April was not a good month for Apple as Flashback infected over half a million OS X machines followed by a new Mac-specific Java vulnerability called SabPub a little later. Kaspersky Labs even stirred up user emotions after commenting that Apple’s security is “10 years behind Microsoft.”
Unfortunately for Apple, the hits keep on coming in May as security researcher David Emery has uncovered a setting within Lion 10.7.3 that tells the operating system to store user passwords in cleartext. It appears that a developer turned on a debugging flag to store this data, but forgot to turn it off before submitting the code for the OS update.
According to the article, a machine is vulnerable if it was using FileVault encryption prior to Lion then later upgraded to Lion. The vulnerability does not extend to FileVault 2.
While many may say that the risks are low since only users in the administrator group can access the file, this isn’t entirely true. The article explains another risky proposition, especially for enterprises that rely on encrypting sensitive data on portable laptops.
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.
Even more interesting is that this issue was apparently discovered back in February, right after the 10.7.3 upgrade. A user by the name of tarwinator posted this issue on Apple's support forums, but nobody from the company even made a comment on the post.
Apple desktops are gaining market share and, as predicted, this means there will be more people looking to exploit the system for personal gain. So much for Apple's security being leaps and bounds better than Microsoft's.
UPDATE: After the story broke, the thread on Apple's site started to receive some traction. The most interesting post is from the original poster, who notes that the bug may not have anything to do with FileVault or the upgrade process of Lion after all.
I've just tried logging in as a network user in a newly set up and updated Lion VM (VMware Fusion) and ran into the same behavior. FileVault was never active on this system.
Image Courtesy of Apple's Support forum