Apple Update Stores Lion Login Passwords in Clear Text

With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file, located outside of the encrypted area, that stores the user's password in clear text. An Apple programmer, apparently by accident, left a debug flag in the most recent version of Mac OS X Lion. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the clear-text login passwords of every user who has logged in since the update was applied. Anyone who used FileVault encryption on their Mac prior to upgrading to Lion, but kept the folders encrypted using the legacy version of FileVault, is vulnerable. FileVault 2, with full disk encryption, is unaffected by the security flaw. The Mac OS X 10.7.3 patch was released on February 1, 2012. The good news is that log files are only kept by default for several weeks, meaning that users do not have months of unencrypted passwords sitting on their PC. Apple needs to fix this issue ASAP. When a patch is released, people need to ensure the log file has been deleted and their password has been changed. I hope Apple takes care of this VERY SOON!
