OS X Lion Security Issues

Following the recent string of security issues around the iPhone, Apple has been pursuing a number of strategies to thwart vulnerabilities. When Flash was banned on the iPhone, Steve Jobs cited security as a primary motivator: "Flash is the number one reason Macs crash" (iPhone bans Flash). More recently, the company has been hiring infamous iPhone hackers (Apple Hires Comex), cutting support for risky apps (Westfield iPhone app in privacy fiasco), and broadly discouraging customers from disabling native iPhone features. It naturally comes as a major PR setback to find drastic new security vulnerabilities in the firm's OS X Lion software.

OS X passwords are first encrypted, then stored in secure locations on the drive as "shadow files". This process is intended to allow only end users to change their own password (or admins, if proper authorization is first provided). Recent explorations into the OS have unearthed a different story: the OS X Lion security structure can be manipulated so that any user on the system can modify the passwords of other user accounts with relative ease. The root of this appears to be a major oversight in the OS X Lion authentication scheme (Cracking OS X Lion Passwords).

To help protect your system, there are a few steps you should consider taking in the short term:

Disable Guest Accounts: This can be done in the Users & Groups section of System Preferences.

Disable Automatic Log-in: Found under the "General" tab of "Security and Privacy" controls.

Enable Sleep and Screen Saver Passwords: You should really have these on in the first place; consider this a reminder.
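
To confirm the three settings above from Terminal instead of clicking through System Preferences, the script below reads each one and reports PASS or FAIL. It is an added example, not part of the original post, and it assumes that the loginwindow keys GuestEnabled and autoLoginUser and the per-user screensaver key askForPassword are where Lion stores these options.

```shell
#!/bin/sh
# Added example: audits the three settings from the checklist above.
# Assumption: the preference domains and keys below are the ones Lion-era
# OS X uses for these options; they do not appear on the original page.
LOGINWINDOW=/Library/Preferences/com.apple.loginwindow

# Print a preference value, or "unset" when the key cannot be read.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# Guest account: GuestEnabled must be explicitly 0; anything else is
# reported as UNKNOWN so a missing key is checked by hand.
check_guest() {
    case "$1" in
        0) echo PASS ;;
        1) echo FAIL ;;
        *) echo UNKNOWN ;;
    esac
}

# Automatic log-in: any autoLoginUser value means a user is logged in at boot.
check_autologin() {
    if [ "$1" = unset ]; then echo PASS; else echo FAIL; fi
}

# Sleep/screen saver password: askForPassword must be 1 (current user only).
check_screenlock() {
    if [ "$1" = 1 ]; then echo PASS; else echo FAIL; fi
}

# audit GUEST AUTOLOGIN ASKPW: print one result line per setting.
audit() {
    echo "guest-account-disabled: $(check_guest "$1")"
    echo "automatic-login-disabled: $(check_autologin "$2")"
    echo "screen-lock-password: $(check_screenlock "$3")"
}

# Read the live system only where the defaults tool exists (OS X).
if command -v defaults >/dev/null 2>&1; then
    audit "$(read_pref "$LOGINWINDOW" GuestEnabled)" \
          "$(read_pref "$LOGINWINDOW" autoLoginUser)" \
          "$(read_pref com.apple.screensaver askForPassword)"
else
    echo "defaults not found; sample run with constructed values:"
    audit 1 alice 0
fi
```

Run it once per user account, since the screen saver password setting is stored per user.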

For now, this should only pose a risk if a hacker has direct access to your system and the ability to log in and access the directory services. Properly restricting your environment as suggested above should prevent Apple's latest security flaw from becoming an issue for your firm. Please feel free to contact CyberStreams if you have additional security questions.

