Apple’s Lion Security Hole Could Be A Wider Issue Than Just FileVault?

As you may have seen over the weekend, someone has discovered a security hole in FileVault, which arose with the OS X Lion security update, version 10.7.3, back in February: FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.

The hole was apparently spotted by someone back in February, although it was most publicly first pointed out by security consultant David Emery on the Cryptome blog a few days ago and the rest of the blogosphere has run with it.

Now, it appears that the problem could be bigger than previously thought: it turns out that the developer who first noticed the hole back in February has discovered that it exists outside of FileVault, too, with at least one other company’s security encryption software, Lion VM, from VMWare Fusion, showing the same behavior.

From earlier this morning, he wrote, in answer to his own thread started in February:

I’m not sure if I can support the assumption that this is an error in filevault.

I’ve just tried logging in as an network user in an newly setup and updated Lion VM (VMware Fusion) and run into the same behavior. Filevault was never active on this system.

Can someone with the following environment please verify:

– OpenDirectory users with Network Home on AFP

– Lion (10.7.3) Clients

– Snow Leopard or Lion Server

Steps:

– Setup a new machine, or use one that never had filevault enabled

– Login as a (unprivileged!) network user with a Network Home on an AFP share

– logout, login as an admin user

– Check “Console” for log messages containing the string “_premountHomedir”

Please help to get to the bottom of this!

The security hole, as it exists in Apple’s own FileVault (and potentially other) encryption software, means that passwords for the encrypted part of a person’s computer are revealed in plain text to a user who knows where to look. As Sophos’ Naked Security blog notes:

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

That is yet another reminder of how, although we hear a lot about passwords needing to be   cryptic enough, ultimately if the encryption falls down on implementation, those passwords will be useless anyway. “How products store, manage and secure keys and passwords is the most common failure point in assuring data protection,” Chester Wisniewski of Sophos points out.

The advice he gives is to upgrade to a full-disc solution, such as FileVault 2 or another, and also to change your passwords if you’re a FileVault user.

It’s not clear how many users have been affected by this security flaw, which follows on another security mishap for Apple last month, when 600,000 Macs were apparently recruited into a botnet after a security update for Java was delayed in its release.

Apple’s been working for some time on improving the security of its operating systems — partnering with the security community to advance that aim — but as the company’s ubiquity continues to grow this will become even more urgent an issue.

We have contacted Apple for a response to this story and will update as we learn more.