bit-tech.net

Apple goof opens FileVault hole in OS X

Apple goof opens FileVault hole in OS X

Apple's FileVault has been found to have a rather serious flaw, following a botched updated released by the company in February.

Apple has once again found itself in the glare of the security spotlight following a flawed update which stores passwords for its FileVault encryption system in plain text.

A software update to the OS X Lion operating system back in February appears to be to blame, modifying the way the FileVault system operates. Given that FileVault exists to protect privacy by encrypting selected files with a powerful AES-based cipher, it's just a little embarrassing for the company.

According to security researcher David Emery, who discovered the flaw, an attacker with physical access to the target system can boot the system into FireWire disk mode to bypass the log-in screen, mount the system partition, and then read the file containing the plain-text passwords. Armed with these passwords, the attacker can then decrypt the FileVault-protected data.

'Having the password logged in the clear in an admin readable file completely breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,' Emery warns. Worse, there is evidence that the password file is included in Time Capsule backups.

The flaw appears to stem from the use of a debug switch enabled - for reasons which are not readily apparent - as part of the OS X Lion 10.7.3 update released back in February. In mitigation, Emery admits that the flaw appears to only affect users who created FileVault home directories under versions of OS X prior to Lion and then subsequently upgraded; FileVault 2 with legacy mode disabled does not appear susceptible to the flaw.

This goof is the latest in a string of public attacks on Apple's reputation for security in recent months, following the discovery of a drive-by downloader for OS X which turned more than 550,000 machines into clients of a 'botnet' without user intervention by exploiting a security flaw in Apple's software.

With Apple fans often claiming that the company's systems are somehow less vulnerable to attack than those from long-time rival Microsoft, perhaps it's time to take the company's advice and consider installing third-party security software/

19 Comments

Discuss in the forums Reply
schmidtbag 7th May 2012, 19:36 Quote
"With Apple fans often claiming that the company's systems are somehow less vulnerable to attack than those from long-time rival Microsoft"

That's where apple users don't know the difference between malware vulnerability and hacking vulnerability. All unix based and unix-like systems are naturally resistant to malware, whereas WIndows is naturally insecure about infections. But, hacking is a separate story.

However, hacking is so different that it isn't (or shouldn't be) entirely the OS's obligation to protect against such a thing. When someone attempts to hack into your stuff, you've either pissed someone off or you made others aware of who you are and what you have. That being said, its kind of the user's fault if anything breaches a computer via non-malware methods. In the situation of users getting their things hacked when relying on Apple's FileVault, well that is also Apple's fault because they made an unreliable product.
Snips 7th May 2012, 21:33 Quote
Oops! I'm sure they will have it fixed sooner or later. If you are using Apple OSX then try downloading Microsoft Security Essentials :)
Andy Mc 7th May 2012, 21:35 Quote
Wonder how long it will take them to pull their finger out and patch this?

I call 6 months.
Cei 8th May 2012, 00:08 Quote
Interesting. When will Bit-Tech start posting news articles on every Windows flaw?
AmEv 8th May 2012, 00:39 Quote
Quote:
Originally Posted by Cei
Interesting. When will Bit-Tech start posting news articles on every Windows flaw?

Funny.

Seriously though, it isn't that Windows is/isn't flawed, it's that most of the users that we hear about claim that OS(X) is immune from inoperability. As in, there is 0 malware for it.

Another thread.
Andy Mc 8th May 2012, 02:35 Quote
Quote:
Originally Posted by Cei
Interesting. When will Bit-Tech start posting news articles on every Windows flaw?

I think the issue here is more about Apples approach to security patching, they are just terrible at it.

MS will patch issues quite quickly whereas Apple will drag their feet and still insist on telling their users that they do not need to use any form of AV software on their Mac.

This issue was first seen 3 months ago! Theres more on it here: http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
fluxtatic 8th May 2012, 07:15 Quote
This just in from my local Genius (tm) - "Whatever are you talking about? There's no problem, no vulnerability here. Just as the Great Steve (tm) decreed, 'OS X is invulnerable to any sort of problems at all. It's no more vulnerable to hacking or viruses than your toaster.' So, you see? Nothing to see here. Want to buy a new shiny to give your life meaning?"

