Apple error leaves security hole

Security experts say the programming error renders the encryption pointless and permits access to potentially sensitive documents.

Fresh on the heels of the recent malware attack that tarnished Apple's security record, experts have found another flaw, this time in Apple's latest Mac OS X 10.7.3 Lion security update, which exposes users' passwords in clear text.

The flaw was disclosed by David Emery in a post on an encryption mailing list on Friday. According to the post, a dangerous programming error reveals the passwords used for content stored in FileVault, Apple's encryption technology.

Senior security advisor at Sophos, Chester Wisniewski, says it appears a debug option was accidentally left enabled in FileVault, so that the user's password is written in plain text to a log file that sits outside the encrypted area.

“Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents,” says Wisniewski. “This could occur through theft, physical access, or a piece of malware that knows where to look.”

Emery says those at risk are users of the legacy (pre-Lion) FileVault, which encrypts only the home directory, who have logged in since the 10.7.3 update in February. FileVault 2 users, who have Apple's full-disk encryption turned on, are not affected.

Emery's post explains: “This is worse than it seems, since the log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk, or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”

Wisniewski says the best course of action is to implement Apple's FileVault 2 or a similar full disk encryption solution. “Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.”
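As an added illustration (example code, not Apple's or Sophos's), this is the exposure check a user in the situation described above would want: given the password, search the live log directory and any backup copies of it for the clear-text string, so that a copy surviving in a backup snapshot is not overlooked. The directory layout, the file name `auth.log` and the leaking debug line are constructed for the example; the page does not give the real log path or line format. Matching on the password itself rather than on a line pattern keeps the check independent of that format.

```python
"""Added example (not Apple's or Sophos's code): find clear-text copies of a
password in a log tree and in backup snapshots of that tree.
The directory layout, file names and log lines below are constructed."""
import os
import shutil
import sys
import tempfile
from pathlib import Path


def find_plaintext_password(roots, password: str, suffixes=(".log",)):
    """Return the sorted list of log files under the given roots that contain
    the password in clear text.

    A plain byte search is used deliberately: it does not depend on knowing
    the exact format of the debug line that leaked the value, and it catches
    older snapshots of the same file that a pattern tuned to one version of
    the message might miss."""
    needle = password.encode()
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix in suffixes:
                # Binary read: log encoding is irrelevant to a substring match.
                # Rotated/gzipped logs would need decompression first.
                if needle in path.read_bytes():
                    hits.append(str(path))
    return sorted(hits)


def build_sample_tree(password: str) -> str:
    """Constructed fixture: a live log plus three backup snapshots of it,
    two of which were taken after the leaking update was installed.
    'auth.log' and the DEBUG line are hypothetical, not the real OS X names."""
    base = tempfile.mkdtemp(prefix="fv-demo-")
    leak = f"DEBUG mount home: username=alice password={password}\n"
    clean = "INFO mount home: username=alice\n"
    files = {
        "live/var/log/auth.log": clean + leak,
        "backups/2012-01-15/var/log/auth.log": clean,          # before the update
        "backups/2012-03-01/var/log/auth.log": clean + leak,   # after the update
        "backups/2012-04-20/var/log/auth.log": clean + leak,
        "backups/2012-04-20/var/log/system.log": "INFO unrelated\n",
    }
    for rel, text in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return base


def demo():
    """Run the check over the constructed tree and return hits relative to it."""
    password = "s3cret-pa55"  # constructed stand-in for the user's real password
    base = build_sample_tree(password)
    try:
        return [os.path.relpath(h, base) for h in find_plaintext_password([base], password)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Real use: roots on the command line, password read without echo so it
    # never appears in argv, shell history or `ps` output.
    import getpass
    roots = sys.argv[1:] or ["/var/log"]
    pw = getpass.getpass("Password to search for (not echoed): ")
    for hit in find_plaintext_password(roots, pw):
        print("clear-text password found in", hit)
```

Every file the check reports, including the backup copies, keeps the password readable until it is overwritten or the backup is encrypted; removing only the live log leaves the older snapshots intact.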

Security catch up

According to Wisniewski, how products store, manage and secure keys and passwords is the most common failure point when it comes to data protection.

“This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn't mean anything if it chooses to store your password in an accessible log file.”
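To show concretely how a debug option left enabled turns into the failure Wisniewski describes, here is an added example in Python (not Apple's code; the home-directory mount routine, its log message and the key names it uses are hypothetical): the vulnerable logging call beside a hardened logger that redacts secrets at the logger level, so the value never reaches the on-disk handler even when DEBUG output is switched on.

```python
"""Added example (not Apple's code): a leftover debug statement that writes a
credential to the log, and a hardened logger that scrubs secrets before any
handler sees them. The mount routine and its log format are hypothetical."""
import io
import logging
import re

# Constructed test data; the password stands in for the user's FileVault password.
USERNAME = "alice"
PASSWORD = "s3cret-pa55"

# key=value pairs whose key names a secret (assumed naming convention).
_SECRET_KV = re.compile(r"(?i)\b(password|passwd|secret|token)=(\S+)")


class RedactSecrets(logging.Filter):
    """Scrub secret-looking key=value pairs from every record, at every level.

    Attached to the logger rather than to a handler, so a handler added later
    or a DEBUG level enabled in production cannot re-expose the value."""

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()          # apply %-args first
        record.msg = _SECRET_KV.sub(lambda m: f"{m.group(1)}=<redacted>", rendered)
        record.args = ()                        # already rendered; nothing left to format
        return True


def _make_logger(name: str, redact: bool):
    """Isolated logger writing to an in-memory buffer that plays the role of
    the on-disk log file."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)              # the 'debug option left enabled'
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(RedactSecrets())
    return logger, buf


def mount_home_vulnerable(username: str, password: str) -> str:
    """Vulnerable form: the debug statement echoes the whole request, password
    included. Returns the log text as it would land on disk."""
    logger, buf = _make_logger("demo.vulnerable", redact=False)
    logger.debug("about to mount home: username=%s password=%s", username, password)
    # ... the actual mount would happen here ...
    return buf.getvalue()


def mount_home_hardened(username: str, password: str) -> str:
    """Hardened form: same statement, but the logger-level filter removes the
    secret before the handler writes anything."""
    logger, buf = _make_logger("demo.hardened", redact=True)
    logger.debug("about to mount home: username=%s password=%s", username, password)
    return buf.getvalue()


if __name__ == "__main__":
    print("vulnerable:", mount_home_vulnerable(USERNAME, PASSWORD), end="")
    print("hardened:  ", mount_home_hardened(USERNAME, PASSWORD), end="")
```

Redaction is the safety net, not the fix: the robust change is to never hand the secret to a logging call at all, and to review any DEBUG-level statement near authentication code before release, since a log level is exactly the kind of switch that gets flipped and forgotten.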

“Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems,” says Wisniewski.

Following the recent Flashback attack on Apple, CEO and co-founder of Kaspersky Lab, Eugene Kaspersky, was widely quoted as saying “Apple is 10 years behind Microsoft in terms of security”.

Apple was dragged over the coals for its slow response to the Java vulnerability that was exploited by the Flashback malware.

Kaspersky said at the time that cyber criminals would no doubt go on to create more and more malware targeting the Mac, and that Apple would face the same problems Microsoft did a decade ago.

“Apple will have to make changes in terms of the cycle of updates and so on, and will be forced to invest more in their security audits for the software,” said Kaspersky.

Apple is yet to formally respond to the news of the latest security flaw.


Copyright (c) 1996 - 2014 ITWeb Limited. All rights reserved.