Summary: With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file, outside of the encrypted area, that stores the user's password in clear text.
In specific configurations, applying OS X Lion update 10.7.3 turns on a system wide debug log file that contains the login passwords of every user who has logged in since the update was applied.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable.
By default, no files are encrypted, but encryption can be enabled by users on a per file, per directory, or per drive basis.
The flaw was first reported by security researcher David Emery, who posted his findings to the Cryptome mailing list.
This is worse than it seems, since the log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk, or by booting the new Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file.
Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree.
The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
This leak of credentials could be catastrophic for businesses that have relied on the FileVault feature in Macs for years.
FileVault is intended to protect sensitive information by providing an encrypted home directory: an encrypted file system mounted on top of the user's home directory.
Thus an attacker cannot extract information from files and folders that remain encrypted.
If an employee has their Mac stolen, however, anything they encrypted, as well as anything that requires those credentials, can be accessed without hindrance if the vulnerable configuration is in place.
If your hard drive is stolen, it doesn’t matter that the backups require a key to read.
The backed up log file contains the required password stored in clear text.
In addition to theft or just plain physical access, it would be possible for cyber criminals to write very specific malware that knows where to look on a targeted system.
While this would be difficult to implement, the lure for cyber criminals is obvious; anything encrypted, especially by an enterprise employee, has the potential to be very valuable.
This means that for users who updated immediately, weeks of logins to encrypted home folders are now recorded in a file anyone with access to the disk can read.
The good news is that it isn’t the full three months since the log file is only kept by default for several weeks.
Users on the Novell Forums noticed and have been discussing the issue since last week.
On the Apple Support Communities, at least one user noticed the flaw exactly three months ago, and asked for an explanation.
Here's what he wrote: "We've tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted."
A simple bug in how the keys are secured, managed, or accessed can lead to a massive unraveling, as we’ve seen here.
Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up.
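Because the leaked line sits in an unencrypted system log that is also copied into backups, an administrator's first job is to find out which accounts were recorded and to scrub every copy. The scanner below is an added example, not code from the article or from Apple; the log line shape and file paths it uses are constructed stand-ins, since the article does not reproduce the real debug line.

```python
import os
import re
from typing import Dict, Iterable, List

# Constructed sample lines in the shape of an OS X system log. The exact text of
# the 10.7.3 debug line is an assumption here; "hunter2" stands in for a leaked password.
SAMPLE_LOG = [
    "May  6 09:12:01 imac authorizationhost[311]: DEBUGLOG | HomeDirMounter mount for user alice with password hunter2",
    "May  6 09:12:02 imac loginwindow[92]: USER_PROCESS: 92 console",
    "May  6 17:40:55 imac authorizationhost[408]: DEBUGLOG | HomeDirMounter mount for user bob with password correct-horse",
    "May  7 08:03:10 imac authorizationhost[512]: DEBUGLOG | HomeDirMounter mount for user alice with password hunter2",
]

# Assumed debug-line pattern: "... for user <name> with password <secret>".
LEAK_RE = re.compile(r"DEBUGLOG \|.*?\bfor user (\S+) with password (\S+)")


def find_leaked_accounts(lines: Iterable[str]) -> Dict[str, int]:
    """Return {username: number of log lines that recorded that user's password}."""
    hits: Dict[str, int] = {}
    for line in lines:
        m = LEAK_RE.search(line)
        if m:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


def redact_line(line: str) -> str:
    """Replace only the password field, leaving the rest of the audit trail intact."""
    m = LEAK_RE.search(line)
    if not m:
        return line
    return line[: m.start(2)] + "[REDACTED]" + line[m.end(2):]


def redact_lines(lines: Iterable[str]) -> List[str]:
    return [redact_line(line) for line in lines]


def scan_paths(paths: Iterable[str]) -> Dict[str, int]:
    """Aggregate affected accounts across the live log, rotated copies and backup copies."""
    total: Dict[str, int] = {}
    for path in paths:
        if not os.path.isfile(path):
            continue  # rotated or backup copy may not exist on this machine
        with open(path, encoding="utf-8", errors="replace") as fh:
            for user, n in find_leaked_accounts(fh).items():
                total[user] = total.get(user, 0) + n
    return total


if __name__ == "__main__":
    # Placeholder paths: substitute the real log, its rotated copies and any backup copies.
    print(scan_paths(["/PLACEHOLDER/system.log", "/PLACEHOLDER/backup/system.log"]))
```

Every account the scan reports needs its password changed, since redacting the log does not undo the exposure already captured in backups or copied off the disk.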
Adrian Zuckerberg is a business journalist based in Sydney, Australia.