Well, that was close. It seems that Apple — after scrambling to patch 36 major security vulnerabilities in Mac OS X — fixed big leaks that revealed passwords used to encrypt folders with an older version of File Vault.
Apple’s latest update to Mac OS X Lion allegedly contained an error that revealed the passwords for material stored in the first version of File Vault, the company’s encryption technology.
What this means is that, for File Vault users who updated their Mac to OS X Lion version 10.7.3, the update switched on a debug log file that exposed, in unencrypted text, the File Vault passwords of anyone who has logged in since the device was updated.
As security researcher David Emery told InfoWorld last week, before the security holes were plugged:
“A mistake like this exposes more or less the keys to the kingdom to someone with literally no access to a supposedly secured area on a machine, and maybe nothing more than chance physical access to a target’s laptop for a few unguarded minutes.”
According to an official update from the folks at Apple:
“The login process recorded sensitive information in the system log, where other users of the system could read it. The sensitive information may persist in saved logs after installation of this update. This issue only affects systems running OS X Lion v10.7.3 with users of Legacy File Vault and/or networked home directories. See http://support.apple.com/kb/TS4272 for more information about how to securely remove any remaining records.”