Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Password Security Hole Discovered in Certain FileVault Configurations on OS X 10.7.3
ZDNet reports on the discovery of a significant breach of password security for certain users of Apple's FileVault encryption system under OS X Lion. Affected systems currently store the login information for every recent user of the machine in plain text, allowing for easy circumvention of encryption.In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.The issue was noted last Friday by David Emery on the Cryptome mailing list.
Anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault is vulnerable. FileVault 2 (whole disk encryption) is unaffected.
This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.Emery also offers some suggestions for dealing with the issue, including turning on FileVault 2 and setting a firmware password on the machine in question.
The issue was actually first noted in the Apple discussion forums back on February 6, just days after OS X 10.7.3 was released to the public. That poster now notes that the issue may extend further than just the specific FileVault situation outlines by others, as he notes that he has experienced the same behavior on an OS X Lion virtual machine through VMware Fusion, without FileVault ever having been active on the installation. Consequently, the extent of the issue may not yet be fully known.
Apple has yet to offer any response to the issue, although it is unclear when the company became aware of it. Apple touts the security features of OS X Lion in its promotional materials for the operating system, with a focus on FileVault as an important component of that security, and it seems likely that the company will move as quickly as possible to investigate and fix the issue.
[ 30 comments ]
Top Rated Comments
(View all)
94 months ago
What's the difference between FileVault and FileVault 2? I use 2, but are there any reasons someone would be unable to upgrade from the original to the new version?
If not, this seems like a non-issue.
This is not a non-issue. Don't be an apologist. There are legitimate reasons to use FileVault v1 over v2. v1 encrypts your home directory while v2 encrypts the whole filesystem. If you have untrusted users on the same computer (say shared with a family) v2 will give other users full access to your files while v1 will encrypt on a per home directory basis and another user will be unable to see your files.
Even if there were no legitimate reason to use v1 over v2 that is still no excuse. This is a serious oversight with serious consequences. Now these kind of things happen and the fact that it happened is not an insult to Apple. However, there is no excuse for it going unpatched for this long. There should have been a patch immediately after it was discovered. There is no excuse for that.
94 months ago
I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?
I just feel like I'm seeing more stories like this these days than I did in past years.
I just feel like I'm seeing more stories like this these days than I did in past years.
94 months ago
This is one reason why I wish Apple would start hiring more engineers instead of shuffling them back and forth between iOS and OS X departments as they have since before the first iPhone launch in 2006 (Leopard was delayed twice to an October '06 release as engineers from OS X were shifted to iOS).
It's been stated Jobs hated hiring more, and kept a tight knit group of engineers. Perhaps more would help alleviate/diminish the odds of such programming flaws. Who knows. Either way, I'm sure it wouldn't hurt.
Agree. From what I gather, engineers are strained, being spread across iOS OS X departments. In part to unify the group but also in keeping with Jobs' desire for a small engineering base. It seems to be negatively effecting some aspects to their OS's.
It's been stated Jobs hated hiring more, and kept a tight knit group of engineers. Perhaps more would help alleviate/diminish the odds of such programming flaws. Who knows. Either way, I'm sure it wouldn't hurt.
I'm actually one of those people who like the user-features added to Lion, but doesn't it seem like the behind-the-scenes stuff in Lion is the sloppiest work in ANY version of the Mac OS?
I just feel like I'm seeing more stories like this these days than I did in past years.
Agree. From what I gather, engineers are strained, being spread across iOS OS X departments. In part to unify the group but also in keeping with Jobs' desire for a small engineering base. It seems to be negatively effecting some aspects to their OS's.
94 months ago
First the Java exploit (not strictly Apple's fault, as the actual security flaw was Java's... but they didn't patch it quickly enough). Now this, around three weeks on. Not been a great month for Apple, security-wise!
Ironically, upgrading to Lion saved you from the Java exploit, but it also put you in danger of this :p
Ironically, upgrading to Lion saved you from the Java exploit, but it also put you in danger of this :p
94 months ago
If Apple were an airline, there's still a better than 80% chance you'd get to your destination safely.
94 months ago
On point 1 above, if you use V2 you still cannot access another users files without root access. The system owner should set a root pw. If you set a root pw then others cannot get simple access to other users folders even if they're set as admin level. Although this has nothing to do with the security issues just revealed.
That's not true. Any admin user can spawn a root shell without the root password.
turtle@vier ~ $ whoami
turtle
turtle@vier ~ $ sudo su
vier turtle # whoami
root
vier turtle #
No password required other than the admin user password. That's not the point anyway, system passwords should not be logged in clear text period. Again, the fact that this happened isn't as big of a problem as the fact that it hasn't been patched yet.
94 months ago
turtle@vier ~ $ whoami
turtle
turtle@vier ~ $ sudo -i
vier turtle # whoami
root
vier turtle #
ftfy
94 months ago
Apple just keeps giving reasons not to buy another Mac.
- Sloppy, buggy software.
- Dumbed down software with features removed to appease novice users and frustrate those who use computers for serious tasks (eg the latest Final Cut).
- Dated hardware.
- No support for Blu Ray or USB 3.
- Childish colourful applications preferred over interfaces that help the user perform tasks.
- Features copied from touch screen devices with no consideration to whether they fit in on a computer.
- Aforementioned features being enabled without my consent (eg the reverse scrolling when I installed Lion).
- Huge security flaws left unfixed for weeks or months at a time.
There used to be reasons to pay a premium for Macs, but clearly there aren't any more.
- Sloppy, buggy software.
- Dumbed down software with features removed to appease novice users and frustrate those who use computers for serious tasks (eg the latest Final Cut).
- Dated hardware.
- No support for Blu Ray or USB 3.
- Childish colourful applications preferred over interfaces that help the user perform tasks.
- Features copied from touch screen devices with no consideration to whether they fit in on a computer.
- Aforementioned features being enabled without my consent (eg the reverse scrolling when I installed Lion).
- Huge security flaws left unfixed for weeks or months at a time.
There used to be reasons to pay a premium for Macs, but clearly there aren't any more.
94 months ago
So, apparently Kaspersky was wrong when he said that Apple was 10 years behind Microsoft in terms of security. It's more than that.
[ Read All Comments ]
Elevation Lab, known for its line of popular iPhone charging docks, today released the FamilyCharger, a multi-charging setup designed to allow you to charge all of your devices in one place.
The...
Apple today seeded the third beta of an upcoming macOS Catalina update to its public beta testing group, two weeks after seeding the second public beta and a day after seeding the fourth developer...
Apple today seeded the third beta of an upcoming tvOS 13 update to its public beta testing group, two weeks after seeding the second public beta and day after seeding the fourth developer beta of...
Apple today began selling an updated version of the Rotor Riot wired game controller for iPhone and iPad through its online store. The new model features a redesigned directional pad, a built-in...
Los Angeles FC fans can now order food and drinks ahead of time directly on their iPhones at the Banc of California Stadium.
The MLS team has partnered with artificial intelligence platform...
An escalating trade war between Japan and South Korea could make Chinese manufacturer BOE Technology a "strong contender" for OLED display orders from Apple, according to industry sources who...
iPhone loyalty has hit its lowest level since 2011 and Samsung has been the main benefactor, claims a new survey conducted by trade-in service BankMyCell.
The survey, cited by CNET, tracked...
Sky: Children of the Light, by Journey developer thatgamecompany, is now available for iPhone, iPad, and iPod touch. Its release follows last year's launch of the beta version of the game, titled...
