Sunday, May 06, 2012

Mac OS X 10.7.3 bug causes passwords to be logged in clear text

Despite what Mac fans like to think, Mac OS X is not invulnerable to malware, and neither is it bugless, either. A debug flag was left on in the most recent version of Mac OS X, 10.7.3, which turns on a system-wide debug log file that contains the login passwords - in clear text - of every user who has logged in since the update.

Security researcher David Emery first reported the bug on Friday, to the Cryptome mailing list. While the bug has not been corrected by any subsequent Mac OS X updates, it has also been discovered by end users who have posted to Apple's support forums.

The vulnerability is isolated to a specific use case, though. A user would have had to have used the legacy FileVault encryption on their Mac folders prior to Mac OS X Lion, and stayed with FileVault when they upgraded to Lion. FileVault 2, which encrypts the entire disk, is unaffected by the bug.

FileVault encrypted a user's home folder and left the rest of the system unencrypted. With Lion, Apple replaced FileVault with a full-disk encryption system called "FileVault 2."

For compatibility, Apple still supports legacy FileVault. If, however, a user were to enable a new FileVault setup, that will require the use of FileVault 2, and therefore still be safe. Those who purchased a new system with Lion installed are also therefore immune.

To determine if you are affected by the bug, login to your account, and go to the "Security & Privacy" system preferences. If you are using FileValut, you'll see a warning message that says "You're using an old version of FileVault."

To determine if other users on your system are using the will FileVault, you can go to the Macintosh HD > Users directory and examine home folders for accounts other than your own; any that appear as disk image files (as opposed to folders) are accounts on the system that are using the legacy FileVault technology.

For any accounts are using the legacy FileVault, log in and access the Security system preferences, and click the option to disable FileVault. If you wish, you can then re-enable FileVault, thus turning on the new FileVault 2 feature.

Finally, once you've done all this, what else do you think you should do? That's right, you should change your password.

If you want to be absolutely safe, you can clear out all of the system logs. To do so, open the Terminal utility (in the /Applications/Utilities/ folder) and run the following two commands:

sudo rm -rf /var/log/*
sudo rm -rf /Library/Logs/*

Actually, if you turned on FileVault 2, and you are the only admin on your system, it's not really necessary to do the last two steps above, as any files, including log files that store passwords as clear text, will be encrypted.

As noted above, Apple has not yet patched the issue. With all this publicity, they probably will, soon. However, if you take the steps listed above, you'll be safe anyway.

No comments: