Apple Takes 3 Months But Finally Stops Printing Passwords in Plaintext
May 9, 2012 5:20 PM
comment(s) - last by
Company is showing signs of improvement, past flaws took it up to a year to patch
Famed OS X hacker
once told a security blog
, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."
But of late there have been
in the farm house, and even Apple, Inc. (
started to admit that it has security issues
-- well, after realizing that telling its technicians to
lie to customers about them
might be bad publicity. One recent piece of malware is estimated to have
infected 600K Macs
generated millions in profit
for identity thieves alone.
Kapersky Labs, a top security firm recently warned the public that Apple's security was
10 years behind Microsoft
). Evidence of that was seen in the 10.7.3 build of OS X "Lion", which due a programming error (a stray debugging flag left on in OS X's source) accidentally logged
the passwords of users who used legacy FileVault settings.
An Apple user, Eric Hildum
in the support forums three months ago:
I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.
This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extration in single user mode would be possible as well.
Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?
We are running Lion clients with a SL Server and using OpenDirectory.
Apparently the Apple answer was that this was a "feature" for the time being, because the user received no reply to his pleas for three months. Then a security researcher by the name of David Emery, posted his findings to the
mailing list, a list frequent by hackers.
As noted by Mr. Emery, the issue did not effect purchasers of new Lion systems, but might have affected many users of legacy systems who upgraded to Lion.
With the Cryptome email, the media began to catch wind of Lion's penchant for plaintext password dumping and Apple was forced into the awkward position of providing an "update" for its "feature".
Hence OS X 10.7.4 was born, and aired today to loyal Lion subscribers.
The patch also "improves" other "features", such as no longer losing settings to the "reopen windows when logging back in" checkbox, and allowing "certain British third-party keyboards" to finally work.
Apple may still be living in the dark ages of security, but at least it's figured out not to stores users' passwords in plaintext, even if it took the company three months of complaints. On the plus side, the three month turnaround is faster than past incidents where Apple took
up to a year to fix past security issues/features
This article is over a month old, voting and posting comments is disabled
RE: Old Quotes
5/9/2012 10:01:53 PM
Charlie Miller's comment may not be relevant but Kapersky's certainly is. Kapersky is saying Apple's security process is where Microsoft's was when XP was released. That puts them 10 years behind in their security process. How can you be okay with a bug that stores network and local passwords in plain text in an unencrypted area of the drive that goes for 3 months without being patched? You'd be standing outside Redmond with pitchforks and torches. But you can defend Apple?
How can you defend a Java bug that resulted in over 600k infections that was fixed for over 3 months before Apple updated the version they won't allow Sun to update directly? And 600k is roughly 1% or so of the OS X install base. I know what you're thinking, 1% isn't bad. To put that into context 12 million Windows infections would be 1% of the Windows install base. The last major virus that hit Windows that didn't require direct user intervention to spread? Conficker. It affected around 2-3% of the Windows install base. However it exploited a vulnerability that had been fixed for almost 6 months before the Conficker worm hit. So that's end user or IT stupidity/laziness.
Microsoft has one of the best security practices in computing today. Do they respond as fast as Linux? No, but they also have validation and extensive testing of patches. Linux users have to worry about a patch casuing issues with other programs that are dependant on files that have changed. It's very unusual for the MS patches to cause widespread problems. They are easily 10 years ahead of Apple and MS actually discloses the information when the patch is released so IT staff can determine testing order and deployment priority.
"I f***ing cannot play Halo 2 multiplayer. I cannot do it." -- Bungie Technical Lead Chris Butcher
Symantec: Flashback Trojan for Mac Generates $10,000/Day
May 1, 2012, 1:46 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Apple Admits Its Macs Have a Malware Problem
April 12, 2012, 12:07 PM
Malware Authors Get Boost from Apple's Sluggish Updates, Infect 600K Macs
April 6, 2012, 8:40 AM
"Devil Robber" Trojan Infects Macs, Leeches Their GPUs for Bitcoin Profit
November 1, 2011, 10:59 AM
Windows 10 Adds USB 3.1 for Dual-Role Peripherals, External Display Support
February 27, 2015, 11:39 AM
Quick Note: Apple Opens Up iOS 8.3 Beta 2 to Developers
February 25, 2015, 6:00 PM
StarDock Unveils Start10 Start Menu Replacement for Windows 10
February 25, 2015, 11:24 AM
Report: Microsoft Plans to Double Windows XP Support Costs to Punish Holdouts
February 18, 2015, 8:38 PM
Quick Note: Office 2016 Preview for Windows 10 is Available
February 9, 2015, 9:39 AM
"World's Smallest Chess Code" is a Cheating Novice (But Still Kind of Lovable)
January 28, 2015, 2:24 PM
Most Popular Articles
Modern Glass (Windows 7 Aero Glass + Modern UI) Style is Coming to Windows 10
February 19, 2015, 1:05 PM
Amid Tight Race w/ Evernote, Microsoft's OneNote Goes (Even More) Free, Adds Fresh Features
February 23, 2015, 11:15 AM
Google Steps up Snub of Adobe Flash, Auto-Converting Flash Ads to HTML5
February 25, 2015, 6:16 PM
NVIDIA Bows to Outraged Overclockers, Will Restore Feature in Upcoming Driver
February 23, 2015, 12:30 PM
HTC's Sense UI is Garbage: A Tale of Disappearing Keyboards and Desperate Fixes
February 24, 2015, 11:00 AM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information