Researchers at Errata Security have pointed out a new security vulnerability in OS X Lion that could allow certain users to access restricted network resources without requiring a password.
The vulnerability is related to LDAP, a protocol that email and other programs use to look up information from a server. With this vulnerability, any machine using LDAP to access other resources could use any password at all to log in, as long as they can successfully log in to Lion.
The issue is especially dangerous for enterprise environments, as the vulnerability makes it extremely simple for a user to access potentially sensitive resources that they aren’t authorized to access.
The hole apparently existed before Apple released the 10.7.1 patch for Lion, which raises significant concerns as to why it wasn’t patched at that time. It’s expected that Apple will patch this security hole in OS X Lion 10.7.2.