Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

FileVault security hole discovered in OS X Lion 10.7.3

Apple's legacy FileVault Mac encryption system in OS X 10.7.3 has a security flaw that could allow malicious users to access stored passwords.

The flaw was detailed late last week in a post by David I. Emery on the Crytome mailing list (via Suddeutsche.de). The issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that displays login passwords in plain text is created.

"Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012," Emery explained.

The log-in data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.

Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.

Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recover partition or external media, or enter firewire disk mode.

"Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model — not uncommon in families — where different users of a particular machine are isolated from each other and cannot access each others' files or login as each other with some degree of assurance of security," Emery wrote.

The bug was introduced with Apple's OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.



10 Comments

fabiopigi 19 Years · 18 comments

Actually, the security flaw is known since Februray 6th, so over 3 month!

https://discussions.apple.com/thread/3715366

🎅
esummers 15 Years · 952 comments

This is legacy software.  You can't even turn it on anymore.  It requires an upgrade from a previous OS that had it enabled.  It was rarely used prior to it being replaced by FileVault 2 due to its many technical limitations.  Any serious enterprise user used one of the third party alternatives prior to FileVault 2 being released.  This basically doesn't affect anyone.

 

This has been known about for three months and has been a non-issue that whole time.

🌟
myapplelove 15 Years · 1498 comments

you 'd think they 'd spend a bit more time addressing it, if they can't be more attentive for it not to be there to begin with... Such sloppy work these days for os x...

❄️
ddawson100 16 Years · 537 comments

The fact that it's not a common scenario doesn't minimize its severity or eliminate the need for this to be addressed. There are people in work environments who share computers. There is malware that doesn't even need physical access. If this was another OS I'm sure there would be a lot more uproar on this site.

🍪
jragosta 17 Years · 10472 comments

[quote name="ddawson100" url="/t/149912/filevault-security-hole-discovered-in-os-x-lion-10-7-3#post_2106298"]The fact that it's not a common scenario doesn't minimize its severity or eliminate the need for this to be addressed. There are people in work environments who share computers. There is malware that doesn't even need physical access. If this was another OS I'm sure there would be a lot more uproar on this site. [/quote] No one said it didn't need to be fixed. But uproar if it were a different OS? Nonsense. Windows has plenty of security flaws that don't require physical access. This one does require physical access to the computer - at least close enough to connect a Firewire cable. And if you give someone physical access to your computer, all security bets are off.