Root Access Vulnerability in macOS High Sierra

As reported by Juli Clover for MacRumors and numerous other sites:

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

We verified that on macOS High Sierra 10.13.1, “root” user is enabled by default with blank password. For comparison, OS X El Capitan has “root” user disabled by default.

UPDATE:
We verified that previous versions of macOS/OS X/Mac OS X have “root” user disabled by default.

This is similar to the enabled-by-default-with-blank-password “administrator” accounts in Windows XP.

By having “root” user disabled by default, potentially a remote attacker can compromise Macs running macOS High Sierra.

Having said all that, anyone with physical access and the right knowledge can reset local user password.

WordPress 4.9 “Tipton”

From WordPress.org:

Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.

I first thought: “Tipton, Glenn Tipton.”
By the way, when are they going to get to “Van Halen”?
If only I were the one in charge of naming WordPress…

Time to get your WordPress updated, again.

WPA2 Wi-Fi Vulnerability

This just in.

From BleepingComputer:

Mathy Vanhoef, a researcher from the University of Leuven (KU Leuven), has discovered a severe flaw in the Wi-Fi Protected Access II (WPA2) protocol that secures all modern protected Wi-Fi networks.

The flaw affects the WPA2 protocol itself and is not specific to any software or hardware product.

Vanhoef has named his attack KRACK, which stands for Key Reinstallation Attack.

Yikes!

Also from BleepingComputer:

List of Firmware & Driver Updates for KRACK WPA2 Vulnerability