If April was bad for Apple on the security front, May seems to offer little respite. Reports indicate of a possible oversight on Apple engineers' behalf that potentially exposes the user's password in clear-text.
The problem is related to FileVault, the file encryption technology that ships with Apple's Mac operating system, specifically Macs using the FileVault encryption version that shipped pre-Lion. According to David I Emery, who reported the issue on a mailing list
, every time the user's FileVault protected home-directory is mounted via the network, the user's password in logged to a file in clear-text.
This type of logging is common when developers are testing code internally, but shipping this in production or user-facing code is unacceptable. This log file, and thus the password, is accessible to any user with root or admin privileges. With access to the password, the root or admin user can now see contents of the user's FileVault encrypted folder.
The issue, first reported on May 5th, affects Mac users who moved their FileVault encrypted folders to Lion from legacy versions of Mac OS X. Users utilizing Lion's Filevault 2 (whole disk encryption) remain unaffected.
As per Emery, the bug was introduced with Mac OS Lion 10.7.3 update in early February. Apple has not released any comment confirming or denying the problem till date.
April saw over 550,000 Macs affected by Flashback trojan
, with Apple scrambling to check the spread and release a fix
. Later security major Trend Micro released a damning report
, citing Apple's poor security record in Q1 2012.