Apple's OS X Lion update has left encrypted passwords for exposed for the past three months
PCMag reports that:
"Apple accidentally left a debug option on in FileVault, OSX’s legacy encryption software.
As a result, the login password of a user who had logged in since the update in early February, was saved in plain text in a log file outside the encrypted area. In other words, anyone with administrator access to your computer—which could be anyone if you never log out of your account—can read the file containing the password, and log into the encrypted part of your disk.
The vulnerability affects FileVault users who upgraded from Snow Leopard (OSX 10.6) to Lion 10.7.3, but did not migrate to FileVault 2, the full-disk encryption software that came with Lion.
Lion users should immediately activate FileVault 2, which can be found in the Security & Privacy setting in System Preferences. Click the FileVault tab to enable."
0 comments: