news An Australian security expert respected for his work testing the defences of Apple software has published a method which appears to allow an attacker to break through the password defences of Cupertino’s latest Max OS X Lion operating system.
According to his LinkedIn profile, Patrick Dunstan is currently an information security specialist at the University of Adelaide, although he also works as a guest lecturer at the University of South Australia. Dunstan had previously attracted attention in late 2009 with a blog post explaining how a user who had already gained access to a Mac OS X system could extract a user’s password on that system.
In a new blog post this week — first reported by Secure Computing Magazine last week — Dunstan published an update to his technique. However, this time around he discovered a startling new fact with respect to Lion’s security protection — according to the researcher it leaves a crucial step out which could allow remote access to user passwords on the system.
In previous versions of Mac OS X, in order to access a users’ password, an attacker would need to break into what is referred to in Unix-based operating systems (such as Mac OS X) as a ‘shadow’ file — a file which stores critical data but can only be accessed by users with a high privilege — such as root access.
“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”
This means, according to the researcher, that it might be possible for an attacker to crack a users’ Lion password by attacking their system through a Java app hosted online. The attack vector would still require the owner of the computer running Mac OS X to allow the Java app to run — but it is possible.
Dunstan noted that due, no doubt, to Lion’s relatively short time being available for use, he could not find any major cracking software supporting the ability to crack encrypted passwords in the operating system — but he has published a simple script which allows users to do so. It is not yet clear whether Apple is aware of the issue, but a temporary workaround allows users to secure their system through setting different permissions on a certain file.
The news comes as Mac OS X continues to be subject to fewer security attacks than Microsoft Windows. Security researchers have stated in the past that there could be a number of reasons for the appearance of heightened security on the Apple platform, ranging from its Unix basis, which allows a high degree of fine-grained permissions to be used on files and applications, to the relative dominance of Windows in the desktop PC market.
However, researchers have also speculated that attacks on Mac OS X could increase in future, along with the platform’s growing popularity and use on mobile devices such as iPhone and iPads.
As this attack would likely require a user to allow an application to run on their system before it could succeed, I would regard it as less dangerous than many other security headaches out there, which would require no support from a user. However, what Dunstan’s blog post demonstrates is that Mac OS X is not inherently safe from security problems. They do exist on the Mac; and I’m sure we’ll see more of them as time goes on; especially aimed at devices such as iPads.
Image credit: Apple