
Company is showing signs of improvement; past flaws took it up to a year to patch

Famed OS X hacker Charlie Miller once told a security blog, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

But of late there have been some thieves in the farmhouse, and even Apple, Inc. (AAPL) has started to admit that it has security issues -- well, after realizing that telling its technicians to lie to customers about them might be bad publicity.  One recent piece of malware is estimated to have infected some 600,000 Macs and to have generated millions of dollars in profit for identity thieves.

Kaspersky Lab, a top security firm, recently warned the public that Apple's security was 10 years behind Microsoft Corp.'s (MSFT).  Evidence of that was seen in the 10.7.3 build of OS X "Lion", which, due to a programming error (a stray debugging flag left enabled in OS X's source), logged in plaintext the passwords of users who still relied on legacy FileVault settings.  The log in question is readable by any local administrator, so the debugging trace amounted to a password store for anyone with admin rights on the machine.

An Apple user, Eric Hildum, complained in Apple's support forums three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.
This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single-user mode would be possible as well.

Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?
We are running Lion clients with a SL Server and using OpenDirectory.

Apparently the Apple answer was that this was a "feature" for the time being, because the user received no reply to his pleas for three months.  Then a security researcher by the name of David Emery posted his findings to the Cryptome mailing list, a list frequented by hackers.
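The mechanism described above, a debug switch left enabled in shipping code that writes the whole mount request, password included, to a log that local admins can read, as an added example in Python. This is not Apple's code, which is not public: it shows a home-directory mounter with such a flag, a logging filter that redacts credentials whatever the flag says, and the two scans an admin or a user would run over an existing log. The process name, paths, usernames, the password and every log line are constructed for the example.

```python
"""Added illustration, not Apple's code: how a debug switch left on in a
home-directory mounter leaks a password into a log, how to make the logging
path redact credentials regardless of that switch, and the check an admin
can run over an existing log. Process names, paths and log lines are
constructed for the example and are not real secure.log output."""
import logging
import re
from io import StringIO

# Keys whose values must never reach a log. Assumed set for the example.
CREDENTIAL_KEYS = ("password", "passwd", "pwd")
_CRED_RE = re.compile(r"(?i)\b(" + "|".join(CREDENTIAL_KEYS) + r")=(\S+)")

# The "stray debugging flag": harmless on a developer's machine, a
# credential leak once the build ships with it still set.
DEBUG_LOG = True


def mount_network_home(log, username, password, home_url):
    """Simulates mounting a network home. The verbose trace a developer
    added for debugging writes every argument, password included."""
    if DEBUG_LOG:
        log.info("DEBUGLOG | mountNetworkHome username=%s password=%s url=%s",
                 username, password, home_url)
    log.info("home mounted for %s", username)
    return f"{home_url} mounted for {username}"


class RedactCredentials(logging.Filter):
    """Handler filter that masks key=value pairs naming a credential.
    Putting the control here, rather than trusting every call site, means a
    forgotten debug flag can no longer write a password to disk."""

    def filter(self, record):
        record.msg = _CRED_RE.sub(r"\1=<redacted>", record.getMessage())
        record.args = ()
        return True


def make_logger(name, sink, redact):
    """Logger writing to `sink`; with redact=True the filter above is attached."""
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(name)s: %(message)s"))
    if redact:
        handler.addFilter(RedactCredentials())
    log.addHandler(handler)
    return log


def simulate_login(redact):
    """Run one login through the mounter and return what landed in the log."""
    sink = StringIO()
    name = "authorizationhost-redact" if redact else "authorizationhost"
    log = make_logger(name, sink, redact)
    mount_network_home(log, "eric", "Tr0ub4dor&3", "afp://server.example/Users/eric")
    return sink.getvalue()


# Constructed sample of what such a log might contain after the flaw shipped.
SAMPLE_SECURE_LOG = """\
May  6 10:01:12 mac1 authorizationhost[312]: DEBUGLOG | mountNetworkHome username=eric password=Tr0ub4dor&3 url=afp://server.example/Users/eric
May  6 10:01:13 mac1 authorizationhost[312]: home mounted for eric
May  6 10:05:44 mac1 authorizationhost[312]: DEBUGLOG | mountNetworkHome username=jane password=<redacted> url=afp://server.example/Users/jane
May  6 10:09:02 mac1 loginwindow[90]: Login Window Application Started
""".splitlines()


def find_credential_lines(lines):
    """1-based numbers of lines carrying an unredacted credential value.
    This is the scan an admin runs without knowing any user's password."""
    hits = []
    for number, line in enumerate(lines, 1):
        if any(m.group(2) != "<redacted>" for m in _CRED_RE.finditer(line)):
            hits.append(number)
    return hits


def find_secret_in_log(lines, secret):
    """1-based numbers of lines containing `secret` verbatim: the check a user
    runs to learn whether their own password is already on disk."""
    return [n for n, line in enumerate(lines, 1) if secret in line]


if __name__ == "__main__":
    print(simulate_login(redact=False))
    print(simulate_login(redact=True))
    print("unredacted credential lines:", find_credential_lines(SAMPLE_SECURE_LOG))
```

The point of the filter is placement: with the redaction in the handler, the `DEBUG_LOG` branch still runs but the password never reaches the file, so the fix does not depend on someone remembering to flip a flag before release. The two scans are the practical follow-up once a bug like this is disclosed: a user checks for their own password verbatim, an admin checks for any credential-shaped value and then rotates whatever turns up.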

Apple FileVault

As noted by Mr. Emery, the issue did not affect purchasers of new Lion systems, but might have affected many users of legacy systems who upgraded to Lion while keeping their older FileVault configuration.

With the Cryptome email, the media began to catch wind of Lion's penchant for plaintext password dumping, and Apple was forced into the awkward position of providing an "update" for its "feature".

Hence OS X 10.7.4 was born, and aired today to loyal Lion subscribers.  

The patch also "improves" other "features", such as no longer losing settings to the "reopen windows when logging back in" checkbox, and allowing "certain British third-party keyboards" to finally work.

Apple may still be living in the dark ages of security, but at least it has figured out not to store users' passwords in plaintext, even if it took the company three months of complaints.  On the plus side, the three-month turnaround is faster than past incidents in which Apple took up to a year to fix a security issue.

Comments

cheezy wording
By Argon18 on 5/10/2012 10:18:22 AM , Rating: -1
"and aired today to loyal Lion subscribers."

Does Microsoft air its service packs to "loyal Windows subscribers" then as well? The Microsoft ecosystem is far more broken than the Apple one. A single security flaw in OSX is headline news over here. For Microsoft? An unpatched flaw is just like any other day. In fact, there are currently 6 "critical" unpatched flaws in Windows 7. SIX of them! Like sitting ducks, all the Microsoft drones wait patiently, knowing there is nothing they can do until the great Steve Ballmer decides to get off his ass and issue yet another patch.

RE: cheezy wording
By HrilL on 5/10/2012 11:34:50 AM , Rating: 4
Let's see, Microsoft has an average 13-day security patch turnaround.

Apple doesn't seem to fix anything in less than 3 months and sometimes it takes a year.

Mac OS also doesn't automatically update so you'll never get their patches unless the user updates on a regular basis. Windows on the other hand updates as soon as Microsoft pushes the update.

Microsoft proactively supports the security community and works with them to fix security problems ASAP. Apple on the other hand sues security researchers and tries to send them to jail.

We can go on and on about how Microsoft's security is by far better than Apple's. But let's just look at the 3 years of Pwn2Own competitions. Apple loses first every time.

RE: cheezy wording
By matty123 on 5/10/2012 1:23:20 PM , Rating: 2
Isn't it funny then how other Apple fans will try and exclude Android from the more secure OSes (even though, following your logic, it's based on UNIX and therefore by default more secure).

In fact, if Android has shown anything, it's that UNIX-based systems are no more secure than any others; as long as there is a will and enough market share, malware inevitably crops up for a platform after a while.

Also, Microsoft does auto-update; you've got it the wrong way round. Auto-update is on by default and you wilfully have to go and turn it off.

The same logic also applies to Windows: don't install unknown sh*t and you won't get a virus. I have been running Windows for well over 12 years and the last time I got a virus was when I downloaded a game crack back in high school.
