I have been saying for a long time that the Mac world is vulnerable to various malware exploits. It simply escaped because of the small market share. Now that they have increased Mac sales, it has become “profitable” for the bad guys to target the Macs and Apple products. Two security failures in recent weeks just demonstrate the tip of the iceberg. The ones found so far are the easy ones. There is no special magic Mac protection except obscurity. Now the obscurity is gone.


Mac OS X Lion Password Flaw Lets Hackers Make Changes With Ease

The Huffington Post     First Posted: 9/20/11 09:31 AM ET Updated: 9/20/11 03:03 PM ET

If you were one of the millions to download Mac OS X Lion, your system password might not be as safe as it should be.

According to the information security blog Defence in Depth, a major oversight in Lion allows any user on your machine (not just the administrator) to easily access and change your password. In Lion (and on all Mac OSes) passwords are kept encrypted in “shadow files,” which are located in folders that should only be accessible by the administrator. Because of a security flaw in Lion, however, these files can be accessed by any user on the machine. The user can then extract the encoded password, run it through a fairly easy-to-find hacking program and decode the password, all according to Defence in Depth.

Perhaps even more dangerous is the discovery that any user can change the system administrator’s password without any programs at all. The user (again, not the administrator, just any user who is physically using the machine) can enter a simple command into the Terminal app, which allows that user to successfully change the administrator’s password. For a full explanation of how this works and the actual command line prompt, visit CNet’s coverage of the security flaw; for a technical proof of the flaw, visit Defence in Depth.

CNet has offered 4 steps that the system administrator should take to avoid having their password stolen or changed by a visiting user. These are very important for those of you who share your computer with co-workers, strangers or anyone you have reason not to trust for any reason (I won’t ask…). In short, you should require a password whenever you start up your machine or come back from screensaver or sleep mode, disable guest account access on your machine, and head over to Parental Controls to set up account management, thereby disallowing administrator status for non-administrator users who are on your machine. Just always require a password to gain access to your system, especially as the administrator.

Though the most high-profile, this is not the first Lion password security flap: in late August it was revealed that systems using LDAP authentication (popular in the enterprise) had a flaw which allowed any user on the machine to attain administrator status using any password at all.

This flaw shouldn’t last long, however. A major security weakness found in Apple’s mobile software in July was patched within nine days. Hopefully Apple will roll out a software update for Lion to patch this new bug, too.
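The article's core point is that the shadow records should be readable only by the administrator, and the hardening advice is to verify that non-admin users cannot reach them. The audit below is an added example, not code from the article, Defence in Depth or CNet: it walks a directory and reports every entry whose mode bits let the group or "other" read it (or traverse it, for directories). The default path is an assumption about where Lion keeps its local user records; the check itself works on any directory, and the sample tree it builds is constructed for demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed location of the local directory-service user records on Lion
# (not stated in the article); pass any other path to audit it instead.
DEFAULT_SHADOW_DIR = "/var/db/dslocal/nodes/Default/users"


def readable_by_non_owner(mode: int) -> bool:
    """True if group or 'other' can read this entry. For a directory the
    execute (traverse) bit counts too, since that is what lets a user
    reach the files inside without reading the listing."""
    if stat.S_ISDIR(mode):
        bits = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH
    else:
        bits = stat.S_IRGRP | stat.S_IROTH
    return bool(mode & bits)


def audit_shadow_dir(root: str = DEFAULT_SHADOW_DIR) -> list[str]:
    """Return the paths (relative to root, '.' for root itself) that an
    unprivileged user could read or traverse. An empty list means every
    entry is confined to its owner, which is the expected hardened state.
    Run as the administrator, since a correctly locked-down tree cannot
    be walked by anyone else."""
    base = Path(root)
    if not base.exists():
        raise FileNotFoundError(root)
    exposed = []
    for p in [base] + sorted(base.rglob("*")):
        if readable_by_non_owner(p.lstat().st_mode):
            exposed.append(str(p.relative_to(base)))
    return exposed


def make_sample_tree() -> str:
    """Build a constructed sample tree: one owner-only record and one
    record left readable by everybody, mirroring the flaw in the article."""
    root = tempfile.mkdtemp()          # created mode 0700
    os.chmod(root, 0o700)
    Path(root, "admin.plist").write_text("constructed record\n")
    Path(root, "guest.plist").write_text("constructed record\n")
    os.chmod(Path(root, "admin.plist"), 0o600)
    os.chmod(Path(root, "guest.plist"), 0o644)   # the leak
    return root


if __name__ == "__main__":
    print(audit_shadow_dir(make_sample_tree()))  # ['guest.plist']
```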

