After Apple released Mac OS X Lion, users discovered a number of security flaws in the company's latest operating system and its associated components. Some of these flaws posed serious risks to corporate networks, and many experts recommended that enterprises not use Lion at all. Apple has since released two updates that address these Lion security flaws, so the time might be right to consider upgrading Apple computers to Lion.
Mac OS X Lion security concerns
One of the most talked-about Lion security vulnerabilities was related to the Lightweight Directory Access Protocol (LDAP), which directory services such as Microsoft's Active Directory use to authenticate users to various network resources. LDAP services are instrumental in protecting sensitive data and ensuring that only approved users have access to that data.
Once authenticated by the LDAP services, users can participate in the network to the extent they've been granted access privileges. Users who logged on to computers running the new Mac OS, however, didn't need to be granted explicit permissions. Once they signed on to their Macs, they could enter any password they wanted and still access secure resources.
Lion also made it possible for anyone to change the password of a system's current user without providing the user's original password. Any unattended Lion computer could be an open target for malicious users. In addition, users granted remote access to the computer could also change the current user's password, so primary users could be locked out of their own machines without ever knowing what hit them.
Lion also made it possible for any user to access the password hashes of other users on that system, regardless of the privileges granted to the first user. With a brute-force cracker -- software that deciphers passwords -- the unscrupulous user could acquire the passwords of users with more extensive privileges in order to access sensitive resources on the network.
And if those Mac OS X Lion security flaws weren't enough, Lion had numerous others that put the enterprise at risk, including the following:
- Apache vulnerabilities that could lead to denial-of-service attacks
- Unencrypted CardDAV data (in Address Book) susceptible to interception
- The ability for remote attackers to access new Time Machine backups
- Sensitive data at greater risk of exposure from malicious websites
- Vulnerabilities in PHP, X11, WebDAV and QuickTime that could lead to arbitrary remote code execution
These flaws would give any enterprise pause before implementing Lion.
Getting the fix on Mac OS X Lion security flaws
Die-hard Mac fans were no doubt disconcerted by the number of vulnerabilities discovered in Lion. And for each one of them, there was probably a Windows veteran wearing a smug smile. Fortunately, Apple has addressed the major Lion security concerns with two major updates: 10.7.2 and 10.7.3. (Update 10.7.1 was concerned primarily with stability and compatibility problems.)
In Update 10.7.2, Apple provided 25 security fixes, including two that addressed flaws in Open Directory, Mac's native directory service. The vulnerabilities that were fixed allowed an unauthorized user to read another user's password data and change that password without providing the original one. The fixes also addressed the LDAP-related issue in which an unauthorized user could provide any password to access restricted resources. In addition, the 10.7.2 update resolved problems related to Apache, WebDAV, PHP, QuickTime, Python and several kernel-level processes.
The 10.7.3 update, released this past February, was even more extensive than the second one, providing 35 fixes related to Lion security. Many of the fixes addressed problems associated with OpenGL, PHP, WebDAV, QuickTime and X11, in which remote attackers could execute arbitrary code against a Lion computer. In addition, the 10.7.3 update addressed issues related to Address Book, Apache, Time Machine, Webmail and a number of other components.
Many of the concerns that an enterprise might have had about implementing Lion appear to have been addressed by Apple's updates. That's not to say the operating system is without any vulnerabilities, but if more Mac OS X Lion security flaws exist, they have yet to be discovered. Besides, what OS is ever fully secure? For example, Windows 7 is known to have vulnerabilities related to the Ancillary Function Driver, Windows Packager, DirectX, Windows Media Player and several kernel-level components.
So, Lion is looking pretty good right now, especially compared to what it looked like when it was first released. Always make sure that any computers running the Lion OS are configured with the most current updates.
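One way to act on that advice across a fleet is to compare each Mac's reported version against the 10.7.2 and 10.7.3 updates described above. The script below is an added example, not part of the original article; the status labels, hostnames and inventory are constructed for illustration.

```shell
#!/bin/sh
# Classify a Mac OS X product version string (the value printed by
# `sw_vers -productVersion`) against the two Lion security updates
# the article describes: 10.7.2 and 10.7.3.
lion_patch_status() {
    ver=$1
    case $ver in
        10.7|10.7.*) ;;                  # Lion; the original release reports plain "10.7"
        *) echo "not-lion"; return 0 ;;
    esac
    patch=${ver#10.7}                    # "", ".2", ".3", ...
    patch=${patch#.}
    patch=${patch%%.*}                   # ignore anything after the patch number
    case $patch in
        '') patch=0 ;;
        *[!0-9]*) echo "unparseable"; return 0 ;;
    esac
    # Numeric comparison, so a value such as 10 sorts after 3.
    if [ "$patch" -lt 2 ]; then
        echo "missing-10.7.2-and-10.7.3"
    elif [ "$patch" -lt 3 ]; then
        echo "missing-10.7.3"
    else
        echo "has-10.7.3-fixes"
    fi
}

# Read "hostname version" lines on stdin and print only the hosts that
# still lack one of the updates (or whose version cannot be parsed).
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(lion_patch_status "$ver")
        case $status in
            missing-*|unparseable) printf '%s %s %s\n' "$host" "$ver" "$status" ;;
        esac
    done
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
    cat <<'EOF'
mac-design-01 10.7
mac-design-02 10.7.2
mac-finance-01 10.7.3
mac-lab-01 10.6.8
EOF
}

sample_inventory | audit_inventory
```

On a single Mac, the same check is `lion_patch_status "$(sw_vers -productVersion)"`.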
ABOUT THE AUTHOR:
R.H. Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation.
This was first published in April 2012