Apple today released the OS X Lion v10.7.4 update, which among other things fixes the FileVault password bug. I broke the news about this security vulnerability over the weekend (see Apple security blunder exposes Lion login passwords in clear text). Here's the introduction:
An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
Here are the details of Apple's fix:
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system may obtain account information
Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.
The issue was noted by an Apple user almost three months ago on the Apple Support Communities forum, but nobody got back to him. When security researcher David Emery discovered it as well and posted his findings to the Cryptome mailing list, and then I wrote my report for ZDNet, the story blew up. Apple never got back to my request for comment. Still, the important thing is that the issue has been fixed. In my conclusion, I also wrote this:
Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.
So, patching is not enough. Make sure to change your passwords as well.
The FileVault bug aside, here's the OS X 10.7.4 changelog:
- Resolve an issue in which the "Reopen windows when logging back in" setting is always enabled.
- Improve compatibility with certain British third-party USB keyboards.
- Addresses permission issues that may be caused if you use the Get Info inspector function "Apply to enclosed items…" on your home directory. For more information, see TS4040.
- Improve Internet sharing of PPPoE connections.
- Improve using a proxy auto-configuration (PAC) file.
- Address an issue that may prevent files from being saved to an SMB server.
- Improve printing to an SMB print queue.
- Improve performance when connecting to a WebDAV server.
- Enable automatic login for NIS accounts.
- Include RAW image compatibility for additional digital cameras.
- Improve the reliability of binding and logging into Active Directory accounts.
- The OS X Lion v10.7.4 Update includes Safari 5.1.6, which contains stability improvements.
You can read more here: About the OS X Lion v10.7.4 Update and About the security content of OS X Lion v10.7.4 and Security Update 2012-002.
- What Microsoft can teach Apple about security response
- Microsoft: Macs 'not safe from malware, attacks will increase'
- Osama bin Laden didn't use encryption: 17 documents released
- Cross-platform malware exploits Java to attack PCs and Macs
- Syria pushing malware via Skype to spy on activists
- 3 million bank accounts hacked in Iran