An Apple programmer, apparently by accident, left a debug flag enabled in what was then the most recent version of Mac OS X. In specific configurations, applying the OS X Lion 10.7.3 update turns on a system-wide debug log (written to /var/log/secure.log) that records the login password of every user who has logged in since the update was applied. The passwords are stored in clear text.
Anyone who enabled FileVault on their Mac before Lion, upgraded to Lion, and kept their home directory encrypted with the legacy (pre-Lion) version of FileVault is affected; Apple's advisory below adds users with networked home directories. FileVault 2, Lion's whole-disk encryption, is unaffected.
Here are the details of Apple's fix:
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system may obtain account information
Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.
The issue was noted by an Apple user almost three months ago on the Apple Support Communities forum, but nobody got back to him. When security researcher David Emery discovered it as well and posted his findings to the Cryptome mailing list, and I then wrote my report for ZDNet, the story blew up. Apple never responded to my request for comment. Still, the important thing is that the issue has been fixed. In my conclusion, I also wrote this:
Apple needs to fix this issue as soon as possible. Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.
So, patching is not enough. Change your password as well, and follow the steps in Apple's TS4272 article to remove the leftover log entries, including any copies of the log that ended up in backups.
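Before scrubbing, an administrator will want to know whether a given copy of the log (including rotated and backed-up copies) actually carries leaked entries, and for which users, without printing the passwords again. The following POSIX shell script is an added example, not code from the article or from Apple's advisory. It assumes the leaked lines carry the token DEBUGLOG and a "password=" field; that is an assumption about the log format, so adjust PATTERN to what your own secure.log shows. The sample log it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or Apple's advisory). Read-only scan of a
# secure.log and its rotated copies for the plaintext-password lines written by
# OS X 10.7.3. ASSUMPTION: affected lines contain "DEBUGLOG" and "password=".
PATTERN='DEBUGLOG.*password='

# Emit a log file's contents, decompressing rotated copies on the fly.
cat_log() {
    case "$1" in
        *.bz2) bzip2 -dc "$1" ;;
        *.gz)  gzip -dc "$1" ;;
        *)     cat "$1" ;;
    esac
}

# count_leaked FILE... : total number of password-bearing lines across files.
# Missing files are skipped so a glob like /var/log/secure.log.* is safe.
count_leaked() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e happy.
        n=$(cat_log "$f" | grep -c "$PATTERN" || true)
        total=$((total + n))
    done
    echo "$total"
}

# redacted_report FILE... : the matching lines with the password value blanked,
# so you can see which users and dates are affected without re-exposing them.
redacted_report() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        cat_log "$f" | grep "$PATTERN" | sed 's/password=[^ ]*/password=[REDACTED]/'
    done
}

# Stand-alone demo on a constructed sample log (not real data). On a live
# system you would run: sudo sh scan.sh /var/log/secure.log /var/log/secure.log.*
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
May  4 09:12:01 mac authorizationhost[412]: DEBUGLOG | HomeDirMounter | mounting legacy FileVault home for alice, password=hunter2
May  4 09:12:05 mac loginwindow[99]: Login Window Application Started
May  4 10:40:17 mac authorizationhost[577]: DEBUGLOG | HomeDirMounter | mounting legacy FileVault home for bob, password=correct-horse
EOF
count_leaked "$SAMPLE"      # prints 2
redacted_report "$SAMPLE"   # two lines, each ending in password=[REDACTED]
rm -f "$SAMPLE"
```

A non-zero count on any copy of the log, backups included, means the affected users' passwords should be treated as compromised and changed, whether or not the update has already been applied; the redacted report tells you whose.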
The FileVault bug aside, here's the OS X 10.7.4 changelog:
You can read more here: About the OS X Lion v10.7.4 Update and About the security content of OS X Lion v10.7.4 and Security Update 2012-002.