OS X Lion Has Major Vulnerability That Leaves Our Macs At Risk



Still enjoying Apple’s latest operating system on your Mac? With over 250 new features for $29.99, most of us couldn’t be happier with the upgrade… until we find out that our Macs are now at risk from a major vulnerability in OS X Lion.

The issue should be a concern to anyone who uses OS X Lion, but it’ll be most worrying to the enterprise environment, according to security firm Errata Security. The vulnerability is related to Lightweight Directory Access Protocol (LDAP), and allows a person to use any password to get past Lion’s initial login process.

Rob Graham, CEO of Errata Security, told MacNN:

“Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it.”

The issue was apparently discovered well before OS X 10.7.1 was released, but is still present in the latest release, which raises the question of why it wasn’t patched before the first Lion update went public. It’s unclear whether the issue has been fixed in 10.7.2, which Apple is already developing and has released to developers as a beta, but we’re guessing that now it has been made famous, Apple will promptly do something about it.

So what do we do in the meantime? Well, according to MacNN, steer clear of Lion:

In the meantime, some security experts and enterprise IT staff are advising against using Lion Macs, at least in large numbers. The problem is said to be restricted to Macs upgraded to Lion, though, and protocols that compete with LDAP appear to be safe.

  • Ed Schmenkman

    You read the MacNN article differently than I did. I think this is the most important line: “If a machine is using LDAP to authenticate access to other resources, a person can use any password for logins as long as they get past Lion’s initial login process.”

    I understand that to mean you must be using LDAP to authenticate to other resources, AND the hacker has to get past the initial login to exploit the security hole. So this shouldn’t be an issue if you aren’t using LDAP. And if a hacker was able to get past the initial login, you probably have other security issues.

  • Bob

    This article is stupid!!! I don’t care how secure any computer is, if someone takes over your LDAP servers and your computer authenticates to that LDAP server, nothing will stop that person from accessing your system.

  • CharliK

    Wait a second. Did I read that right? He said “I can walk up to any laptop (and presumably desktop) in an organization.”

    Not “I can go online and connect and get right in” but “I have to get into your office and be physically on your computer to do anything.”

    This is like that guy saying he could make the batteries in your laptop blow up, if he could get his hands on your laptop and figure out your login password, etc.

    So basically this is likely not an issue at all, since few places let any schmo off the street in so he can play on their stuff.

  • Ed_Kel

    Why is this a big deal? Enterprise Macs are most likely set up as workstations anyways...

    Excuse me while I go log into my coworker’s computer…

  • Mike Glicksman

    What does this have to do with iOS?

    Or more importantly, the average personal Mac user?

  • Cold_dead_fingers

    I’m not worried because I’m a one person business :D

  • UNOwenNYC

    The article’s about OS X LION.

    So, why does the FIRST LINE OF THE 2nd PARAGRAPH say: ‘…this issue should concern anyone who uses iOS…’

    Nowhere else is iOS mentioned, so what’s that, a ‘gaffe’?

  • KillianBell

    My apologies — iOS was an error which has now been rectified. Thanks for your comment.

  • Alfred Kee

    Who uses just LDAP for authentication? Don’t most implementations use Kerberos authentication and LDAP just for directory services? Most LDAP is open. You get a list of machine names, usernames, phone numbers and addresses… I wish there would be more “journalism” nowadays. Even the source articles don’t really explain how 1) this issue results in one “owning” the LDAP server and 2) how owning the LDAP server allows you to log into any computer.