Yeah, that one is a serious whoops. How does something like that make it out of QA? I would have imagined that Apple’s security and/or QA folks would have caught something as basic as this issue.
From The Register:
People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way in to sensitive networks.
“As pen testers, one of the first things we do is attack the LDAP server,” Rob Graham, CEO of auditing firm Errata Security, said. “Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it.”
I would hazard that would constitute a problem. Wouldn’t you?
(Image used under CC from Alex E. Proimos)