Latest Apple Security Update Exposes User Passwords
The issue seems to affect users who had files encrypted with Apple’s built-in FileVault system prior to installing Mac OS X 10.7, or Lion, and continued to use the older version of FileVault. FileVault 2 users, and users who migrated their files into FileVault 2, appear to be unaffected.
For these unhappy users, upgrading to OS X 10.7.3 creates a debug log file stored in a non-encrypted portion of the computer. Within this file are the passwords for every user on the system since the update was installed. So if you were using FileVault as described above and then downloaded the update last week, there is one week’s worth of login information. For users who downloaded the update when it was released several months ago, there are several months’ worth of login information.
This security issue poses the biggest risk for anyone storing valuable information in Filevault, and especially computers with multiple users. The most direct way for an intruder to obtain the log file with the passwords would require them to have physical access to the computer, and boot the Mac as a FireWire drive. To make matters worse, the log file has likely been copied — perhaps numerous times — in every backup of the Mac since the update was applied.
According to David Emery on the Cryptome mailing list, which spread news of the vulnerability this past weekend, there are a few precautions that users can take:
One can partially protect oneself against the firewire disk and recovery partition attacks by using Filevault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk.
And one can provide further weaker protection by setting a firmware password which must be supplied before one can boot the recovery partition, external media, or enter firewire disk mode – though there is a standard technique for turning that off known to Apple field support (“genius bar”) persons.
Startlingly, ZDNet reports that this was not a mere oversight, but a debugging tool left active by Apple when the update was pushed to users. That means that someone, somewhere deep within Cupertino, is in a lot of trouble.