Mac OS X Lion password flaws let hackers lock you out


Two serious security flaws exist in Apple's recently released Mac OS X 10.7 Lion, the worse of which allows an attacker to change a user's administrative password without first knowing the target's original password.


Reported on the security blog Defence in Depth, the bugs enable non-administrative users of a computer running Lion — including users who've been given remote access — to change the victim's password without first verifying that they are, in fact, the legitimate owner of the computer.

In previous versions of Mac OS X, such as Snow Leopard, the only way to change the administrative password was to first enter the current one. That's no longer necessary. The security slip-up could have serious consequences, as it would effectively give an attacker privileged, unauthorized access to another person's computer — and freeze out the real owner.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Defence in Depth's Patrick Dunstan wrote.

Another Lion flaw discovered by Dunstan enables a skilled hacker to view the computer's password hash data by extracting it from the Directory Services file.

(Password hashes are the results of running passwords through encryption algorithms. Those algorithms are supposedly unbreakable, but in truth, automated password-cracking software can run through the millions of possible results from a fixed algorithm to "brute force" the passwords back into plain text.)

It's important to note that these password attacks don't yet allow a victim's computer to be exploited by far-off strangers; the hacker must have either physical access to the target system, or have been granted remote limited-user access to it.

But in the seconds it would take to perform these password takeovers, Defence in Depth says a physical attacker could also visit a Web page rigged with malicious code that would then connect a remote attacker to the compromised machine. From there, the possibilities for exploitation are endless.

To stay safe, make sure you use a very strong password, and never leave your Mac unattended and logged in anywhere with public Wi-Fi, where the person sipping a latte next to you might be waiting to pounce.
