Lion Security Flaw Takes Backward Step from Snow Leopard


On Tuesday, Sophos, a web site that specializes in OS security issues, summarized a new security flaw in OS X Lion that isn’t present in Snow Leopard. A logged-in user can change other users’ passwords without knowledge of the original password.

According to Chester Wisniewski at Sophos, “The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner. An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required.”

The flaw was discovered and reported over the weekend by “Defense in Depth,” an information security blog.

Keep in mind that the flaw can only be exploited by someone who is already logged onto the machine. Because it’s not typical for home users to have outsiders logged onto their Macs via, say, SSH, the threat may not be as critical as it first seems. However, enterprise users will find this much more alarming, especially since the problem isn’t present in Snow Leopard.

In any case, we’ll keep an eye on this one and report when the problem is fixed by Apple.

Comments

ilikeimac

Does this mean, for example, that a trojan program running in a “standard” (unprivileged) account, could change the password of an Administrator account and thereby gain Administrator privileges? That seems a more relevant threat, though most Mac owners use an Administrator account all the time anyway.

Lee Dronick

I am seeing conflicting opinions/statements on this vulnerability. Some say that it isn’t really a big deal and that you can’t change other users’ passwords, while writers and commenters are very concerned. Hopefully the security researcher who found the vulnerability had informed Apple well before spilling the beans and that a Lion update will soon be issued.

Bill Wallace

I’m not seeing this behaviour on my 10.7 install.

ilikeimac

I’m not seeing this behaviour on my 10.7 install.

Which method(s) of changing the password did you try? The source article seemed to say that the following terminal command, where TestUser is your user name, would let you change the password without entering the old one:

dscl localhost -passwd /Search/Users/TestUser
New Password

vpndev

I don’t see this either. My system has a user “admin” and this is what I see

$ dscl localhost -passwd /Search/Users/admin
New Password:
Permission denied. Please enter user’s old password:

I admit it’s a weird interface that asks first for the new password. Quite weird.

vpndev

p.s. you CAN change the password for the CURRENT user without the existing password, which is indeed a Bad Thing. Seriously Bad.

But not for *other* users it would seem.

geoduck

Normally when a new version of OS-X comes out I’m right there. I upgrade within the first few days or week at the most. When Lion came out though, I just had a funny feeling about it. There are a few nice things in Lion but I’ve not seen anything in it that I really need to have and there are definite bugs that I don’t want to worry about.

When it came out I said I was going to wait for a couple of updates, and so far I’ve not seen anything to change that opinion. 10.7.1 is out now. I guess I’ll wait for 10.7.2, or maybe 3. I might wait until I get a new Mac. Until I get a better feeling about Lion I’m sticking with Snow Leopard.

Masa Faka

“A logged in user can change the currently logged in user’s password”

A logged in user can delete the currently logged in user’s data without a password. DUH. If he’s logged in he clearly needs to know the password to have logged in.

And anyone having access to your box while you’re logged in can wreak major havoc on your machine. Move on this is not news. Just journalist grasping for straws on a slow day.

vpndev

Masa - it’s true that a walk-up to your system can delete your data. But until now, a walk-up could not change your password, as he/she needed to know the old one to accomplish that task.

That is what has changed, and that is Seriously Bad.

If you think this is a journalist-on-a-slow-day story then you have a lot of learning ahead of you. Hang on—the ride will be rough.

rwahrens

vpndev;

If you allow someone access to your Mac on a walkup basis that is likely to change your password, then you’ve got more serious problems than a simple password bug!

Only you have the ability to control access to your Mac, physically.  If you doubt the honesty of anyone that may have that access, you simply lock the screen when you walk away from it.

This flaw IS a security problem, but I would rate the seriousness of it as low, given the ease of just changing your access procedures to prevent it from being a problem.

As noted, enterprise users may be more concerned, IF there is access allowed via SSH or VPN, so depending on a particular Mac’s circumstances, there could well be a more serious issue, however.
