Apple error leaves security hole

Fresh on the heels of the recent malware attack that tarnished Apple's security record, experts have found another flaw in Apple's latest Mac OS X 10.7.3 Lion security update, that exposes users' passwords in clear text.

The flaw was disclosed by David Emery in a post on an encryption mailing list on Friday. It is said there appears to be a dangerous programming error that reveals passwords for content stored in FileVault (Apple's encryption technology).

Senior security advisor at Sophos, Chester Wisniewski, says it would seem a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

“Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents,” says Wisniewski. “This could occur through theft, physical access, or a piece of malware that knows where to look.”

Emery says those at risk include users of the legacy (pre Lion) FileVault home directories, who have logged in since the 10.7.3 upgrade in February. It does not impact FileVault 2 users who have Apple's full encryption turned on.

Emery's post explains: “This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Wisniewski says the best course of action is to implement Apple's FileVault 2 or a similar full disk encryption solution. “Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.”

According to Wisniewski, how products store, manage and secure keys and passwords is the most common failure point when it comes to data protection.

“This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn't mean anything if it chooses to store your password in an accessible log file.”

“Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems,” says Wisniewski.

Following the recent Flashback attack on Apple, CEO and co-founder of Kaspersky Lab, Eugene Kaspersky, was widely quoted as saying “Apple is 10 years behind Microsoft in terms of security”.

Apple was dragged over the coals for its slow response to the security flaw in the Java Web platform that was exploited by the Flashback virus.

Kaspersky said at the time that cyber criminals would no doubt progress to create more and more malware targeted at the Mac in the future, seeing Apple face the same problems as Microsoft did a decade ago.

“Apple will have to make changes in terms of the cycle of updates and so on, and will be forced to invest more in their security audits for the software,” said Kaspersky.

Apple is yet to formally respond to the news of the latest security flaw.