Debug Log File Exposes OSX Passwords

     As reported on http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963, there is a flaw in the most recent Lion update (10.7.3) that can expose passwords via a debug file.  It isn't as bad as it originally sounds, though, as very specific circumstances must be met for this to occur.
     First, you must have been using FileVault before OSX Lion (10.7) and then upgraded to Lion but kept your folders encrypted using the older version of FileVault; 10.7's FileVault 2 is not affected.  If you do meet these circumstances, this poses quite a risk, as anyone could boot into target disk mode or the recovery partition that comes with 10.7 and read the file.
     In addition, there is the possibility of specially crafted malware that could look for said file and try to exploit it.  Yet another reason why I always tell people that it is best to do a fresh install when moving to any new OS.  Whenever you upgrade, there are just some things that get left behind, and that can come back to bite you.
