Sunday, 18 September 2011

OS X Lion disappoints again - it's just like having no password at all

    OS X from Apple has not seen a great deal of interest during development (if any), and Apple reported one million downloads on launch day, so you can expect that number was rounded. For a $30 OS this is certainly a disappointment.
Not only has one of the sites endorsed by Apple, Gizmodo, called it a failure, but the cuts in manufacturing quality at Foxconn and the security holes certainly haven't brought it more popularity:
     Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. Hackers could easily take advantage of the known bug if they have local access to the computer and Directory Service access. Disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts are as efficient at keeping your Mac secure as duct-taping the lid. We recommend upgrading to a Linux-based OS or Windows.