Apple has taken a bit of a beating in terms of security so far this year, with the recent Flashback trojan and other threats still fresh in the minds of many. It’s worth noting that so far these issues haven’t been Apple’s fault. Unfortunately, the same cannot be said of a new security bug recently pointed out by security researcher David Emery.
An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
The issue applies to users who applied Apple’s FileVault protection to their device before upgrading to Lion, and are therefore still using the older version of FileVault. To make matters worse, the login passwords can also be extracted from Time Machine backups, by booting the machine into Target Disk Mode, or through OS X Lion’s recovery partition.
It’s a pretty significant threat, as it potentially allows anyone to break into protected accounts and view any files they want without knowing the username and password, putting users’ sensitive information at risk.
The good news, however, is that the security hole requires direct access to the machine or its backups, applies only to a small number of users, and can easily be fixed by using the latest version of FileVault.
Fortunately, the file that contains the plain text passwords is only kept for a few weeks, although those who use Time Machine backups would remain at risk. The best way for users to protect themselves until the issue is fixed is simply to switch to FileVault 2 in OS X Lion.
Apple is likely to release a fix for the issue in the near future, given that so much attention has now been called to the matter, although the bug was raised in the Apple Support Communities three months ago with no replies.
We’ll keep you updated as soon as we hear anything new about the issue.