Apple update to OS X Lion exposes encryption passwords

[Jack]

Sophos wrote:Apple's had a rough time lately on the security front. Last month it was caught out having delayed the release of a security update for Java, resulting in more than 600,000 Macs being recruited into a botnet. Now a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed.

On Friday, David Emery posted to an encryption mailing list disclosing this flaw in the latest OS X Lion security update, 10.7.3, which was released in February.

It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

To my knowledge, this only applies to users of Snow Leopard who used the FileVault encryption option for their home directories. It does not impact users of FileVault2 who have turned on Apple's full disk encryption, nor does it impact users who did not upgrade from Snow Leopard.

Read more: http://nakedsecurity.sophos.com/2012/05/...passwords/