There you have it, folks. Every tech site on the planet is just dead wrong about this.
modfx 8th May 2012, 07:18 Quote
A massive scale attack on apple would be most amusing. A few people I know are the "head in the sand lalallalalala Apple cant get viruses and are the most awesome creation known to man. Why? It's Apple, you don't ask why, they just are." types and it would be funny to see their beloved Mac crumble.

By no means is this aimed at Mac users in general. Fanboys of any description irritate me.
Gareth Halfacree 8th May 2012, 08:00 Quote
Quote:
Originally Posted by Cei
Interesting. When will Bit-Tech start posting news articles on every Windows flaw?
Like this one? How about this one? This one? Perhaps this one? This one? This little round-up? This one? This one? This one? This one in Sharepoint?

If a vulnerability is news-worthy, it gets mentioned - regardless of platform. We don't cover every Windows vulnerability - partly because there's too many of 'em, and partly 'cos we're not a security-focused site - but we try to cover the highlights.

And, I think you'll agree once the Apple-provided scales have fallen from your eyes, storing the passwords for encryption software on the disk in plain-text is definitely a highlight. If Microsoft had done the same, you'd better believe we'd have reported it.
FelixTech 8th May 2012, 09:36 Quote
I'm fairly sure you can bypass Wndows login screens over firewire unless there are non-default settings for the port. However, OSX is the only operating system stupid enough to let you read any bypassed passwords in plain text! It's quite easy to do really! :O
Cei 8th May 2012, 12:22 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Cei
Interesting. When will Bit-Tech start posting news articles on every Windows flaw?
Like this one? How about this one? This one? Perhaps this one? This one? This little round-up? This one? This one? This one? This one in Sharepoint?

If a vulnerability is news-worthy, it gets mentioned - regardless of platform. We don't cover every Windows vulnerability - partly because there's too many of 'em, and partly 'cos we're not a security-focused site - but we try to cover the highlights.

And, I think you'll agree once the Apple-provided scales have fallen from your eyes, storing the passwords for encryption software on the disk in plain-text is definitely a highlight. If Microsoft had done the same, you'd better believe we'd have reported it.

Oh don't get me wrong Gareth, this is a flaw in OS X, and a ridiculous one at that - particularly for any owners that have upgraded from previous OS X versions whilst using FileVault. Yet the fact that you need physical access to the machine begins to turn this in to something that its more academic than a threat to the average internet user.

Your list of links, though pretty, all seem to date from 20120 (apart from a single one in Jan 2011 and a single 2012 article). We've then had a whole spate of Apple ones in recent times, and no comment on what happens to Windows.

I guess my point is that, as you say, B-T isn't a security website, and so any article you do post is going to have to be of above average interest to the readers. So why post Apple-related ones, on a security flaw requiring physical access, when basically ignoring what goes on with Windows since 2010?
Gareth Halfacree 8th May 2012, 12:42 Quote
Quote:
Originally Posted by Cei
Yet the fact that you need physical access to the machine begins to turn this in to something that its more academic than a threat to the average internet user.
Combine it with the drive-by downloader which gains administrative access to OS X without the user's knowledge, and you have a way to remotely harvest passwords for FileVault partitions. Considering that the whole point of FileVault is to protect your privacy in the event of local or remote intrusion, I'd say that's a serious threat indeed.
Quote:
Originally Posted by Cei
I guess my point is that, as you say, B-T isn't a security website, and so any article you do post is going to have to be of above average interest to the readers. So why post Apple-related ones, on a security flaw requiring physical access, when basically ignoring what goes on with Windows since 2010?

Ignoring what goes on with Windows since 2010? Whatever you're smoking, I'll have some.

I stopped writing for bit-tech a while back, then started again when Simon took over. If you're wondering why there weren't so many stories in 2011 as in 2010 - I wasn't here to write them!

As for the 'whole spate' of Apple security articles, I count a massive two in 2012: this article, and one about the first drive-by downloader for OS X in the wild. Both, I would say, are very much newsworthy and deserve to appear on bit-tech.

In the same space of time - i.e. since 1st January 2012 - there have also been two stories about the Microsoft Windows RDP vulnerability and one about Google's cash-for-vulns programme.

I would say an equal number of articles about vulnerabilities in Windows as about vulnerabilities in OS X is fair, wouldn't you?

