News.YC community is being much kinder towards Apple than it acted towards Dropbox for identical security bugs. Dropbox even had the issue resolved in hours.

I don't see anyone threatening to switch away from Apple or demanding an immediate personal response from Steve Jobs or ranting how this lapse is unforgivable.

And you can't say it's because this bug only affects a small portion of Lion users, as the Dropbox bug also only affected 100 accounts.
Tells you something about Apple's testing methodology. QA team at Apple must be playing real fast and loose.

Being affected by 3 serious regressions in Lion (all filed as bugs, and Apple closed them as duplicates, btw) - I get the feeling that Apple could do better at software engineering. (Alarms on iOS if you are still not convinced :) Just the fact that they release software that allows authentication without the correct password means that they lack any kind of automated test case verification even for basic functionality - and this *is* basic functionality we are talking about, not some obscure thing that happens only when a dozen different factors are combined or a thing that only happens once in a billion tries.

Say what you will about Microsoft, but in my several years of using Windows I rarely had these types of glaring issues, even with the awful amount of hardware it supports. It might just be that Microsoft was forced to adopt better Engineering practices due to their situation - a lot of complexity, huge impact potential, and a lot of money at stake - 50% server market, and the Server OS shares a whole lot with the consumer version, etc.

Not trying to troll - just my thoughts on something that I have always wondered about - how Engineering culture varies between different successful software companies and to what effect.
This looks both real and a pretty serious issue (I wonder how it went by almost a month without getting picked up by the security community). There's a discussion about it on Apple's own forums, linked below, but the gist of it is that users can authenticate over LDAP using any password using the login screen, and can't authenticate at all using su:

https://discussions.apple.com/message/15887083
Can someone give a quick lowdown on what's really happening here? I am assuming the Lion client is connecting to an LDAP server using the provided password, and regardless of the response from LDAP, Lion proceeds with the login?
This is only an issue when binding to an OpenLDAP server. There may be additional issues with LDAP on Lion server, but this problem as reported is an issue with Lion clients bound to servers running OpenLDAP without Kerberos or SSL.
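To make the question above concrete: a directory client proves a password by performing an LDAP simple bind as the user's DN, and the server's bind result is the only evidence it gets. The following is an added, constructed model (not Apple's code and not the actual Lion implementation) contrasting a client that proceeds regardless of that result with one that fails closed; the stub directory, the DN and the password are made up, and the empty-password case is a general LDAP caveat (unauthenticated bind, RFC 4513 section 5.1.2) that the thread itself does not raise.

```python
"""Constructed model of LDAP simple-bind password checking (not Apple's code).

A directory client authenticates a user by attempting an LDAP simple bind as
that user's DN with the supplied password. The server's bind result is the
only evidence that the password is right; a client that proceeds with the
login regardless of that result is the bug class the thread describes.
"""


class DirectoryUnreachable(Exception):
    """Raised when the bind could not even be attempted (network, TLS, ...)."""


# Constructed in-memory "directory": DN -> password. Real clients bind to a
# server; the stub only exists so the example runs offline.
_STUB_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}


def stub_simple_bind(dn: str, password: str, server_up: bool = True) -> bool:
    """Mimic an LDAP server answering a simple bind.

    Returns True for bindSuccess and False for invalidCredentials. As RFC 4513
    section 5.1.2 permits, an empty password is treated as an *unauthenticated*
    bind and "succeeds" even for a DN that has a password set.
    """
    if not server_up:
        raise DirectoryUnreachable(dn)
    if password == "":
        return True  # unauthenticated bind: a success that proves nothing
    return _STUB_DIRECTORY.get(dn) == password


def login_fail_open(dn: str, password: str, server_up: bool = True) -> bool:
    """Broken: attempts the bind but never lets its outcome block the login."""
    try:
        stub_simple_bind(dn, password, server_up)
    except DirectoryUnreachable:
        pass  # error swallowed, login continues anyway
    return True


def login_fail_closed(dn: str, password: str, server_up: bool = True) -> bool:
    """Correct: reject empty passwords up front (they would bind anonymously),
    require an explicit bindSuccess, and deny on any error reaching the
    directory."""
    if not password:
        return False
    try:
        return stub_simple_bind(dn, password, server_up) is True
    except DirectoryUnreachable:
        return False
```

The same three checks (non-empty password, explicit success, fail closed on errors) are what to look for when reviewing any PAM, SSSD or directory-services module that authenticates by binding as the user.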
First, this is a terrible bug. Shame on Apple for not rushing a fix, but...

Enterprises should not be doing immediate upgrades to any operating system, no matter how sparkly. I'm still waiting to upgrade my MacBook, and it's just me. No OS release goes off without a hitch (though there are some pretty impressive Linux releases!).
There have long been issues with LDAP in Mac OS X. They don't use a standard version. It doesn't work with PHP's LDAP module. And there have long been security issues, too: PHP was often out of date with security vulnerabilities. So much so that our campus ended up blocking all Mac web servers.

Here are several other issues I wrote up a couple of years ago, the last time I was forced to use Mac OS X server: http://edtechdev.wordpress.com/2009/01/31/dont-use-mac-os-x-as-a-server/
Can anyone confirm or deny that this is only an issue when authenticating to an OpenLDAP server (i.e. does it also affect authentication against Active Directory)? I will check it when I get to the office and update here. This could potentially be very serious.
What alarms me is that on both of my computers with Lion, about half of the time just clicking on a name on the login screen works without entering the password. Happens on my friend's Lion install as well.
Why are they not using Kerberos and SSL though? Does this affect those users who actually do take security seriously or just the bare bones implementations that aren't safe anyways?