New Problem for Old FileVault users

New Problem for Old FileVault users

Jeffrey Goldberg by Jeffrey Goldberg on

New Problem for Old FileVault users

If you have been using Apple’s FileVault to encrypt your home folder on OS X, read on. There is an important security bug and action you should take. This is an Apple security issue that does not affect 1Password 3 or Knox for Mac, but it is an important enough issue that I’m announcing it here.

This only affects those who had set up FileVault to encrypt their Home Folders (not the entire disk) prior to OS 10.7 (Lion) and have since upgraded to Lion 10.7.3. If you don’t use FileVault, or if you use FileVault to encrypt your entire disk, all is fine on your system.

Very simply, if you use FileVault on your Home Folder (something that can only be set up prior to OS X 10.7) then a bug in OS X 10.7.3 is logging your OS X login password in system logs. This is described in an article on ZDNet’s Zero Day Blog.

If you are among the affected users, then you should:

  1. Go to System Preferences > Security > FileVault and change your settings to encrypt the entire disk. That is, you should use the much improved FileVault in OS X Lion.
  2. Change your OS X Login Password through account preferences

There will be other concerns as well, as your old password (usable for decrypting Time Machine backups) may still be available to other administrator users on your system. This typically isn’t a concern for home users, but it can be important for Mac in an office environment.

As David Emery, a discoverer of this problem, said in his report.

carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open … Nobody breaks encryption by climbing the high walls in front when the garden gate is open for millions of machines.

Principal Security Architect

Jeffrey Goldberg - Principal Security Architect Jeffrey Goldberg - Principal Security Architect

Tweet about this post