Security researcher David Emerald (David Emery) recently discovered a security vulnerability in Apple's Mac OS X Lion, version 10.7.3: the system records the user's password in clear text.
The log file can be accessed outside the secure area, which means that anyone with administrator or root privileges can obtain the user's password. In addition, anyone who reaches the file by connecting the machine as a FireWire hard drive can then access the encrypted files.
Regarding the vulnerability, Emerald said: "The vulnerability is more dangerous than it looks on the surface, because the log in question can be read in a variety of modes, including FireWire disk mode, which also allows some people to break into the encrypted area."
Industry sources say that for business users who have long relied on the FileVault encryption feature, this is undoubtedly a disaster. If an employee loses a Mac laptop that holds encrypted confidential files, that data would be easy to access.
In addition, the vulnerability also affects Time Machine backups to external hard disks. If such a disk were stolen, it would normally not matter, because a password is required to view its contents. But the backed-up log file contains the clear-text password, which means the password has been kept in long-term backups.
In addition, the vulnerability can also expose the system to hackers. Attackers could write a specific program that exploits the vulnerability to track the computer.
Mac OS X 10.7.3 was released on February 1 this year. According to Emerald, the vulnerability has not yet been fixed, but users who use FileVault encryption (disk encryption) are not affected.
Industry insiders say the vulnerability further highlights Apple's quality assurance issues. Apple needs to fix the problem as soon as possible, but even once a patch is released, Apple cannot ensure that the log file is deleted. Therefore, even after installing the patch, it is best to change your password.