This isn't shaping up to be a great year for Mac security. On the heels of last month's Flashback trojan pandemic, reports indicate that the latest OS X Lion update uncovers user passwords to prying eyes, too.
As ZDNet reports, OS X 10.7.3 spits out a debug log file containing "the login passwords of every user who has logged in since the update was applied." The file isn't generated on all configurations. However, "anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault" could be affected. ZDNet quotes security researcher David Emery, who says the log files can be accessed by third parties in a variety of ways:
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
The worst part? OS X 10.7.3 came out on February 1, and someone pointed out the bug less than a week later on Apple's own Supper Communities message board. The only replies were posted yesterday, after his post was linked in the ZDNet story.
This is disappointing. Apple is bigger and more powerful than ever, and its Macs are gaining market share fast, yet it seems OS X's security is lagging behind. I hope the Mac maker locks down its operating system better than it has, and fast.
|1. BIF - $340||2. chasp_0 - $251||3. mbutrovich - $250|
|4. Ryu Connor - $250||5. YetAnotherGeek2 - $200||6. aeassa - $175|
|7. dashbarron - $150||8. Captain Ned - $100||9. Anonymous Gerbil - $100|
|10. Bill Door - $100|
|Samsung's Portable SSD T3 reviewed||7|
|TR BBQ Day Shortbread||10|
|Watch the "second-10th" TR BBQ live in 360 degrees right now||8|
|G.Skill hooks up the TR BBQ with some giveaway goodies||10|
|We threw a Minecraft party to test Samsung's Gear VR headset||9|
|Deals of the week: cheap solid-state storage and more||17|
|Sapphire Nitro+ Radeon RX 480 hot-rods Polaris 10||59|
|AMD gets back in the black with its second-quarter financials||41|
|Nvidia unveils a Pascal-powered Titan X with 11 TFLOPS on tap||174|
|I'll...just review the thin air on my desk where a GTX 1060 would fit, since that's what we have.||+115|