On Tuesday, Sophos, a web site that specializes in OS security issues, summarized a new security flaw in OS X Lion that isn’t present in Snow Leopard. A logged in user can change other user passwords without knowledge of the original password.
According to Chester Wisniewski at Sophos, “The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner. An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required.”
The flaw was discovered and reported over the weekend by “Defense in Depth,” an information security blog.
What must be kept in mind is that the flaw must be exploited by someone logged onto the machine in the first place. Because it’s not typical for home users to have outsiders logged onto their Macs via, say, SSH, the threat, as it first seems, may not be critical. However, enterprise users will find this much more alarming, especially since the problem isn’t present in Snow Leopard.
In any case, we’ll keep an eye on this one and report when the problem is fixed by Apple.