Apple's OS X Lion Update Has Exposed Encrypted Passwords for Three Months

Face-paw

from securitywatch.com
Last Friday, a security researcher warned Mac users of a programming oversight in Mac OSX 10.7 Lion, that exposed encrypted passwords.

According to an email from David Emery, owner of DIE Consulting in Massachusetts, Apple accidentally left a debug option on in FileVault, OSX’s legacy encryption software.

As a result, the login password of a user who had logged in since the update in early February, was saved in plain text in a log file outside the encrypted area. In other words, anyone with administrator access to your computer—which could be anyone if you never log out of your account—can read the file containing the password, and log into the encrypted part of your disk.

The vulnerability affects FileVault users who upgraded from Snow Leopard (OSX 10.6) to Lion 10.7.3, but did not migrate to FileVault 2, the full-disk encryption software that came with Lion. According to Sophos, it does not appear to affect systems that started with Lion and upgraded to OSX 10.7.3.

"This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file," Emery wrote.

Emery also noted that affected users who’ve also been backing up their data with Time Machine are essentially storing their unencrypted passwords over and over again.

Lion users should immediately activate FileVault 2, which can be found in the Security & Privacy setting in System Preferences. Click the FileVault tab to enable.

And hopefully, after a unacceptable delay in patching a Java vulnerability left hundreds of thousands of OS X users infected with Flashback last month, Apple will patch this three-month-old vuln sooner rather than later.

In late April, Flashback authors tweaked the Trojan's code slightly to elude Apple's legacy anti-malware tool, XProtect. Many security researchers have criticized XProtect for offering insufficient protection, as it relies on exact fingerprints of the malware and can be bypassed with a slight change to malicious code. XProtect was originally released last May as part of Snow Leopard OS X 10.6, in response to weeks of media coverage over another enduring piece of Mac malware called MacDefender.