As for 'ignoring' Windows vulnerabilities, it's quite simple: a new drive-by downloader for Windows isn't news. There are hundreds of them. The majority aren't very successful. The world's first drive-by downloader for OS X, which has a confirmed list of victims 550,000-long? That's news. If it were the first drive-by downloader for Windows, I'd have written about it too.

The biggest security SNAFU of the year from Microsoft was the RDP vulnerability, which got two stories. The biggest SNAFUs from Apple were the drive-by downloader - which at half a milion victims on an OS the company has claimed is immune to viruses, is big news - and the FileVault bug.

You want me to write more about Windows vulnerabilities than Apple vulnerabilities? Go find some interesting vulnerabilities in Windows, and I'll write about 'em. It's really as simple as that.
cookie! nom nom 8th May 2012, 12:50 Quote
meh, mistakes happen..... it not like people priviet info can be used/seen
schmidtbag 8th May 2012, 15:05 Quote
Quote:
Originally Posted by cookie! nom nom
meh, mistakes happen..... it not like people priviet info can be used/seen

that's true, but there's a difference between making a mistake and then just being ignorant about something. anyone who knows anything about computers knows that an easily accessible text file is not something you store data that should otherwise be hidden/encrypted.
Paulg1971 8th May 2012, 18:32 Quote
Another thing to consider is that most pc users have some form of security on their machines where as apple users still have their heads up their arses and have no security so highlighting problems for apple makes good sense(and gives pc users a good laugh)
lamboman 8th May 2012, 19:33 Quote
Quote:
Originally Posted by Paulg1971
Another thing to consider is that most pc users have some form of security on their machines where as apple users still have their heads up their arses and have no security so highlighting problems for apple makes good sense(and gives pc users a good laugh)

A vague statement to make. What do you mean by "security"? What form of security specifically?

Either way, if your statement were true, there wouldn't be such a ridiculous amount of infected Windows systems.

Furthermore, Windows users have nothing to laugh at. There are still quite a few more threats for Windows PCs, to say the least. Not because Windows is a more insecure platform, merely because there are more users. At the same time, Mac users who claim that their systems are invincible to every threat known to man need to be lined up and shot, frankly.

All operating systems have vulnerabilities. No point in arguing that one platform is more secure than the other, because there will always be more vulnerabilities found for any platform.

Finally, a huge proportion of security issues are caused by the user. Stick up a firewall, have some decent anti-malware protection, and most importantly, use some common sense.

I am by no means a security expert. Quite frankly, anybody could say what I've just said.

EDIT: I should also add that I would agree that Apple can be slow to issue updates, not just for security issues but for other problems too (take the 2011 iMac's Wi-Fi issues that weren't fixed for 6 months). If they're kicked about enough on the Internet, updates will be issued quicker. However, it shouldn't be like that. This FileVault issue is a "tad" silly...
Gareth Halfacree 10th May 2012, 08:59 Quote
Apple has now fixed the FileVault bug (along with a few other security holes) in OS X 10.7.4, plus another hole in Safari with 5.1.7. If you're a Mac user, it's time to update.
slothy89 11th May 2012, 07:51 Quote
I laugh at all this Windows vs Mac banter! Neither is superior to the other.

I own both, and know the weaknesses each possess. I cringe when I hear a salesman tell a naive customer that their shiny new iMac doesn't need Internet security, as the days of the secure mac are gone. With more and more clueless consumers buying macs, the concentration of Mac PCs is increasing, whilst the average IT knowledge of mac users dropping. This makes macs a more viable target for malware devs.

That said, I don't run any fancy security suite on my Windows or Mac PCs as one I don't want to pay, and two from my experience most infections are the result of opening spam emails or downloading fake torrents etc. in other words, lack of common sense. I have not had one issue with malware in the past 5 years of having my own private PC Internet connected.

Ultimately it is the lump of flesh that tells the shiny box what to do that is the main vulnerability on any system whether it's Windows, Mac, Linux or otherwise.

Good story!
lamboman 11th May 2012, 11:19 Quote
Quote:
Originally Posted by slothy89
*snip*

Couldn't agree more. That said, always worth having anti-virus software just to scan anything that does come in, just in case.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums