Sunday, May 6, 2012

Mac OS X login passwords put at risk

An apparent programming mistake in an update to the Apple operating system could expose passwords in clear text.
Users of the Lion version of Mac OS X will probably want to update their login passwords.
Security researcher David Emery warns of a significant new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption of certain directories. He writes:
 Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readible by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").
The log in question is kept by default for several weeks...
Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012
As Emil Protalinski points out at CNET sister site ZDNet, echoing Emery, this vulnerability is not to be taken lightly:
 Anyone with administrator or root access can grab the user credentials for an encrypted home directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.
The breach could also affect Time Machine backups to external drives, Protalinski says.
And even after a patch becomes available, he writes, it could be hard to know for sure if the compromised log file has been expunged, meaning that an exposed password could still be discoverable -- adding to the urgency in changing the password.