A careless mistake by an Apple programmer is causing login passwords to be written, in clear text, to a system-wide debug log file. In specific configurations, installing the 10.7.3 update on OS X Lion turns on the log, which then records the user information in human-readable text.
Mac users who used FileVault encryption on their machines before they upgraded to Lion, and who kept their folders encrypted with the legacy version of FileVault, are vulnerable, while those using FileVault 2 should remain unaffected.
The flaw was discovered by security researcher David Emery, who described his findings on the Cryptome mailing list.
This is worse than it seems, since the log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
– David Emery
The good news is that Apple has now released another update that patches up the FileVault bug while resolving a number of other issues:
- Resolved an issue in which the “Reopen windows when logging back in” setting is always enabled
- Improved compatibility with certain British third-party USB keyboards
- Addressed permission issues that may be caused if you use the Get Info inspector function “Apply to enclosed items…” on your home directory
- Improved Internet sharing of PPPoE connections
- Improved using a proxy auto-configuration (PAC) file
You can get the OS X 10.7.4 Lion update by running Apple Software Update or by downloading it here.