Another week, another Apple Mac OS X security issue.
The latest version of the operating system, Mac OS X 10.7.3 Lion, under certain conditions generates a file that exposes user passwords in plain text. The file is visible to all users, including users who "slave" the machine as a mounted disk accessed by a second Mac over a FireWire connection.
Ironically, it appears that only the most security-conscious Mac users who use Apple's file-encryption options are affected.
The file, called DEBUGLOG, is generated when a Mac that uses Apple's older encryption option is upgraded from Mac OS X 10.6 Snow Leopard to Lion.
DEBUGLOG appears to be a working log used by Apple programmers to troubleshoot or "debug" problems, and which was accidentally not deleted from the latest update of Lion. (It's not clear whether earlier versions of Lion are also affected.)
A note by Boston-area software consultant David I. Emery detailing how the flaw works was posted on Saturday (May 5) to the Cryptome security blog. Tech-support forum mentions of the flaw date back to early February, just after the 10.7.3 update was pushed out by Apple's servers.
"As someone said here recently," noted Emery in his note, "carefully built crypto[graphy] has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open."
Here's how the flaw occurs: Beginning with Mac OS X 10.3 Panther, released in 2003, Apple offered a security option called FileVault, which would encrypt a Mac user's Home folder.
Each user's Home folder, which contains all files and documents created by that user, were encrypted separately. Applications and system files, which are placed outside the Home folders, were not encrypted.
With Mac OS X Lion, released in 2011, Apple introduced FileVault 2, which encrypts the entire hard drive.
DEBUGLOG, the debugging file that exposes the password, is generated only when a Mac that contains FileVault-encrypted user Home folders is upgraded from Snow Leopard to Lion — and only if the user chooses not to enable FileVault 2, but instead to continue using the older FileVault.
The user's Home folder will still be encrypted, but DEBUGLOG pops up in a different, unencrypted directory, and can be read by any user. The exposed password will allow any user to open the encrypted Home folder.
"This is worse than it seems," wrote Emery in the Cryptome blog posting, "since the log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk, or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."
As Chester Wisniewski on Sophos' Naked Security blog and Emil Protalinski on ZDNet's Zero Day blog pointed out, backup software such as Apple's Time Machine would also create backup copies of DEBUGLOG on external hard drives, further compromising the security of the affected systems.
Any Mac user who used FileVault on machines running Snow Leopard, and who has since upgraded to Lion, should implement the full-disk-encrypting FileVault 2 or another form of encryption software. After that, he or she should change his login password immediately.
- 10 Pros and Cons of Jailbreaking Your iPhone or iPad
- FAQ: The New Mac Virus and Apple Anti-Virus Options
- 10 Best Mac Anti-Virus Software Products
© 2012 SecurityNewsDaily. All rights reserved