Begin forwarded message:
Subject: Bug in Mac OS X 10.7.3 exposes passwords in plain text
Date: 7 May 2012 10:54:03 PM AWST
Security researcher David Emery (via ZDNET) claimed to have discovered a bug
in Mac OS X 10.7.3 that stores login passwords in plain text. In a recent
newsletter, he claimed someone—we are guessing an Apple programmer— mistakenly
“turned on a debug switch (DEBUGLOG)” that stores the passwords in a
system-wide debug log file. Emery explained folders encrypted with Apple’s
“legacy” Filevault prior to upgrading to Lion are at risk:
…anyone who can read files accessible to group admin can discover the login
passwords of any users of legacy (pre LION) Filevault home directories who have
logged in since the upgrade to 10.7.3 in early February 2012… This is worse
than it seems, since the log in question can also be read by booting the
machine into firewire disk mode and reading it by opening the drive as a disk
or by booting the new-with-LION recovery partition and using the available
superuser shell to mount the main file system partition and read the file. This
would allow someone to break into encrypted partitions on machines they did not
have any idea of any login passwords for.
It would also allow them to access any content those usernames and passwords
are meant to protect. Fortunately, the file with stored passwords is only kept
for “several weeks” by default. However, it extends to Time Machine backups,
because the log file is also backed-up in plain text. Emery said the best
method to protect yourself until Apple fixes the issue is to simply use
FileVault 2:
One can partially protect oneself against the firewire disk and recovery
partition attacks by using Filevault 2 (whole disk encryption) which then
requires one know at least one user login password before one can access files
on the main partition of the disk… And one can provide further weaker
protection by setting a firmware password which must be supplied before one can
boot the recovery partition, external media, or enter firewire disk mode –
though there is a standard technique for turning that off known to Apple field
support (“genius bar”) persons.
We expect Apple will get around to fixing this bug quickly as it picks up more
press, but as ZDNET pointed out, the bug wasraised in the Apple Support
Communities three months ago with no replies. We will keep you updated when
Apple responds.
Related articles
Passware: Filevault can be brute force cracked during the span of a lunchbreak
(9to5mac.com)
Read more…
-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>
