely the issue will be resolved in a future software update.

Apple did not immediately reply to a request for comment.