Mac users are still reeling from the Flashback, the nasty OS X malware which illustrated painfully that even Apple users are vulnerable to attack. Now it seems that Apple is following that up with the embarrassing revelation that the latest update, Mac OS 10.7.3, exposes passwords for certain users. The scenario where this information is exposed is very specific, but it is nonetheless disquieting.
The issue seems to affect users who had files encrypted with Apple’s built-in Filevault system prior to installing Max OS 10.7, or Lion, and continued to use the older version of Filevault. Filevault 2 users, and users who migrated their files into Filevault 2, appear to be unaffected.
For these unhappy users, upgrading to OS 10.7.3 creates a debug log file stored in a non-encrypted portion of the computer. Within this file are the passwords for every user on the system since the update was installed. So if you were using FileVault as described above and then downloaded the update last week, there is one week of login information. For users that downloaded the update when it was released several months ago, there are several months worth of login information.
This security issue poses the biggest risk for anyone storing valuable information in Filevault, and especially computers with multiple users. The most direct way for an intruder to obtain the log file with the passwords would require them to have physical access to the computer, and boot the Mac as a FireWire drive. To make matters worse, the log file has likely been copied — perhaps numerous times — in every backup of the Mac since the update was applied.
According to David Emery on the Cryptome mailing list, which spread news of the vulnerability this past weekend, there are a few precautions that users can take:
One can partially protect oneself against the firewire disk and recovery partition attacks by using Filevault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk.
And one can provide further weaker protection by setting a firmware password which must be supplied before one can boot the recovery partition, external media, or enter firewire disk mode – though there is a standard technique for turning that off known to Apple field support (“genius bar”) persons.
Startlingly, ZDNet reports that this was not a mere oversight, but a debugging tool left active by Apple when the update was pushed to users. That means that someone, somewhere deep within Cupertino, is in a lot of trouble.
- Flashback, the nasty Mac trojan that had hundreds of thousands of infected computers
- Employers, colleges, want you Facebook passwords