A two-year-old security issue in Mac OS X has reared its ugly head once again in Mac OS X 10.7 Lion, allowing users of a computer to easily modify the passwords of other users.
Mac OS X stores encrypted passwords in what are called "shadow files." These files are placed in secure locations on the drive, which are intended to be alterable only by the user himself or an administrator, and only after they authenticate themselves.
Security blog Defence in Depth, which originally found the issue in 2009 in Mac OS X 10.4, 10.5, and 10.6, wrote this week that the issue still remains in Lion.
However, there is a crucial difference that makes the issue worse.
Whereas in the previous version of the flaw administrative privileges were required to make the hack work, with Lion that is unnecessary. Instead, the user only needs to look in Directory Services for the hash file (that is, the file needed to decode the encryption), which is accessible by any user.
"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Defence in Depth's Patrick Dunstan wrote. He did note that non-administrative users would still not be able to access the hash file directory, but the fact that the hash data is stored in Directory Services makes that point moot.
What saves this from being a major issue is that it is only exploitable locally, meaning a remote attacker would not be able to exploit the vulnerability. Still, it raises serious security concerns for Macs used as shared machines.
Apple was not immediately available for comment on the issue. There are steps that can be taken in the meantime to protect Macs running Lion while Apple addresses the issue.
First, all guest accounts should be disabled. This will prevent the easiest route to hack the computer. Additionally, automatic login should be disabled, thus requiring an administrative password at startup.
Users should also set a password for the screensaver and sleep states, thus preventing anyone from accessing the computer while the user is away.
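The three settings recommended above can be audited and applied from the command line. The script below is an added example, not code from the article or from Defence in Depth; it assumes the usual macOS preference keys for these settings (`autoLoginUser` and `GuestEnabled` in `/Library/Preferences/com.apple.loginwindow`, `askForPassword` and `askForPasswordDelay` in `com.apple.screensaver`), and the audit logic is separated from the `defaults` calls so the check itself can be exercised with constructed values on any system.

```shell
#!/bin/sh
# Added example (not from the original article): audit and harden the three
# Lion login settings the article recommends. The preference domains and keys
# below are assumed from common macOS administration usage.

# Pure check: takes the three current values as arguments so it can be run
# with constructed input anywhere. Prints one WEAK line per finding and
# returns the number of findings (0 means all three settings are hardened).
audit_login_settings() {
    auto_login_user="$1"   # non-empty means automatic login is enabled
    guest_enabled="$2"     # "1" means the Guest account is enabled
    ask_for_password="$3"  # "1" means screensaver/sleep requires a password
    findings=0
    if [ -n "$auto_login_user" ]; then
        echo "WEAK: automatic login enabled for user '$auto_login_user'"
        findings=$((findings + 1))
    fi
    if [ "$guest_enabled" = "1" ]; then
        echo "WEAK: Guest account is enabled"
        findings=$((findings + 1))
    fi
    if [ "$ask_for_password" != "1" ]; then
        echo "WEAK: screensaver/sleep does not require a password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Read the live values on macOS and feed them to the audit. Missing keys are
# treated as the safe default for autoLoginUser (no auto-login user set) and
# as "0" for the two boolean-style keys.
audit_live_settings() {
    auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true)
    guest=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo 0)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
    audit_login_settings "$auto" "$guest" "$ask"
}

# Apply the article's three mitigations. The loginwindow domain is
# system-wide and needs an administrator; the screensaver setting is per user.
harden_login_settings() {
    sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
    sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
    defaults write com.apple.screensaver askForPassword -int 1
    defaults write com.apple.screensaver askForPasswordDelay -int 0
}

# Usage (macOS only):  sh lion_login_audit.sh        # report weak settings
#                      sh lion_login_audit.sh --fix  # report, then harden
if [ "$(uname)" = "Darwin" ]; then
    if audit_live_settings; then
        echo "OK: guest account off, automatic login off, screen lock requires password"
    elif [ "${1:-}" = "--fix" ]; then
        harden_login_settings
        audit_live_settings && echo "OK: settings hardened"
    fi
fi
```

Run it once to see which of the three settings is still weak, and re-run with `--fix` to apply the changes; the `defaults` commands only take effect after the next login for the loginwindow keys, so a logout is needed before the audit reflects the Guest and auto-login changes.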