A recent update to Apple’s Mac OS X introduced a security flaw, according to a report on Cryptome. The relevant update appears to be v.10.7.3. In certain situations it can expose the password a user needs to log in to the computer or decrypt secured FileVault documents.
The issue does not seem to be widespread due to the very specific scenario where the vulnerability occurs. However, Apple has been under increasing scrutiny to get its act together on security matters ever since the Flashback malware managed to spread to hundreds of thousands of Macs over the last few months. It took several weeks for Apple to resolve that particular threat.
The password problem is said to affect users who encrypted files using the Apple FileVault system prior to installing Mac OS 10.7 (Lion) on their computer but who carried on using the older version of FileVault rather than updating to FileVault 2.
For those who then upgraded to the 10.7.3 update, the system creates a “debug log file”, which (probably inadvertently) includes the passwords for every user who has a login for the computer. This log file is stored in a non-encrypted part of the system and in plain text. The log file retains login information from the point that the 10.7.3 update was installed, which in some people’s case could be as long as three months.
A report on ZDNet (linked below) goes into plenty more detail on the subject. To recap, the risk would be to anyone who uses the old version of FileVault but has otherwise kept their OS up to date. Obviously if you don’t share your computer with anyone else, then the problem is much smaller, and if you don’t have any overly sensitive data in FileVault there’s less to worry about.
A portable computer such as a MacBook, however, could theoretically be compromised, as it’s easier for someone to gain physical access to the machine, boot it as a FireWire drive by linking it to another Mac and copy the log file containing the passwords. It is possible to set a firmware password to add a level of protection at this point, but the recommended fix, until Apple issues a patch itself, is to use FileVault 2 and to find and securely delete the relevant log files and any backups, such as those held in Time Machine.