Another reminder that Macs are not immune from security issues: researchers have discovered that Apple's own FileVault encryption system store the password for that system in a plain-text file, making it potentially vulnerable to attack.
Compared to the recent Flashback malware, which hit an estimated 600,000 Macs, this particular issue is (relatively) minor. Sophos' Naked Security blog explains the issue, which was discovered by researcher David Emery. Emergy found that users who had upgraded from Snow Leopard to Lion and who use FileVault to encrypt their home directory but not their entire disk had their password stored in a plain text file which wasn't encrypted. (The option to use FileVault to encrypt the entire disk, which you can see in the above screenshot, was introduced in Lion. If you've done that, you won't be affected by this issue.)
Keeping passwords in a plain-text file is bad practice, since that makes it easy for malicious software to extract password information. So far, there don't seem to be any reports of malicious code trying to exploit the flaw, but that doesn't mean that someone won't be trying fairly quickly.
Given that this affects the previous version of Mac OS X and that many (I'd guess most) Mac users don't use encryption anyway, this problem is not likely to impact enormous numbers of people. However, in an age where many security attacks are aimed at very small businesses or individuals, it's still a potential issue. And there are several worthwhile lessons we can draw from this, whatever platform we use:
- While encryption is a great way to keep your data private, it's essentially meaningless if the encryption password can be easily accessed.
- This problem would be magnified if you used the same password for encryption as you do for other sites or applications. Good security practice requires different passwords for different apps, as annoying as that is. (Check out our list top 10 password mistakes to avoid for more tips.)
- Using a relatively current operating system and ensuring that it is patched remains a key element of your security approach. However, patching isn't a universal panacea: this bug actually appeared in the most recent security Lion security update.
- No-one — not Apple, not Microsoft, not Google, not the open-source community — writes software that is free from bugs and potential security loopholes. That's life in the modern world.
Apple update to OS X Lion exposes encryption passwords [Naked Security]