You scream, I scream, we all scream for Apple security updates!

I’ve been talking a lot lately about the importance of keeping systems up to date and the role this plays in keeping malware at bay. I even suggested that Mac users are particularly good at keeping their systems up to date. So if you’re on OS X 10.6 Snow Leopard or 10.7 Lion, please help prove me right by running Software Update now.

Apple has released a big update from OS X 10.7.3 to 10.7.4, which includes many important security fixes, among them a fix for the FileVault issue we talked about a few days ago. The security update is also available for those running 10.6.8 (Snow Leopard). Among the many important security updates are fixes for Safari, WebKit (used by Safari and much, much more), Bluetooth, and QuickTime.

Unsupported systems are unsupported

If, for some reason, you are using an older, unsupported version of Mac OS X such as Leopard (OS X 10.5) or Tiger (10.4), your system is unprotected. As I explained last week, the large majority of security flaws that get exploited by malware are things that people could have avoided if only they kept their systems up to date.

On a similar note, Mozilla, the makers of Firefox, stopped support for Firefox 3.6 in April. Running the updater from within Firefox 3.6 should bring you to the current version, Firefox 12. Our modern 1Password extension for Firefox uses the same powerful and flexible design that we have for Safari and Chrome; and it makes future browser upgrades a breeze.

Home Folders, FileVault, and passwords

One of the things that the OS X update fixes is the aforementioned FileVault problem. If your system was set up in such a way that your login password was needed for your Home Folder to get loaded by the system, your login password may have been written to system logs in plain text. The most typical way for this to happen is if you had configured FileVault to encrypt your Home Folder back before OS X 10.7 (Lion) and upgraded your way to 10.7.3.

The same problem may also occur if your Home Folder is mounted from a network server. This is because, even under these circumstances, the actual bug was not in FileVault itself, but in the system that handles using login passwords for mounting Home Folders. Anyone with administrator powers on affected Macs could simply read everyone’s login password.

You might think that, if someone has administrative powers, it doesn’t matter if they also have your login password for your Mac. As usual, things are not that simple. It does matter if others get ahold of your login password, even if they already have administrative power on the Mac you use. First, there is the fact that many people reuse passwords like this (so they could compromise your other accounts), but your login password is also used to encrypt your OS X keychain. This includes things like passwords that Mail.app, iCloud, iChat, Safari, and many other apps may store in your OS X login keychain. An attacker with administrative powers, but without your login password, cannot get at that information. But they can if they have your login password.

There are three things that affected users need to do:

  1. Run software update to prevent any further logging of passwords
  2. Change your login password through System Preferences > Users & Groups
  3. Remove old system logs that contain the old password by following the instructions in Apple’s support document on removing sensitive information from system logs.
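A way to verify step 3, added here as an example (it is not from the original post or from Apple's support document): the script reports which files under a log directory still contain the old password, including gzip or bzip2 rotated copies, without ever printing the matching lines. The directory is a caller-supplied argument because the post names no log path, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Apple's procedure: report which log files still contain
# a secret. The directory to scan is supplied by the caller (an assumption).

# Succeeds if stdin contains $NEEDLE as a literal substring. The secret is
# passed in the environment, not argv, and matching lines are never printed.
contains_secret() {
  awk 'index($0, ENVIRON["NEEDLE"]) { hit = 1; exit } END { exit !hit }'
}

# Checks one file, unpacking gzip/bzip2 rotated logs in memory.
file_has_secret() {
  case "$1" in
    *.gz)  gzip  -dc -- "$1" 2>/dev/null | contains_secret ;;
    *.bz2) bzip2 -dc -- "$1" 2>/dev/null | contains_secret ;;
    *)     contains_secret < "$1" ;;
  esac
}

# find_leaky_logs DIR SECRET: print each file under DIR that contains SECRET.
# Runs in a subshell so the exported secret never reaches the caller's shell.
find_leaky_logs() (
  NEEDLE=$2
  export NEEDLE
  [ -n "$NEEDLE" ] || { echo "refusing to search for an empty string" >&2; exit 2; }
  find "$1" -type f | while IFS= read -r f; do
    if file_has_secret "$f"; then printf '%s\n' "$f"; fi
  done
)

# Interactive use: ./script DIR. The prompt disables echo so the password
# appears neither on screen nor in shell history.
if [ $# -eq 1 ] && [ -t 0 ]; then
  printf 'Old login password: ' >&2
  stty -echo; IFS= read -r secret; stty echo; echo >&2
  find_leaky_logs "$1" "$secret"
fi
```

Run it with administrator rights so protected logs are readable, and run it again after removing the reported files; an empty result means no remaining copy was found in that directory.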

It’s great that Apple was able to fix this quickly. The error really was an embarrassing blunder. But while this particular fix may be getting the headlines, there are many other important security fixes. Don’t for a moment think that you can skip it just because you aren’t affected by that specific bug.

New Problem for Old FileVault users

If you have been using Apple’s FileVault to encrypt your home folder on OS X, read on. There is an important security bug and action you should take. This is an Apple security issue that does not affect 1Password 3 or Knox for Mac, but it is an important enough issue that I’m announcing it here.

This only affects those who had set up FileVault to encrypt their Home Folders (not the entire disk) prior to OS 10.7 (Lion) and have since upgraded to Lion 10.7.3. If you don’t use FileVault, or if you use FileVault to encrypt your entire disk, all is fine on your system.

Very simply, if you use FileVault on your Home Folder (something that can only be set up prior to OS X 10.7) then a bug in OS X 10.7.3 is logging your OS X login password in system logs. This is described in an article on ZDNet’s Zero Day Blog.

If you are among the affected users, then you should

  1. Go to System Preferences > Security > FileVault and change your settings to encrypt the entire disk. That is, you should use the much improved FileVault in OS X Lion.
  2. Change your OS X Login Password through account preferences

There will be other concerns as well, as your old password (usable for decrypting Time Machine backups) may still be available to other administrator users on your system. This typically isn’t a concern for home users, but it can be important for Macs in an office environment.

As David Emery, a discoverer of this problem, said in his report:

carefully built crypto has an unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open … Nobody breaks encryption by climbing the high walls in front when the garden gate is open for millions of machines.