Lion 10.7.3 has "clear text" file with login password

[gunug]

Apparently there is a bug in Lion 10.7.3 update that allows an unencrypted log file to be placed in a location so passwords can be easily compromised:

QUOTE

Since the log file is accessible outside of the encrypted area, anyone with administrator or root access can grab the user credentials for an encrypted home directory tree. They can also access the files by connecting the drive via FireWire. Having done that, they can then not only read the encrypted files that are meant to be hidden from prying eyes, but they can also access anything else meant to be protected by that user name and password.

This leak of credentials could be catastrophic for businesses that have relied on the FileVault feature in Macs for years. FileVault is intended to protect sensitive information stored by providing an encrypted user home directory contained in an encrypted file system mounted on top of the user’s home directory. If an employee has their Mac stolen, however, anything they encrypted, as well as anything that requires those credentials, can be accessed without hindrance if the vulnerable configuration is in place.

http://www.zdnet.com/blog/security/apple-s...lear-text/11963

[Xairbusdriver]

I have no problem complaining about Apple's lack of Quality Control not catching the human error with the Debug Flag setting. But I don't understand the following"

QUOTE

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable.

How is it possible to upgrade the OS without also upgrading FileVault?

[gunug]

I'm working through Pogue's Missing Manual for Lion to see if I can figure out what they're talking about; no joy yet!

[tacit]

QUOTE(Xairbusdriver @ May 7 2012, 03:34 PM) <{POST_SNAPBACK}>

I have no problem complaining about Apple's lack of Quality Control not catching the human error with the Debug Flag setting. But I don't understand the following"

QUOTE

Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable.

How is it possible to upgrade the OS without also upgrading FileVault?

Starting in Lion, FileVault works in an entirely different way. However, if you have a system that's not running Lion and you have FileVault turned on, when you upgrade to Lion, it will use the old-style FileVault (that is, it won't change the FileVault encryption to the new Lion FileVault2 system).

The reason is that the original FileVault only encrypts the home folder, whereas FileVault2 is full-disk encryption. Lion doesn't want to make the assumption that you want to encrypt everything (what if you have multiple users?), so it won't switch over to full-disk encryption without your explicit permission. On the other hand, it doesn't want to disable encryption without your explicit permission either, so when you upgrade to Lion it keeps the old-style FileVault just as it was.

[Xairbusdriver]

Catch-22. Thanks for the explanation, tacit. I've never trusted FileVault since its easy problems years ago, so I've not used it at all.

[gunug]

MAC OS 10.7.4 Update is out:

http://support.apple.com/kb/HT5167?locale=en_US

Seems to fix a lot of stuff but didn't see anything about the "Clear Text" problem!

[Xairbusdriver]

It may be listed <on this page>.

[Paddy]

QUOTE(Xairbusdriver @ May 10 2012, 03:43 PM) <{POST_SNAPBACK}>

It may be listed <on this page>.

Yup...they fixed it. First thing on the list (a surprisingly long list, actually - but good to know that whatever some of those weird things are, they're fixing them!)

QUOTE

Login Window

Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3

Impact: Remote admins and persons with physical access to the system may obtain account information

Description: An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.

[Xairbusdriver]

Couple of threads about BlueTooth problems after making this update. One was fixed by the highly technical "Restart-and-see-what-happens" method. I did a note thanking the posters for doing the beta testing on the update for the rest of us, however.

OS Update Procedures:

1. Repair any problems on your machine, no matter how minor. (Repair Permissions/Disk, run third-party repair/testing apps)
2. Make a fresh backup of anything important.
3. Check/boot from that backup.
4. Wait at least a week.
5. Do another full backup. It's good practice!
6. Check forums for update problems.
A. If problems found, wait two more weeks.
B. If no problems found, make another backup and wait another week.
7. Have your worst friend do the update and see how it goes.
8. Recheck Mac forums.
A. If new threads or no solid fixes, wait another month.
B. If no new threads, make another backup and test it.
9. Make a fresh backup and test it.
10. Check for new posts about the update.
A. If new posts/threads found, forget about the update.
B. If no new posts/threads found, bookmark all know problem fixes. Make the update!
11. Take your significant other to a fine-dining establishment (of their choice!) to celebrate!