Apple has dropped a couple of monumental password security clangers with the release of OS X Lion, according to security blogger Patrick Dunstan. Dunstan, who posted an important piece on cracking Mac OS X passwords a couple of years ago, decided to revisit the subject with the release of OS X Lion (version 10.7). He discovered …
This is abysmal
Compared to what?
Windows? With its rich history of real-world exploits, trojans and self-replicating worms. Even though MS may have tightened things up recently it still feels like more malware than apps are written for the platform these days.
With regards to OS X I suspect these so-called exploits rarely make it past the testing-in-lab stage. There don't seem to be many real-world examples documented. And although it may have a marginal effect I don't buy the market share argument anymore. There are enough Macs out there in the hands of some pretty affluent people and organisations to make for a juicy and profitable target very much worth exploiting. Given that to date no high-profile cases have hit the headlines, this indicates to me that OS X is more secure than most.
I think it is abysmal too.
As a Mac user since before OSX was a twinkle in Jobs' eye, typing on an iMac (rolled back to 10.6 from 10.7), I agree, it is bloody terrible that an OS *today* has such a potential security hole. Never mind that Windows XP was a nightmare pre SP2, or that Linux can be hit in the same way if it doesn't have the latest updates, the fact that the world's most modern OS has a security model from the last decade, which is a giant step back from the previous version, is pretty damn abysmal.
And note to all other Mac users - stop with the "ooh it doesn't matter, there are far more Windows machines and there are no viruses on the Mac". Get over it, that ship has sailed. We have to suffer along with the rest of them. Go to Sophos's website and install their free Mac AV scanner and then move on with your life.
RE: Compared to what?
Stop for a second and then realise just how silly that sounds.
Saying that "security is better than system XX and so that's alright then" is not a sound line of reasoning. It is certainly not a good basis for system design.
It should be as secure as is feasible, not as secure as Windows is plus a bit..
This smacks of clever people not doing a thorough audit after building in new features.
Not malicious/ thoughtless (as I would classify MS security pre 2005), just a bit careless.
Both bugs appear to be related to the Directory Services code.
Which suggests Apple's OS X development team need to take a closer look at their QA and security auditing procedures. Naughty. Very naughty.
Hopefully the recent hiring of a security chap with some serious experience in the subject will help to reduce these cock-ups, although even a company as small (relatively speaking) as Apple will need time to adapt.
On the other hand... It's not as if any other OS out there can claim to be 100% secure either, and it's still a lot easier to hack people than machines. So, don't have nightmares!
Lion: Apple's own Vista?
First the borked versioning "no files but a database" system, then this?
I do not routinely use fruit-branded products, but my officemate (to whom I passed this article as well as the one on undeletable files) is considering a downupgrade*. Now he only has to figure out how!
*yes, I typed this on a porpoise.
It is certainly looking to be a bit of a turd, to the point where, were I to buy a new machine, I would certainly install Snow Leopard on it.
not with an Air you can't
The new Airs will only work with Lion.
I really like my new Air, but Lion is turning out to be quite shoddy :(
Apple took, but misunderstood
'Twas a wise move, to take a tried-and-tested system as a base to build their Aqua interface on top of, even if they chose to reinvent a couple of wheels (NetInfo, anyone?) for reasons that seemed good to them. Too bad the current architects apparently have not learned from the ancestral systems' hard-won security lessons. A pity, really. Also an object lesson that you can't just take security for granted, but that it needs constant vigilance to maintain.
I'm a happy Mac user, but I really wish that Apple, with their many fucking billions in the bank, would employ one or two really good security guys and sort out these simple problems. There's no excuse for this.
We are talking about a company whose one employee whose last start with J can do presentation and convince that their product is the best. However, when is your last time that Microsoft took anyone to court just because they blatantly copied their product? They achieved over 90% of market share w/o taking anyone to court. Whether I like their product is beside the point. Apple has little competition in creating happy customer? Why do they have to take Chinese food distributor just because God knows what. When did you hear about a company, besides Apple, where an employee takes out the prototype that they are working on and leaves it in a local bar? twice? With that kind of security, they go around suing people? They are suing Samsung because their Galaxy Tab is in a shape of rectangle and has a color of black blatantly like an iPad.
And that rant is relevant to this particular issue in what way?
Why would anyone want to try to copy Windows?
Anyway, you can't sue people who copy ideas that you copied/stole anyway.
And are you saying that MS *never* sued anyone?
Yeah, sure they did it the perfect way, that's why the EU and US have had them in court many times for their trading practices.
you forgot the 'joke alert icon'
> However, when is your last time that Microsoft took anyone to court just because they blatantly copied their product?
But why would anyone want to blatantly copy Microsoft's crapware? Did anyone make blatant copies of such fine products as the Morris Marina or Amstrad em@iler?
