You scream, I scream, we all scream for Apple security updates!

by Jeffrey Goldberg

I’ve been talking a lot lately about the importance of keeping systems up to date and the role this plays in keeping malware at bay. I even suggested that Mac users are particularly good at keeping their systems up to date. So if you’re on OS X 10.6 Snow Leopard or 10.7 Lion, please help prove me right by running Software Update now.

Apple has released a big update from OS X 10.7.3 to 10.7.4, which includes many important security fixes, among them a fix for the FileVault issue we talked about a few days ago. The security update is also available for those running 10.6.8 (Snow Leopard). Among the many important security updates are fixes for Safari, WebKit (used by Safari and much, much more), Bluetooth, and QuickTime.

Unsupported systems are unsupported

If, for some reason, you are using an older, unsupported, version of Mac OS X such as Leopard (OS X 10.5) or Tiger (10.4), your system is unprotected. As I explained last week, the large majority of security flaws that get exploited by malware are things that people could have avoided if only they kept their systems up to date.

On a similar note, Mozilla, the makers of Firefox, stopped support for Firefox 3.6 in April. Running the updater from within Firefox 3.6 should bring you to the current version, Firefox 12. Our modern 1Password extension for Firefox uses the same powerful and flexible design that we have for Safari and Chrome; and it makes future browser upgrades a breeze.

Home Folders, FileVault, and passwords

New Problem for Old FileVault users

One of the things that the OS X update fixes is the aforementioned FileVault problem. If your system was set up in such a way that your login password was needed for your Home Folder to get loaded by the system, your login password may have been written to system logs in plain text. The most typical way for this to happen is if you had configured FileVault to encrypt your Home Folder back before OS X 10.7 (Lion) and upgraded your way to 10.7.3.

The same problem may also occur if your Home Folder is mounted from a network server. This is because the actual bug was not in FileVault itself, but in the system component that uses your login password to mount your Home Folder. Anyone with administrator powers on affected Macs could simply read everyone’s login password from the logs.

You might think that, if someone has administrative powers, it doesn’t matter if they also have your login password for your Mac. As usual, things are not that simple. It does matter if others get ahold of your login password, even if they already have administrative power on the Mac you use. First, many people reuse passwords, so an attacker who learns your login password could use it to compromise your other accounts. Second, your login password is also used to encrypt your OS X login keychain, which holds things like the passwords that Mail.app, iCloud, iChat, Safari, and many other apps store there. An attacker with administrative powers, but without your login password, cannot get at that information. But they can if they have your login password.

There are three things that affected users need to do:

  1. Run Software Update to prevent any further logging of passwords
  2. Change your login password through System Preferences > Users & Groups
  3. Remove old system logs that contain the old password by following the instructions in Apple’s support document on removing sensitive information from system logs. (Editor’s note: this support document is no longer available)
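Two small checks for steps 1 and 3, as an added example that is not code from the original post or from AgileBits: the first classifies an OS X version string against the releases named above (10.7.4 carries the fix in the OS update itself; 10.6.8 gets it through a separate security update, so the version number alone cannot confirm it; 10.5 and earlier will never be fixed), and the second reports which line numbers of a log file still contain your old password, without ever printing the password itself, so you can confirm the log cleanup actually worked. The log lines, host name, user name and password in the demo are all constructed for illustration; nothing in them reproduces Apple’s real log format.

```shell
#!/bin/sh
# Added example (not from the original post or from 1Password/AgileBits).
# Two defender-side checks for the remediation steps:
#   update_status VERSION          -> where step 1 leaves you, from the OS X version
#   password_lines_in_log FILE PW  -> line numbers in FILE that still contain PW
#                                     (step 3 verification); PW is never printed
# All sample data below (log lines, host, user, password) is constructed.

# Turn "10.7.4" into a single integer (10007004) so versions compare numerically.
version_key() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Succeeds when version $1 is at least version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Classify an OS X version against the releases the post names:
#   fixed                  10.7.4 or later: the fix is in the OS update itself
#   needs-update           10.7.0 - 10.7.3: run Software Update to reach 10.7.4
#   needs-security-update  10.6.x: the fix ships as a separate Security Update for
#                          10.6.8, so a version number alone cannot confirm it
#   unsupported            10.5 and earlier: no fix will ship
update_status() {
    if version_ge "$1" 10.7.4; then echo fixed
    elif version_ge "$1" 10.7.0; then echo needs-update
    elif version_ge "$1" 10.6.0; then echo needs-security-update
    else echo unsupported
    fi
}

# Print the line numbers of lines in $1 that contain the password $2 verbatim.
# -F makes it a fixed-string search, so '&', '.' or '*' in a password stay literal.
# For real use, read the password from a prompt rather than typing it on the
# command line, so it does not land in your shell history (another log of sorts).
password_lines_in_log() {
    grep -n -F -- "$2" "$1" | cut -d: -f1
}

# Demo on a constructed log: four made-up lines, two of which carry the made-up
# password. Prints how many lines matched (2).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
May 10 09:12:01 demo-mac kernel[0]: constructed sample line, nothing sensitive
May 10 09:12:05 demo-mac example-mounter[321]: constructed sample: mounting home for alice, pw=Tr0ub4dor&3
May 10 09:12:07 demo-mac loginwindow[55]: constructed sample: login alice ok
May 10 09:12:09 demo-mac example-mounter[321]: constructed sample: retry with Tr0ub4dor&3
EOF
    password_lines_in_log "$tmp" 'Tr0ub4dor&3' | wc -l | tr -d ' '
    rm -f "$tmp"
}

# `sh thisfile.sh --run` reports the status of the current machine when
# sw_vers is available (macOS) and then runs the demo.
if [ "${1:-}" = "--run" ]; then
    command -v sw_vers >/dev/null 2>&1 && update_status "$(sw_vers -productVersion)"
    demo
fi
```

To check a real log after step 3, call `password_lines_in_log /path/to/log "$OLD_PASSWORD"` with the variable filled from a prompt; an empty result means the old password no longer appears in that file.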

It’s great that Apple was able to fix this quickly. The error really was an embarrassing blunder. But while this particular fix may be getting the headlines, there are many other important security fixes. Don’t for a moment think that you can skip it just because you aren’t affected by that specific bug.

Jeffrey Goldberg, Principal Security Architect