Mac OSX 10.7.3 blunder


carrcomp
05-08-2012, 12:59 AM
Hey guys,

I'm sure most of you know about this but ...
With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the user’s password in clear text.


FileVault 2 people are fine, but if you used FileVault encryption pre-Lion, upgraded to Lion, and kept the legacy FileVault encryption on the folders then yeah, you're more or less giving it away.

Viruses, here we come.....

anonymous Mac Tech
05-08-2012, 03:03 PM
I don't know why you would reason that an open encryption password accessible on a local machine is going to make the machine more or less vulnerable to a virus but whatever? It's even stated in the article it would be pretty difficult to exploit.

How about leaving a link (http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963) so folks can make their own minds up about this, rather than just taking your opinion for it? I'd have to say, why someone would still be using FileVault (as opposed to FileVault 2) with 10.7.x? This is plain ignorant. But at the same time Apple not forcing the FileVault 2 upgrade with a 10.7.x upgrade doesn't make sense (but folks are complaining about Apple being so restrictive, this is why maybe they are in some situations?). I'm not sure what the process is with FileVault to FileVault 2 when upgrading from 10.6.x to 10.7.x and I don't recommend FileVault to customers (unless they insist on using FileVault for encrypting their files). One big reason being if the machine already won't boot, a damaged sparse bundle is compounding complications. Also, most folks I see who have it turned on don't even know why (or even need it on for that matter). But what I've seen with FileVault 2, there have been some vast improvements over previous FileVault versions.

anonymous Mac Tech
05-10-2012, 07:54 PM
Just in case anyone cares, the 10.7.4 update was released today which addresses this, so this is a non-issue. But here (http://reviews.cnet.com/8301-13727_7-57431220-263/os-x-10.7.4-fixes-filevault-password-snafu/?part=rss&tag=feed&subj=MacFixIt) are some details along with instructions for deleting all of the logs or just the password entries in the logs since the update isn't going to comb through the logs.

carrcomp
05-11-2012, 01:04 AM
Just in case anyone cares, the 10.7.4 update was released today which addresses this, so this is a non-issue. But here (http://reviews.cnet.com/8301-13727_7-57431220-263/os-x-10.7.4-fixes-filevault-password-snafu/?part=rss&tag=feed&subj=MacFixIt) are some details along with instructions for deleting all of the logs or just the password entries in the logs since the update isn't going to comb through the logs.

Didn't know it was released.

Well done my friend.