Report: security glitch exposes Mac OS X passwords

Posted by Xeni Jardin, February 28, 2008 3:27 PM |

Declan McCullagh reports at News.com that....

Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account.

The vulnerability arises out of a programming error that stores the account password in the computer's memory long after it's needed, meaning it can be retrieved and used to log into the computer and impersonate the user.

"This is a real problem and it needs to be fixed," said Jacob Appelbaum, a San Francisco-area programmer who discovered the vulnerability and reported it to Apple. He said he disagreed with the company's response: "They won't put it in the latest security update or release a security update just for this issue."

Appelbaum is one of the team of researchers who published a "cold boot" paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple's FileVault, Windows Vista's BitLocker, and a number of open-source ones.

Link. Image: "Rebooting the target MacBook in a studio at CNET on Second Street in San Francisco. From left to right: Paul, Schoen, Appelbaum, and [Declan McCullagh].

Update: All of the technical details are here on bugtraq.

posted in: Safety
Favorite this! ( 3 )
Send this to a Friend
Older Billboard Liberation Front: video of last night's hit
Newer TED 2008: Philip Zimbardo on The Lucifer Effect in Action

Discussion

Take a look at this
#1 posted by Moon , February 28, 2008 3:32 PM

But it still didn't get hacked because NOBODY CARES!

Hahahaha! Just kidding, Mac folk!

:D

Take a look at this
#2 posted by Dean Author Profile Page, February 28, 2008 3:37 PM

Yeah, that's all well and good, but how about the issue of being able to completely change the ownership of the computer and make a new administrator account? Here's a link to a post on my old blog where I show you how to do just that: http://mustardhamsters.blogspot.com/2007/07/create-new-administrator-user-in-mac-os.html I'll do a rewrite with a video of this on my main blog if you want.

Physical access to a computer can get you almost anywhere. You should make sure to have an open firmware password set, and to always log out or sleep your computer with password protection when you're away. Most Mac users don't set up password protection correctly, and almost no one has an open firmware password set. It takes less than 10 minutes to completely change the ownership of the computer using my method, probably closer to 5. This actually forced the Maine Laptop Initiative to change their distribution protocols for their most recent run of laptops.

Take a look at this
#3 posted by Teresa Nielsen Hayden / Moderator Author Profile Page, February 28, 2008 3:56 PM

Moon, I'd like to feel that we've transcended "your OS sucks" arguments.

Take a look at this
#4 posted by Takuan , February 28, 2008 4:00 PM

can we go back to "Mac users are stoopid!"

Take a look at this
#5 posted by geo the moose , February 28, 2008 5:17 PM

yup, you can't hack a mac, right?-ha-ha-HA-ha-ha

Take a look at this
#6 posted by MITTZNZ , February 28, 2008 5:24 PM

His name is "Appelbaum." Huh. Huh Huh.

Take a look at this
#7 posted by noen , February 28, 2008 6:19 PM

Good idea Apple, close your eyes and pretend it will just go away.

Take a look at this
#8 posted by haineux , February 28, 2008 6:31 PM

Apparently Applebaum is annoyed because he showed Apple the exploit on Feb 5 and they didn't fix it in a security update released on Feb 11.

Um, yeah. RIght. Fix an OS in 6 days.

The module with the security hole is called "loginwindow." It is the "parent process" of everything associated with the logged-in user, ie., about 90% of the stuff running on the computer.

Even if the security hole is fixable in 6 days, I certainly would NOT want Apple to release a fix without adequate testing. 6 days is not enough time.

Applebaum has very unreasonable expectations.

Take a look at this
#9 posted by haineux , February 28, 2008 6:42 PM

Wait. It's clear that CNet misrepresents Applebaum by stating that he was upset with Apple's response. In his article detailing the 'sploit on www.securityfocus.com he states he was happy working with Apple.

He does note that he saw his bug in Apple's database was marked as a dupe of a MUCH older bug, leading him to be a bit snippy about what's been holding up a fix....

Take a look at this
#10 posted by Cowicide Author Profile Page, February 28, 2008 10:23 PM

I hope and pray some my business competition either switches to or stays with Windows because of this. Mac's suck, don't use them!

Take a look at this
#11 posted by minamisan , February 29, 2008 2:26 AM

grow up guys: this is Boingboing, not Slashdot.

Take a look at this
#12 posted by gregburkman , February 29, 2008 6:52 AM

nothing will happen again.

Take a look at this
#13 posted by Anonymous , February 29, 2008 3:34 PM

If you have access to the computer, Mac or PC, you can change the password with the install disc, by design. It is remote hacking that is dangerous, and difficult to achieve on a a mac but child's play on a windows machine.

Post a comment

Anonymous