Users of the Lion version of Mac OS X will probably want to update their log-in passwords.
Security researcher David Emery warns of a new vulnerability involving the FileVault feature in Mac OS X Lion, version 10.7.3, which allows for encryption of certain directories. He writes:
Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system-wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree ("legacy Filevault").
The log in question is kept by default for several weeks…
Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012.
Oy. It has to be said: this couldn't have happened when Steve Jobs was alive.