List: isn
Subject: [ISN] Mac Lion blindly accepts any LDAP password
From: InfoSec News <alerts () infosecnews ! org>
Date: 2011-08-29 9:26:52
Message-ID: alpine.DEB.2.02.1108290426410.25488 () infosecnews ! org

http://www.theregister.co.uk/2011/08/26/mac_osx_lion_security_hole/

By Dan Goodin in San Francisco
The Register
26th August 2011

Apple's latest version of Mac OS X is creating serious security risks
for businesses that use it to interact with a popular form of
centralized networks.

People logging in to Macs running OS X 10.7, aka Lion, can access
restricted resources using any password they want when the machines use
a popular technology known as LDAP for authentication. Short for
Lightweight Directory Access Protocol, LDAP servers frequently contain
repositories of highly sensitive enterprise data, making them a goldmine
to attackers trying to burrow their way in to sensitive networks.

"As pen testers, one of the first things we do is attack the LDAP
server," Rob Graham, CEO of auditing firm Errata Security, said. "Once
we own an LDAP server we own everything. I can walk up to any laptop (in
an organization) and log into it."

The LDAP breakdowns in Lion aren't well understood because Apple still
hasn't admitted there's any problem. But according to threads here and
here, it affects Macs running Lion that use LDAP to authenticate users
to different desktop machines. After the initial login, Lion users can
log in with any password. Apple's latest operating system, which was
released last month, blindly accepts whatever pass code it's given.

[...]