Of course, that very nice Mr. Ballmer from the very cuddly and not at all monopolistic Microsoft has definitely never ever sued or threatened to sue Google or Motorola or Samsung or Apple or HTC or TomTom or Foxconn or Barnes & Noble or...
"Why do they have to take Chinese food distributor just because God knows what."
I find your lack of sentence construction disturbing.
but, but ,but
It is shiny, it is apple... Oh wait. It blows chunks!
Does anyone know if this flaw reaches into the bowels of i[Tunes, Phone, Appstore, etc]?
Real Business Security
But then again Apple doesn't market their computers to the corporate world so they should be safe to use on Facebook and Twitter.
Yes, they do... Maybe not to banks or the like, but they really push at creative industries, such as graphic design, journalism etc. This would be a particular problem for journos because there is a tendency to handle sensitive information, be that whistle-blowing related documents or just a scoop, prior to publication.
"It just works!"
Trouble is, "just" isn't good enough for some people.......
that is just excellent
and not only just
Admittedly it's poor but...
You'd still need physical access to the machine to break into an account like this.
If you have physical access to a Windows or Linux machine it's a trivial task to reset user and root passwords to gain access.
I tried Lion for about a week before going back to 10.6 as it was impressively poor; there must be a way to back-port drivers from 10.7 into 10.6 so that Snow Leopard can be installed on new Macs.
"If you have physical access to a Windows or Linux machine it's a trivial task to reset user and root passwords to gain access."
Err, no it isn't - for either OS. You can do it, assuming the HDD isn't encrypted, but it's not trivial.
To be honest
if I've got direct physical access to a Mac I wouldn't mess around doing this, I'd just reboot it into single-user mode and reset the root password. Since Apple actually disable root by default and get people to use "admin" or "Administrator", it's possible that it wouldn't even be noticed for a while that root was suddenly active and with the wrong password. Especially if I used root to set up a new admin account and disabled root again.
Sure it is, for Windows systems at least - it is as trivial as booting to the usb flash drive I always carry with me (and if the machine is old enough that it can't boot to USB, then there's that CD I have in my toolkit...).
Have to agree with Matthew 17
I always thought that if someone has physical or trusted network access to your computer, you're pretty much pwned. The details may vary according to OS, but pwned you are.
Windows is most certainly trivial, you can access the passwords with a simple boot disk, takes 10 seconds.
Linux I can't comment on as I've never tried.
Physical access tends to be the end of security though.
Unless like me
you have put in a BIOS password, and set the boot sequence to HDD only. It will then not boot from CD, USB or (heaven forbid) floppy (remember them?). You can still open up the PC, zero the CMOS RAM by shorting it and try again, but that is not trivial to do without drawing some attention.
I still prefer my Linux, but the missus and the kids want their windows.
Would love to hear from the downvoter why, when you have physical access to the machine, that it is not trivial to reset/remove passwords on a Windows machine...
I agree that physical access pretty much spells the end of any security and can confirm that it is trivial to reset a user password (including root) with physical access to a linux box.
Apple don't need security. They only sell things to nice people who are too polite to mess around with someone else's password.
"Our prices discriminate because we're not allowed to"
Not good, but...
Not good and I hope they fix it. But you can only change the current user (just tried it myself), so until that fix, ensure your machine is locked when you leave your desk, or jokers among your colleagues can cause a bit of troubled fun.
You can't change other users' passwords, unless anyone is so stupid as to work under an administrative account.... Which probably is a lot of users :)
It is a poorly implemented bug as well since it a) doesn't ask for the current password, and b) doesn't ask for the new password to be entered twice. So the joker in the office with bad spelling can cause some real trouble :)
just drop a book on the keyboard. new password owrfqjerlkcsm, which will be displayed as *************
Maybe the BOFH will now allow shiny NEW macbooks in the workplace. The possibilities, the possibilities
Last point I promise
Upon further testing it doesn't change all passwords; the keychain stays secure and inaccessible and requires the old password. So effectively it 'only' provides access to unsecured items on that computer.
Apple is yet to take ....
.... security lessens which Microsoft took 10 years ago.
But they have good reputation for nice designs, so nobody cares.
Apple is yet to take ....
.... security lessens which Microsoft took 10 years to complete.
There, fixed it for ya!
Apple is yet to take ....
.... security lessons which Microsoft took 10 years ago/ to complete.
There, fixed it for both of ya!
Can any user change any password, or just the user changing his own?
what's the big deal about hash?
Hell, default Ubuntu lets you cruise around other people's home directories....
Physical access not needed
Don't need physical access for changing a password here, attacker just needs to be able to run commands... and we all know how easy it is to trojan OSX.