Yeah, that one is a serious whoops. How does something like that make it out of QA? I would have imagined that Apple’s security and/or QA folks would have caught something as basic as this issue.

From The Register:

People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way in to sensitive networks.

“As pen testers, one of the first things we do is attack the LDAP server,” Rob Graham, CEO of auditing firm Errata Security, said. “Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it.”

I would hazard that would constitute a problem. Wouldn’t you?


(Image used under CC from Alex E. Proimos)