As David Emery documented last week on Cryptome, Apple’s original version of FileVault has a serious security flaw when used in OS X Lion 10.7.3. The authorization process has a debug option left on that logs the password used to access an encrypted volume’s directory tree. That log file, in turn, is viewable by anyone with root or admin access on the machine. Worse, someone with no idea how to log in to the machine at all could read the contents of this log file by booting the Mac in FireWire Target Disk Mode and accessing its drive from another Mac, or by booting into Lion’s new recovery partition and using its available superuser shell.
While this issue doesn’t exist when using the new version 2 of FileVault built into Lion, many people rely on the older version if they upgraded existing FileVault-encrypted files and folders in a Snow Leopard installation.
Perhaps the most disturbing part of this problem is Apple’s reluctance to address it in a timely manner. At least one person reported the problem three months ago in the Apple Support Communities forums, and it’s been a topic of discussion in the Novell forums for at least a week. Traditionally, Apple hasn’t had to make security patches a top priority. The company’s computers were used by only approximately 10 percent of the personal computer buying public, and even fewer were found in large companies (the most lucrative targets for malware authors looking for valuable information). Today’s landscape looks different. Apple consistently beats its previous quarter’s sales records and, when iPad sales are counted, beat even HP as top manufacturer in 2012. Once iCloud integration is included, the same data entered on a user’s iPhone or iPad is accessible from their Mac. Hackers building botnets are more concerned with the bandwidth available to a compromised machine than with the operating system it runs, and Mac owners are perceived as more likely than average to have the financial means to afford fast broadband connections.
I’m confident Apple will address this issue, especially as negative press grows. The question is, will Apple respond to the next vulnerability more rapidly?