OS X has long been regarded by Apple as the pinnacle of safe computing, while consumers have also been under the impression that by using a Mac, you’re almost certainly protected from the bugs, malware and security leaks plaguing PC users.
While, to a degree, Apple’s ecosystem is a safer bet than Windows, and its track record for keeping users safe is far superior to that of Redmond-based Microsoft’s operating system, the last couple of months haven’t been great from a PR point of view. Having just put the well-documented Flashback outbreak behind it, Apple now faces reports that the latest Lion update has accidentally activated a debug log file, which in turn exposes users’ passwords in plain text.
The story comes courtesy of ZDNet, which reports that an Apple programmer must have mistakenly left a debug flag enabled in the very latest version of Mac OS X, version 10.7.3. Once the update is applied, a system-wide debug log file is left lingering on the machine, and it contains, in plain text, the login passwords of every single user who has logged in post-update.
The cue for widespread panic should be put on hold, however, since the security flaw, discovered by security researcher David Emery, apparently only affects those who used FileVault before upgrading to OS X Lion and then opted not to move to FileVault 2.
Speaking of the find, Emery noted that those meeting the criteria for potential exposure should be vigilant in rectifying the issue, since there are numerous ways the log can be read, including booting the machine into FireWire target disk mode and reading its contents by opening the machine as an external disk.
It could also be accessed by booting into the recovery partition and using the superuser shell available there to mount the main file system partition and then read the file. This would make it easy for an unscrupulous individual to break into encrypted partitions on machines for which they would otherwise have no login or password credentials.
OS X 10.7.3 dropped all the way back on February 1st, and despite being reported swiftly by members of the Support Communities, has yet to be rectified.
It’s a shame that Apple hasn’t deemed it important enough to drop a minor update through, but hopefully, a little more negative press will kick the Cupertino company into some sort of urgency.