Following the recent string of security issues around the
iPhone, Apple has been pursuing a number of strategies to thwart
vulnerabilities. When Flash was banned on the iPhone, Steve Jobs
cited security as a primary motivator: "Flash is the number one
reasons Macs crash" (iPhone
bans Flash). More recently, the company has been hiring up
infamous iPhone hackers (
Apple Hires Comex), cutting support for risky apps (
Westfield iPhone app in privacy fiasco), and broadly
discouraging customers from disabling native iPhone features. It
naturally comes as a major PR setback to find new drastic security
vulnerabilities in the firm's OS X Lion software.
OS X passwords are first encrypted, then stored in secure
locations on the drive as "shadow files". This process intends to
only allow end users to change their password (or admins in proper
authorization is first provided). Recent explorations into the OS
have unearthed a different story, the OS X Lion security structure
can be manipulated so that any user on the system can modify
passwords of other user accounts with relative ease. The root of
this appears to be a major oversight in the OS X Lion
authentication scheme (
Cracking OS X Lion Passwords).
To help protect your system, there are a few steps you should
consider taking in the short term:
Accounts: This can be done in the Users & Groups
section of System Preferences.
Log-in: Found under the "General" tab of "Security and
Enable Sleep and Screen Saver
Passwords: You should really have these on in the first
place, consider this a reminder.
For now, this should only pose a risk if a hacker has direct
access to your system and the ability to log in and access the
directory services. Properly restricting your environment as
suggested above should prevent Apple's latest security flaw from
becoming an issue for your firm. Please feel free to contact
CyberStreams if you have additional security questions.