Apple makes another security blunder

Apple’s faith-based security has taken another hit over the weekend after one of its genius programmers left a debug flag in the most recent version of the Mac OS X operating system.

If you apply OS X Lion update 10.7.3, the process turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text which makes them jolly handy for future hackings.

It causes a problem for anyone who used FileVault encryption on their Mac prior to Lion, upgraded to Lion, but kept the folders encrypted using the legacy version of FileVault.

The flaw was spotted by security expert David Emery, who posted his findings to the Cryptome mailing list. Apple has not bothered to correct the problem in subsequent updates and appears to be adopting its traditional method of dealing with security problems. For those that came in late this involves sticking its fingers in its ears and going la la la, while encouraging its botnet trapped fanboys to scream loudly that they are more secure than Windows users.

Emery said that the problem is worse than it seems. The log in question can also be read by booting the machine into FireWire disk mode and opening the drive as an external disk, or by booting the new-with-Lion recovery partition and using the superuser shell it provides to mount the main file system partition and read the file.
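The practical question for an administrator who suspects a debug log has been capturing credentials is how to find out quickly, without themselves pasting the leaked passwords around. The script below is an added example, not code from the article or from Apple: it scans a log for lines that carry a credential in clear text, reports the line numbers and the key that leaked, and redacts the secret before printing anything. The log format, the sample lines and the placeholder path are all constructed here; the real file name and line layout of the Lion log are not given in the article and are not assumed.

```python
import re
import sys

# Constructed sample log lines (not real OS X output; the format is assumed).
SAMPLE_LOG = """\
May 06 10:01:22 host authd[123]: session opened for user alice
May 06 10:01:23 host helper[456]: DEBUGLOG | mounting home for alice | password = s3cretValue
May 06 10:02:01 host authd[123]: session opened for user bob
May 06 10:02:02 host helper[456]: DEBUGLOG | mounting home for bob | password = hunter2
May 06 10:05:00 host kernel[0]: disk2s2 mounted
"""

# Keys that, when followed by a value, indicate a credential was logged in clear text.
CREDENTIAL_PATTERN = re.compile(
    r'\b(password|passwd|pwd|secret|passphrase)\s*[=:]\s*(\S+)', re.IGNORECASE
)


def find_credential_leaks(lines):
    """Return a list of (line_no, key, redacted_line) for every suspect line.

    The secret value itself is never kept: it is replaced with <REDACTED>
    so the report can be shared without re-leaking the password.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = CREDENTIAL_PATTERN.search(line)
        if match:
            redacted = line[:match.start(2)] + "<REDACTED>" + line[match.end(2):]
            findings.append((line_no, match.group(1).lower(), redacted.rstrip("\n")))
    return findings


def scan_log_file(path):
    """Scan a log file on disk; path is supplied by the caller (placeholder in usage)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_credential_leaks(fh)


if __name__ == "__main__":
    # Usage: python scan_log.py /path/to/suspect.log   (placeholder path)
    # With no argument the constructed sample above is scanned instead.
    if len(sys.argv) > 1:
        results = scan_log_file(sys.argv[1])
    else:
        results = find_credential_leaks(SAMPLE_LOG.splitlines())
    for line_no, key, redacted in results:
        print(f"line {line_no}: '{key}' logged in clear text -> {redacted}")
    print(f"{len(results)} suspect line(s) found")
```

Finding a hit is only half the job: because the article notes the same file is readable from FireWire disk mode or the recovery partition, a positive result means the affected users' passwords should be treated as exposed and rotated, and the log itself securely removed, rather than simply truncated in place.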

It means that anyone with the machine in their hands can break into its encrypted partitions even without having any idea of the login passwords, making that whole encryption thing redundant.

If businesses were dumb enough to place their faith in the FileVault feature they could have just handed over all their business information to hackers. Fortunately few companies, outside the creative industry, have based their networks on Apple’s security systems.