Apple security flaw stores passwords in plain text

May 7, 2012

If there’s one challenge that Apple seems to be having trouble getting to grips with lately, it’s security for Mac OS X. Recently the operating system was plagued by the Flashback malware, affecting hundreds of thousands of users, and now an update to Lion has left login passwords exposed in plain text files. The issue comes via a Lion software update back in February.

The issue affects anyone using the legacy version of FileVault who then upgraded to Mac OS X Lion 10.7.3. Folders are left encrypted, but a debug log file has been enabled that resides outside of the encrypted area, revealing the passwords of anyone who has logged in since the update was applied. Anyone using the hard drive in target disk mode or booting into the recovery partition can potentially gain access to the debug file.

It’s a big security issue for those still using the original version of FileVault. If an employee loses a work machine with the encrypted files, an attacker could potentially gain access if they know the exploit. Hackers could also create custom malware to specifically target this issue. Having said that, FileVault 2 is not affected by this issue, since it provides full disk encryption.

There is a glimmer of good news in all of this: the log file is only stored for a couple of weeks, so even though the update goes back to February, there won’t be three months’ worth of information waiting to be stolen. Still, it’s a huge problem, and Apple hasn’t commented on it yet. There doesn’t seem to be any way around the issue right now either.

[via ZDNet]

