Free Republic
News/Activism

To: Bush2000; litany_of_lies
From a quick scan, it looks like the problem is on the client end - the DHCP client is set up to implicitly trust LDAP information it gets from the DHCP server, so you can hijack the OS by pointing it to a malicious LDAP server via DHCP. If LDAP is disabled on the client end, you should be okay, but if not, you could be in major trouble - the malicious LDAP server can replace the normally disabled root account with its own functioning root account. Major trouble.
11 posted on 11/26/2003 1:49:26 PM PST by general_re (Take away the elements in order of apparent non-importance.)


To: general_re
2003-10-09 Initial version of this advisory
2003-10-09 Apple Computer notified
2003-10-09 Apple Computer confirmed receipt and forwarded to eng. team
2003-10-11 Minor edits, also added "Philosophical Issues" and "Path to Root"
2003-10-14 Apple Computer assigns specific point of contact
2003-10-14 Requested confirmation of issue with Apple Computer
2003-10-15 Apple Computer confirms issue
(2003-10-24 Original deadline given to Apple for acknowledging issue)
(2003-10-24 Mac OS X 10.3 is released with this known issue)
(2003-10-28 Mac OS X 10.3 Security Update released, does not address issue)
2003-10-28 Requested update of fix status from Apple Computer
2003-10-28 Apple Computer proposes Nov. 3 fix date
2003-10-29 Apple Computer reneges on Nov. 3 date
2003-10-29 Requested fix in "2 or 3 weeks" from Apple Computer
(2003-11-04 Mac OS X 10.3 Security Update released, does not address issue)
(2003-11-15 Mac OS X 10.3.1 is released with this known issue)
2003-11-17 Requested update of fix status from Apple Computer
2003-11-18 Requested update of fix status from Apple Computer
(2003-11-19 Mac OS X 10.3.1 Security Update released, does not address issue)
2003-11-19 Apple Computer replies "scheduled to go out in December's update"
2003-11-19 Deadline of Nov. 26 given to Apple Computer
2003-11-25 Minor edits, made "Path to Root" a little more work for the script kiddies
2003-11-26 Advisory issued (48 days after initial vendor notification)


According to the log, it's taken Apple almost a month and a half to address this bug. Makes MS look responsive.
13 posted on 11/26/2003 1:56:24 PM PST by Bush2000

To: general_re
Just talked to tech support for Road Runner and lucked into someone who has a Mac. FWIW, he understands the nature of the problem but doesn't see it as a significant issue for RR Mac customers. Went and made the suggested settings changes anyway.
17 posted on 11/26/2003 2:05:50 PM PST by litany_of_lies
