The System Preferences application is one example of Apple’s problematic closed-source security
components. In a default OS X installation, any user in the admin group can do pretty
much anything without further authentication. He or she can start and stop services, change user
interface settings and create new user accounts. While this does not look like a major problem so
far, the same ability can also be used to create users and add them to the admin group without
authentication. With this, an attacker can get root within five seconds. This is something the
author discovered together with Jan Manuel Tosses. The author reported this to Apple together
with a simple exploit [4] written in AppleScript in October. As it is AppleScript wrapped in
shell, the exploit even works remotely via ssh, and as a normal user who is not even in the
admin group, as long as a user of the admin group is logged in. So far, Apple has not fixed the
issue.
A fix would be to enable the "Require password to unlock each secure system preference"
radio button in the Security pane of the System Preferences.
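A defensive check for the situation described above, as an added example that is not code from the original text or from Apple: it flags admin-group members outside an approved baseline and reports whether secure preferences still unlock without a password. The baseline list and both sample inputs are constructed, and the script assumes the Security pane option is stored as the `shared` key of the `system.preferences` authorization right (`false` when the option is enabled).

```shell
#!/bin/sh
# Added example: audit for unexpected admin accounts and an unlocked
# System Preferences. BASELINE is a hypothetical, site-specific list.
BASELINE="root alice"

# Constructed sample of: dscl . -read /Groups/admin GroupMembership
SAMPLE_GROUP="GroupMembership: root alice helper1"

# Constructed fragment of: security authorizationdb read system.preferences
SAMPLE_RIGHT='<key>shared</key>
<true/>'

# Print admin-group members that are not in the approved baseline.
unexpected_admins() {   # $1 = dscl output, $2 = space-separated baseline
    for member in ${1#GroupMembership:}; do
        case " $2 " in
            *" $member "*) ;;                # approved account
            *) printf '%s\n' "$member" ;;    # not in baseline: investigate
        esac
    done
}

# Succeed only if the right is not shared (assumption: shared=false means
# each secure preference pane requires its own password unlock).
prefs_locked() {        # $1 = plist text of the system.preferences right
    printf '%s\n' "$1" |
        awk '/<key>shared<\/key>/ { getline; print }' |
        grep -q '<false/>'
}

# Run both checks; return non-zero if either one raises a warning.
audit() {               # $1 = dscl output, $2 = baseline, $3 = plist text
    status=0
    extra=$(unexpected_admins "$1" "$2")
    if [ -n "$extra" ]; then
        echo "WARN: admin accounts outside baseline:" $extra
        status=1
    fi
    if ! prefs_locked "$3"; then
        echo "WARN: secure system preferences unlock without a password"
        status=1
    fi
    return $status
}

# Demo on the constructed samples; on a live system pass the real command output.
audit "$SAMPLE_GROUP" "$BASELINE" "$SAMPLE_RIGHT" || true
```

On a live system, pass the output of the two commands named in the comments instead of the samples and run the audit periodically, since an account added to the admin group only shows up as a difference from the baseline.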