A security flaw in OS X 10.7.3 exposes passwords on systems with support for the pre-Lion FileVault home-directory encryption feature. This security defect, apparently produced when Apple left debugging code in the 10.7.3 update, is only triggered on Lion systems in which legacy support for the original FileVault is retained, and only when logging in with such an account.

Mac systems using whole-disk encryption with FileVault 2 (introduced in Lion) are not affected. It is also unlikely that the revealed passwords can be obtained by malicious parties, unless new malware appears that is specifically designed to hunt for the exposed logins.

First reported in February by a user registered as "tarwinator" in Apple's forums, but discounted at the time, the security error became widely reported this weekend when David Emery sent a note to the Cryptome security mailing list describing the problem.


Emery noted in his post that one way of examining the log file in which the password can be found requires an account with administrative access on a booted Mac OS X system and physical access to the system; no administrative password is required to read the log. However, because the file is outside of the encrypted home directory, restarting a system in FireWire Target Disk mode allows anyone with their hands on the computer to read the file from another Mac. A Lion system can also be rebooted into Lion Recovery mode (holding down Command-R after restart), Terminal launched (Utilities -> Terminal), and the log file then read without any password. (The file in question is in the Unix /var/log directory, and is called secure.log.)

This was clearly an error in code review, as the message in the file says "DEBUGLOG" in all caps. Developers often put in messages that are sent to a log file for such purposes, but should be stripping those out of code for review before release, and the quality assurance (QA) process companies follow in sending out updates to any software should catch debugging messages that are unintentionally left on. It's also baffling that any debugging would reveal a password at all, given the risk of the logging code being left in by accident, as occurred here.

Apple did not respond to inquiries regarding this issue.

Who's at risk

There's no simple solution for this problem that doesn't involve a bit of fiddling, even after Apple releases a patch to prevent the password from being logged as clear text. But many (perhaps most) Lion users won't be affected. If you never enabled FileVault on a computer prior to upgrading to Lion, or purchased a computer with Lion installed, you are not at risk. You're also not at risk if you didn't update Lion to 10.7.3, or if you never logged in as a user with a FileVault account with 10.7.3 installed.

The only users with the slightest exposure used FileVault in Snow Leopard or an earlier release and, when viewing the Security & Privacy preference pane after upgrading to Lion, clicked Keep Using Legacy FileVault when prompted. (A dialog reads "You're using an old version of FileVault" when you open that pane in such a circumstance.) If you clicked Turn Off Legacy FileVault, and never restarted the system in Mac OS X 10.7.3 and then logged in to a protected user account prior to that, you're fine. (Lion's FileVault 2 encrypts an entire disk, and as noted earlier, this flaw doesn't reveal its password.)

If you took this path, then the only problem you have is that the "secure.log" file that contains the debugging info from a 10.7.3 login to a protected directory could fall into the hands of a malicious party, who could then use that log to obtain your password. This could happen if someone intent on getting at your files had physical access to your machine while you were logged in, or could restart it in Lion Recovery or FireWire Target Disk mode.

Time Machine does not back up several known files, including /var/log log files, so there's no risk with Time Machine backups. But there is a risk if you create clones in which all files are backed up as an identical copy, or any backup made using third-party software that copies all files, even logs. Many third-party backup packages exclude log files, but not all.
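The two practical checks a defender wants from the passages above are whether a running system's secure.log still carries the leftover "DEBUGLOG" entries, and whether a clone or third-party backup that copied /var/log carries them too. The following shell script is an added example, not code from the original article or from Apple; the only facts it takes from the article are the /var/log/secure.log location and the all-caps DEBUGLOG marker. The helper names, the secure.log* glob for rotated copies, and the sample log lines built in make_sample_tree() are assumptions constructed for the example; the real log line format is not assumed. It reports only per-file counts, never the matching lines, so the report itself re-exposes nothing.

```shell
#!/bin/sh
# Added example (not from the original article or from Apple): audit
# secure.log-style files for leftover all-caps "DEBUGLOG" entries, either on
# the live system (/var/log) or under the mount point of a clone/backup that
# copied /var/log. Only per-file counts are printed, never the lines themselves.
# Assumptions not taken from the article: helper names, the secure.log* glob
# for rotated copies, and the constructed sample lines in make_sample_tree().

# Print the number of lines in one file that carry the DEBUGLOG marker.
# Missing or unreadable files count as 0. Always exits 0 so callers can use
# command substitution under "set -e".
count_debuglog_lines() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo 0
        return 0
    fi
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps that 0.
    n=$(grep -c 'DEBUGLOG' "$f" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print one "<count><TAB><path>" line per secure.log* file under <root>/var/log.
# <root> is "/" for the live system or the mount point of a clone/backup.
audit_secure_logs() {
    root="${1:-/}"
    logdir="${root%/}/var/log"
    for f in "$logdir"/secure.log*; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(count_debuglog_lines "$f")" "$f"
    done
    return 0
}

# Print how many secure.log* files under <root> still contain DEBUGLOG lines.
# A non-zero result means the exposure described in the article is present on
# that system or backup, and the affected account's password should be changed.
exposed_file_count() {
    audit_secure_logs "$1" | awk -F '\t' '$1 > 0 { c++ } END { print c + 0 }'
}

# Build a constructed sample tree (NOT real log content) so the script can be
# exercised offline: a "clone" whose secure.log carries DEBUGLOG lines plus a
# rotated copy without them, and a "clean" tree with no marker at all.
# Prints the temporary base directory.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/clone/var/log" "$base/clean/var/log"
    {
        echo 'constructed sample: ordinary login entry'
        echo 'constructed sample: DEBUGLOG entry left in by mistake'
        echo 'constructed sample: DEBUGLOG second entry'
    } > "$base/clone/var/log/secure.log"
    echo 'constructed sample: rotated log without marker' > "$base/clone/var/log/secure.log.0"
    echo 'constructed sample: ordinary login entry' > "$base/clean/var/log/secure.log"
    echo "$base"
}

# Usage: sh audit_secure_log.sh                  -> audit the live system
#        sh audit_secure_log.sh /Volumes/Clone   -> audit a mounted clone/backup
#        sh audit_secure_log.sh demo             -> audit the constructed sample tree
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_tree)
    for t in clone clean; do
        echo "== $sample/$t =="
        audit_secure_logs "$sample/$t"
        echo "files with DEBUGLOG lines: $(exposed_file_count "$sample/$t")"
    done
    rm -rf "$sample"
else
    audit_secure_logs "${1:-/}"
fi
```

Run it against "/" on the affected Mac itself, and against the mount point of every clone or full-copy backup you keep; any file reported with a non-zero count is a copy of the log that should be treated as containing the password, which is the point the backup passage above makes.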

Given the recent Flashback malware that affected as many as 600,000 Macs, it's not preposterous that future malicious software would attempt to scan logs for debugging passwords in order to gain administrative access to Macs as well.

How to fix the problem

The only remedial solution until Apple patches the problem is to change the password on a FileVault account after every system restart or when switching accounts to log in. A changed password isn't logged. You could also disable FileVault access through the Security & Privacy pane, which exposes you to the risk of your system being stolen and files recovered, but reduces the chance of password theft.

For single-user systems, or multi-user Macs in which no one is concerned about hacking each other's accounts, you could also turn on FileVault 2 for more effective encryption and system protection. FileVault 2 doesn't individually encrypt each user's directory so that other users on the same system would have no access (account-based permissions don't protect against administrator access), but it does prevent access to a system without a password for one or more accounts enabled for boot-time access with FileVault 2. Read our Complete guide to FileVault 2 in Lion on how to proceed.

What's troubling about this flaw isn't how many Mac users are exposed to it, but how simply sloppy it is, coming on the heels of Apple's failure to take Oracle's Java update and release its own version for Mac OS X in a timely fashion. Apple is behind the security eight-ball, a position it rarely finds itself in. It needs to step up its game.