Apple has once again found itself in the glare of the security spotlight following a flawed update which stores passwords for its FileVault encryption system in plain text.
A software update to the OS X Lion operating system back in February appears to be to blame, modifying the way the FileVault system operates. Given that FileVault exists to protect privacy by encrypting selected files with a powerful AES-based cipher, it's just a little embarrassing for the company.
According to security researcher David Emery, who discovered the flaw, an attacker with physical access to the target system can boot the system into FireWire disk mode to bypass the log-in screen, mount the system partition, and then read the file containing the plain-text passwords. Armed with these passwords, the attacker can then decrypt the FileVault-protected data.
'Having the password logged in the clear in an admin readable file completely breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security,
' Emery warns. Worse, there is evidence that the password file is included in Time Capsule backups.
The flaw appears to stem from the use of a debug switch enabled - for reasons which are not readily apparent - as part of the OS X Lion 10.7.3 update released back in February. In mitigation, Emery admits that the flaw appears to only affect users who created FileVault home directories under versions of OS X prior to Lion and then subsequently upgraded; FileVault 2 with legacy mode disabled does not appear susceptible to the flaw.
This goof is the latest in a string of public attacks on Apple's reputation for security in recent months, following the discovery of a drive-by downloader for OS X
which turned more than 550,000 machines into clients of a 'botnet' without user intervention by exploiting a security flaw in Apple's software.
With Apple fans often claiming that the company's systems are somehow less vulnerable to attack than those from long-time rival Microsoft, perhaps it's time to take the company's advice and consider installing third-party security software