Apple releases OS X Lion 10.7.4, fixes FileVault password bug

Summary: Apple has released OS X Lion 10.7.4. The update includes performance improvements as well as a bunch of fixes, including the FileVault bug that was recently widely covered across the Web.

Apple today released the OS X Lion v10.7.4 update, which among other things fixes the FileVault password bug. I broke the news about this security vulnerability over the weekend (see Apple security blunder exposes Lion login passwords in clear text). Here's the introduction:

An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.

Here are the details of Apple's fix:

Login Window

Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3

Impact: Remote admins and persons with physical access to the system may obtain account information

Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.

The issue was noted by an Apple user almost three months ago on the Apple Support Communities forum, but nobody got back to him. When security researcher David Emery discovered it as well and posted his findings to the Cryptome mailing list, and then I wrote my report for ZDNet, the story blew up. Apple never got back to my request for comment. Still, the important thing is that the issue has been fixed. In my conclusion, I also wrote this:

Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.

So, patching is not enough. Make sure to change your passwords as well.

The FileVault bug aside, here's the OS X 10.7.4 changelog:

  • Resolve an issue in which the "Reopen windows when logging back in" setting is always enabled.
  • Improve compatibility with certain British third-party USB keyboards.
  • Addresses permission issues that may be caused if you use the Get Info inspector function "Apply to enclosed items…" on your home directory. For more information, see TS4040.
  • Improve Internet sharing of PPPoE connections.
  • Improve using a proxy auto-configuration (PAC) file.
  • Address an issue that may prevent files from being saved to an SMB server.
  • Improve printing to an SMB print queue.
  • Improve performance when connecting to a WebDAV server.
  • Enable automatic login for NIS accounts.
  • Include RAW image compatibility for additional digital cameras.
  • Improve the reliability of binding and logging into Active Directory accounts.
  • The OS X Lion v10.7.4 Update includes Safari 5.1.6, which contains stability improvements.

You can read more here: About the OS X Lion v10.7.4 Update and About the security content of OS X Lion v10.7.4 and Security Update 2012-002.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

13 comments
  • What is wrong with this picture?

    Besides the fact Apple is treating us like red-headed stepchildren.......

    It would be nice FOR A CHANGE to get some actual real communication from Apple.
    rhonin
    • Well

      You are actually meant to read the release notes for fixes, and this is pretty clear in this case. You're not hoping for an email or something are you?

      However, I do think Apple should communicate better with people discovering a problem, and should fix them with a little more urgency (or even, some urgency).

      But I'm not sure that more lines of communication after the patch is really the problem.
      jeremychappell
  • Good job patching this Apple

    It only took 3 months to patch the patch that patched the patch that Apple built.

    Now I just have to wonder what Apple broke in this patch. I guess we'll find out when Apple charges us $30 for Mountain Lion.
    toddbottom3
    • I'm afraid

      I'm afraid I don't think there was actually that much broken - it's actually worse than that. Apple are taking rather too long to fix even trivially simple things (though it does seem to follow that complex things take longer). It does seem that fixes aren't high enough on the agenda.
      jeremychappell
      • Fixes...

        don't swell their bank account like all the new iToys they can sell. Their priorities are quite obvious.
        kstap
      • @kris_stapley

        Heaven forbid a corporation to make money for products they sell.
        Axsimulate
      • @kris_stapley

        Heaven forbid a company is mindful of ETHICS when deciding HOW to profit at the expense of another, or if they should... put yourself in their place and vice-versa but I will agree that is too difficult for Americans to do these days...
        HypnoToad72
    • Go play in traffic...

      please.
      gribittmep
  • Apple critic voices +1

    I think if the issue had not been widely covered across these websites as it was, this update would not be ready for today.

    Thanks to all critical voices on this and other sites for putting pressure on Apple. Let's keep letting them know we are not happy.

    Downloading it right now...
    CMOtopics
    • Yes

      While I'd like to take issue, I really can't. Apple are becoming too slow to apply fixes. I think some of the coverage is rather hysterical, but there is a real problem here with the timeliness of Apple's response to problems.

      I don't want much more "communication" (I can read the notes that come with the updates, thanks very much) but I do want the updates to happen much more quickly after a problem is discovered. I'd really like "push notifications" and "automatic updates" (as an option). I'm not sure I want an Apple version of "Patch Tuesday" though.
      jeremychappell
  • Good job Apple

    Especially the Safari 5.1.7 update!

    Finally, someone to make sure you don't run vulnerable Flash plugin and risk getting infected.
    danbi
    • Huh?

      "risk getting infected"? Huh? Infected with what? Tell me what virus or malware out there is using Flash?
      Gisabun
  • Errrr....

    The FileVault issue wasn't really a bug. More like some idiot programmer forgetting to turn off something before the previous update was released.
    Gisabun