
scottvd (macrumors newbie, original poster), Dec 6, 2017
Everyone is buzzing about the root security flaw; tell me how this is different:

1. Reboot into single user mode
2. mount -uw /
3. rm /var/db/.AppleSetupDone
4. shutdown -h now
5. Create new admin account

Like, what am I missing here? Why is this so easy to do? With a new admin account you could install a hidden keylogger/screen capture service, then reboot the machine back into single user mode and delete the new admin account you created, and the owner would have no indication that anything had changed. In less than 15 min I could install a keylogger with zero traces? Ouch. How is that even kind of secure? Or am I missing some obvious prevention tip for this?

*EDIT* Yeah, as I'm researching this, setting up a firmware password would prevent this from being so casually easy, so that's the prevention tip right there. I wish the firmware password was encouraged more. I bet most of the people buzzing about the root bug don't have a firmware password and aren't aware how easy it is to accomplish the same thing.

jeremysteele (Cancelled), Jul 13, 2011
That would require any of these:
  1. A user to willingly boot it into single user and run commands all willy-nilly.
  2. An admin to install a malicious tool to set the boot flag to force boot in single user, in the boot.plist file (and at that point, with admin privs, why bother with single user?), and somehow run commands remotely in single user (which would be incredibly difficult given the limited drivers that single user loads...)
  3. Physical access by a malicious user (which breaks most security on every system out there...)
FileVault would break this entire idea, since it requires a password to unlock the drive prior to single user mode. I would reckon most OS X users have that enabled by now.

Also as you mentioned, firmware passwords would break it, for the same reason.

There is literally no comparison between what you listed and the root flaw that was recently discovered & patched.
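As an added example that is not part of either post: a small audit script covering both the reset procedure scottvd lists and the two mitigations jeremysteele names. It reports whether FileVault and a firmware password are enabled, whether boot-args force single-user mode (the usual place for that flag; the thread's "boot.plist" remark refers to the older equivalent), and whether the /var/db/.AppleSetupDone marker that step 3 deletes is still present. The command names are real macOS tools, but the exact output strings the parsers match ("FileVault is On.", "Password Enabled: Yes", "boot-args<TAB>flags") are my assumptions about their format and should be verified on your own macOS version; the severity wording is mine. The parsers take command output as a string so the script demonstrates itself offline on constructed samples.

```shell
#!/bin/sh
# Added audit example, not code from either post. Checks a Mac for exposure to
# the single-user-mode .AppleSetupDone reset and for the FileVault and firmware
# password mitigations. Assumed output formats (verify on your macOS version):
#   fdesetup status         -> "FileVault is On." / "FileVault is Off."
#   firmwarepasswd -check   -> "Password Enabled: Yes" / "Password Enabled: No"  (root only)
#   nvram boot-args         -> "boot-args<TAB><flags>", or nothing when unset
# Each parser takes the command output as a string so it runs offline.

filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

firmware_password_on() {
    case "$1" in
        *"Password Enabled: Yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a standalone "-s" (force single-user boot) is present in boot-args.
single_user_forced() {
    args=$(printf '%s\n' "$1" | sed -n 's/^boot-args[[:space:]]*//p')
    for tok in $args; do
        [ "$tok" = "-s" ] && return 0
    done
    return 1
}

# Step 3 of the reset deletes this marker; if it is missing, Setup Assistant
# will offer to create a new admin account at next boot.
setup_marker_present() {
    [ -f "${1:-/var/db/.AppleSetupDone}" ]
}

yes_no() { if "$@"; then echo yes; else echo no; fi; }

# Arguments: filevault yes|no, firmware-password yes|no, single-user-forced
# yes|no, setup-marker-present yes|no. Prints one line starting with a severity.
verdict() {
    if [ "$3" = yes ]; then
        echo "CRITICAL: boot-args contain -s, so every boot lands in single-user mode; clear with 'nvram -d boot-args'"
    elif [ "$4" = no ]; then
        echo "CRITICAL: /var/db/.AppleSetupDone is missing; Setup Assistant will create a new admin account at next boot"
    elif [ "$1" = no ] && [ "$2" = no ]; then
        echo "EXPOSED: no FileVault and no firmware password; anyone with physical access can run the reset"
    elif [ "$1" = no ]; then
        echo "PARTIAL: firmware password blocks single-user boot, but the disk is unencrypted; enable FileVault"
    elif [ "$2" = no ]; then
        echo "PARTIAL: FileVault requires the disk password before single-user mode, but no firmware password is set"
    else
        echo "OK: FileVault and firmware password are both enabled"
    fi
}

# Live mode: query the real tools (run as root on a Mac).
run_live_audit() {
    verdict "$(yes_no filevault_on "$(fdesetup status 2>/dev/null)")" \
            "$(yes_no firmware_password_on "$(firmwarepasswd -check 2>/dev/null)")" \
            "$(yes_no single_user_forced "$(nvram boot-args 2>/dev/null)")" \
            "$(yes_no setup_marker_present)"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FV_OFF="FileVault is Off."
SAMPLE_FW_NO="Password Enabled: No"
SAMPLE_BA_NONE=""
SAMPLE_BA_SINGLE=$(printf 'boot-args\t-v -s')

if [ "${1:-}" = "--live" ]; then
    run_live_audit
else
    # Offline demonstration: an unprotected Mac with its setup marker intact.
    verdict "$(yes_no filevault_on "$SAMPLE_FV_OFF")" \
            "$(yes_no firmware_password_on "$SAMPLE_FW_NO")" \
            "$(yes_no single_user_forced "$SAMPLE_BA_NONE")" yes
fi
```

Run it as `sudo sh audit.sh --live` on the Mac you want to check; without `--live` it evaluates the constructed sample instead. The boot-args and setup-marker checks come first in `verdict` because either one means the machine is already being tampered with rather than merely exposed.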