
Company is showing signs of improvement; past flaws took it up to a year to patch

Famed OS X hacker Charlie Miller once told a security blog, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

But of late there have been some thieves in the farmhouse, and even Apple, Inc. (AAPL) has started to admit that it has security issues -- well, after realizing that telling its technicians to lie to customers about them might be bad publicity.  One recent piece of malware is estimated to have infected 600K Macs and generated millions in profit for identity thieves alone.

Kaspersky Lab, a top security firm, recently warned the public that Apple's security was 10 years behind Microsoft Corp.'s (MSFT).  Evidence of that was seen in the 10.7.3 build of OS X "Lion", which, due to a programming error (a stray debugging flag left on in OS X's source), accidentally logged in plaintext the passwords of users who used legacy FileVault settings.
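The bug class the article describes is worth seeing in code: a debug switch that shipped enabled writes the login password into a log as the user's home directory is mounted. The following is an added example, not Apple's code and not from the article; the function names, the log format, the process name "homemounter", the mount path and the sample log lines are all constructed for illustration. It shows the defective pattern beside a hardened version, and two checks an administrator could run over collected log lines: an exact search for a known test-account password, and a keyword heuristic that skips common non-secret words such as "password changed".

```python
"""
Added example (not Apple's code, not from the article): a stray debug flag
that writes a login password into a log during home-directory mounting,
shown beside a hardened version, plus two defender-side checks over log
lines. All names, paths and sample log lines are constructed.
"""
import logging
import re
from io import StringIO
from typing import Callable, Iterable, List, Tuple


# ---- The defect pattern and its fix -------------------------------------

def mount_home_vulnerable(user: str, password: str, log: logging.Logger,
                          debug: bool = True) -> str:
    """Simulated network-home mount. Mirrors the defect described in the
    article: a debug switch left on in the shipped build formats the whole
    credential into the log message. Returns the (constructed) mount target."""
    target = f"/Network/Servers/home/{user}"  # constructed path
    if debug:  # stray debug flag that should have been off in release
        log.debug("mounting %s for %s with password %s", target, user, password)
    else:
        log.info("mounting %s for %s", target, user)
    return target


def mount_home_hardened(user: str, password: str, log: logging.Logger,
                        debug: bool = True) -> str:
    """Same operation. The debug flag changes only the log level, never the
    content: the secret is never passed to the logger at all."""
    target = f"/Network/Servers/home/{user}"
    level = logging.DEBUG if debug else logging.INFO
    log.log(level, "mounting %s for %s", target, user)
    return target


def capture_log(fn: Callable, user: str, password: str,
                debug: bool = True) -> List[str]:
    """Run one of the mount functions with a logger wired to an in-memory
    buffer and return the log lines it produced."""
    buf = StringIO()
    log = logging.getLogger(f"homemounter.{fn.__name__}")
    log.handlers.clear()          # fresh buffer on every call
    log.propagate = False
    log.setLevel(logging.DEBUG)   # worst case: debug output is being kept
    log.addHandler(logging.StreamHandler(buf))
    fn(user, password, log, debug)
    return buf.getvalue().splitlines()


# ---- Defender-side checks over log lines --------------------------------

# Constructed sample of the kind of log an admin might review after a report.
SAMPLE_LOG = [
    "May  3 09:14:02 lion-client homemounter[312]: mounting /Network/Servers/home/alice for alice",
    "May  3 09:14:05 lion-client homemounter[312]: mounting /Network/Servers/home/bob for bob with password Tr0ub4dor&3",
    "May  3 09:15:11 lion-client loginwindow[88]: password changed for user carol",
]

# A credential keyword, an optional separator, then a value-like token.
_KEYWORD_VALUE = re.compile(
    r"\b(?:password|passwd|pwd|secret)\b\s*[:=]?\s*(\S+)", re.IGNORECASE)

# Words that legitimately follow "password" in log messages; not secrets.
_NOISE = {"changed", "reset", "expired", "incorrect", "required", "for",
          "prompt", "supplied", "failed", "accepted", "rejected", "policy"}


def find_known_secrets(lines: Iterable[str],
                       secrets: Iterable[str]) -> List[Tuple[int, str]]:
    """Exact search: does a known value (e.g. a test account's password the
    admin controls) appear verbatim in any line? Returns (line_no, line)."""
    secrets = [s for s in secrets if s]
    return [(n, line) for n, line in enumerate(lines, 1)
            if any(s in line for s in secrets)]


def find_suspicious_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Heuristic search: a credential keyword followed by a token that is
    not a common noise word. Returns (line_no, captured_token)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _KEYWORD_VALUE.finditer(line):
            token = m.group(1).strip(".,;)")
            if token.lower() in _NOISE:
                continue
            hits.append((n, token))
    return hits


if __name__ == "__main__":
    print("vulnerable wrote:", capture_log(mount_home_vulnerable, "bob", "Tr0ub4dor&3"))
    print("hardened wrote:  ", capture_log(mount_home_hardened, "bob", "Tr0ub4dor&3"))
    print("known-secret hits:", find_known_secrets(SAMPLE_LOG, ["Tr0ub4dor&3"]))
    print("heuristic hits:   ", find_suspicious_lines(SAMPLE_LOG))
```

The exact-match check is the more reliable of the two when an administrator controls a test account, since it has no false positives; the keyword heuristic catches leaks of passwords nobody knows to search for, at the cost of needing a noise list tuned to the log formats actually collected.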

An Apple user, Eric Hildum, complained in the support forums three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.
This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well.

Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?
We are running Lion clients with a SL Server and using OpenDirectory.

Apparently the Apple answer was that this was a "feature" for the time being, because the user received no reply to his pleas for three months.  Then a security researcher by the name of David Emery posted his findings to the Cryptome mailing list, a list frequented by hackers.

Apple FileVault

As noted by Mr. Emery, the issue did not affect purchasers of new Lion systems, but might have affected many users of legacy systems who upgraded to Lion.

With the Cryptome email, the media began to catch wind of Lion's penchant for plaintext password dumping and Apple was forced into the awkward position of providing an "update" for its "feature".

Hence OS X 10.7.4 was born, and shipped today to loyal Lion subscribers.

The patch also "improves" other "features", such as no longer losing settings to the "reopen windows when logging back in" checkbox, and allowing "certain British third-party keyboards" to finally work.

Apple may still be living in the dark ages of security, but at least it's figured out not to store users' passwords in plaintext, even if it took the company three months of complaints.  On the plus side, the three-month turnaround is faster than past incidents in which Apple took up to a year to fix security issues/features.



RE: More biased anti-apple Trolling
By macdevdude on 5/9/2012 5:52:28 PM , Rating: -1
quote:
LOL what a sucker! They saw you coming a mile away, chump.
What's that supposed to mean? The Windows users who get their identities stolen are the suckers.
quote:
Any reason you needed to buy so many Macs in such a short period of time if they're really all that great? Just wondering. I certainly don't need to buy a PC every 1.6 years.
I develop apps for a living. Six figures a year is more than enough to buy a nice cluster of MacPros for rendering work and MacBook Airs and MacBook Pros for trips to the coffee shop.

Not everyone is living on welfare like you.

Maybe if you got a Mac and didn't get your credit card charged with so many fraudulent transactions from Windows you could afford to upgrade more often.


By Digimonkey on 5/9/2012 5:54:54 PM , Rating: 5
Man, did a PC user kick your puppy or something?


RE: More biased anti-apple Trolling
By WhiskeyD on 5/9/2012 6:14:22 PM , Rating: 2
macdevdude, you have clearly shown your ignorance. Only noobs like you get viruses and their identity stolen on a PC. I haven't run an antivirus in over 5 years and I've not had a single problem, but then again I'm actually competent with a PC. You keep wasting your "six figures" every few months buying Macs and I'll build a new "identity stealer" every 3-4 years with my "welfare check" hahah you're a joke


RE: More biased anti-apple Trolling
By Cheesew1z69 on 5/9/2012 7:27:01 PM , Rating: 2
Showed it? He shows it every post he makes.


RE: More biased anti-apple Trolling
By bah12 on 5/10/2012 11:17:25 AM , Rating: 1
LMAO yeah, he averages -.88; almost every post he gets a -1. What a moron.


By Reclaimer77 on 5/10/2012 2:09:53 PM , Rating: 2
And that's only because -1 is as low as you can go here lol.


By ppardee on 5/9/2012 7:38:18 PM , Rating: 3
When most people quote a 'six-figure salary', they're not including the figures to the right of the decimal.

And generally when someone uses their salary to defend themselves, they are lying since it can't be verified.

I develop apps for a living, too. I've spent less than $2000 on my computers in the last 6 years and have a killer gaming system to boot (Get it... To boot.. It's a joke, son.). I'm not on welfare, just not stupid with my money.

In the end, there are two types of computer users. Those who know they've been hacked, and those who don't know they've been hacked. We know which category you fall into.


RE: More biased anti-apple Trolling
By elleehswon on 5/9/2012 11:25:22 PM , Rating: 2
A cluster of Mac Pros for rendering? Are you retarded or just trolling? The GPUs in Macs are last generation's technology, at best! For what you spent on those Mac Pros, you could have bought a few cranking PCs (Apple's markup is damn near astronomical), run triple SLI, and be able to dick off most of the day as you'd no longer have to waste time watching your pixels fill the screen. Wait, never mind, you'd probably get a virus... something tells me you're the type that clicks on the boxes on the side of the webpages you visit.

Macs...for people who have no idea what they're doing, but still want to feel like they have something to brag about.

Man, I hope you're trolling... for your sake and mine. Please tell me you're trolling.


RE: More biased anti-apple Trolling
By Rukkian on 5/10/2012 9:58:26 AM , Rating: 2
And for those that want to show off how much of their "6 figure salary" they can blow on overpriced, overhyped, overmarketed crap.

