http://news.cnet.com/8301-1009_3-57428748-83/mac-os-x-login-passwords-put-at-risk/

By Jonathan E. Skillings
Security & Privacy
CNET News
May 6, 2012
Last update: 1:20 p.m. PT

Users of the Lion version of Mac OS X will probably want to update their log-in passwords.

Security researcher David Emery warns of a new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption of certain directories. He writes:

    Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").

    The log in question is kept by default for several weeks...

    Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.

[...]

Received on Mon May 07 2012 - 01:46:09 PDT