On Mac OS X 10.7.3
Apparently, with the latest Lion security update, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the user's password in clear text!!
Looks like an Apple programmer left (by accident?) a debug flag in the most recent version of Mac OS X 10.7.3.
If you apply the latest OS X Lion update, it turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. AND... The passwords are stored in clear text!!
Apparently, since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
The flaw was first reported by security researcher David Emery, who posted his findings to the Cryptome mailing list. The bug has not been corrected by any subsequent updates. Emery explains the severity of the issue:
"This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."
This update was released on February 1, 2012, so many people have already updated, and weeks of logins to encrypted folders are now exposed for anyone to see.
Only a few users have noticed the bug, and Apple Support simply ignored those who did...
Apple needs to fix this issue ASAP. Meanwhile, be extra careful and be sure to change your password now and after the patch fix!
NEWS SOURCE: http://www.zdnet.com/blog/security/a...ear-text/11963
Even when a patch is made available, it will be impossible for the company to ensure the log file has been deleted, especially given all the places it may have been backed up. This means your password could still be out there even after you update, so after you do, make sure to change it.
Our thanks to 'Gauss' for this news story!