If you’re buddies with any malicious cyber geeks or hackers, think twice before letting them hop on your Mac: a security glitch that exposes the OS X password of a Mac to someone with physical access to it has been confirmed by Apple. Oops.
The vulnerability, discovered by San Francisco-area programmer Jacob Appelbaum, arises out of a programming error that keeps the account password in the Mac’s memory long after it’s needed, allowing it to be retrieved and used to log into the computer by unsavory types.
“This is a real problem and it needs to be fixed,” said Appelbaum, who reported the issue to Apple. Apparently, Apple’s response was far from stellar: “They won’t put it in the latest security update or release a security update just for this issue.”
I don’t grant physical access to my Mac to many people, and the ones who do use it every so often wouldn’t have the know-how or intent to take my password. Nevertheless, this is still a big deal; your OS X password should never be at risk of being compromised. I hope as this story circulates, Apple will be pressured to address this issue with haste.
[Via boingboing]
MacUser is your source for news, info, and opinion about Apple, the Mac, and the iPod. Our dedicated team of bloggers covers everything that is relevant to Mac users — and, okay, some stuff that’s not quite relevant, but is still a lot of fun.
Sounds like a HUGE problem in a lab environment.
It sounds more dire than it really is. The memory is protected. For software alone to retrieve the password you need admin access. The problem is that you can also reach the memory with DMA access, but that requires someone to plug in a hardware device with special software on it. That is not a common scenario. Apple needs to fix this but it isn't currently a large risk.
I think it's worth linking to the original article and crediting News.com with this one:
http://www.news.com/8301-10784_3-9881870-7.html
What this should demonstrate is that the instructions on how to achieve this are very much in the open now and therefore this is a hole that needs to be fixed ASAP.
Given this and the other exploit recently exposed for breaking into FileVault by extracting the DRAM chips from the computer, hardware manufacturers should start looking at ways to erase the contents of memory as part of the shutdown process.
This is a huge issue as most new Mac users run with the default account they created when they started their Mac for the first time. That account does have Administrator rights. Also, when users take their Mac to be serviced they are often asked for the Administrator account password. Do you really trust a Mac "genius" with your Mac in the back room?
This is a security issue that needs to be addressed NOW!
Mac users are way too lax (and smug) when it comes to computer security.
Who is being smug? I said that Apple needs to fix it but the hand wringing is overdone. It is not that large of a risk. So someone who you give admin rights to on your computer can get admin rights on your computer?
Shut down your computer and wait 20 minutes before handing it over to be serviced. Problem solved.
Just having a login with admin rights is not enough to read the memory with software alone. You need the password so you can get root.
I would never take security issues lightly but I also inform myself on the details. This one is not a big deal for most users. If that sounds smug to you, so be it.
@James Bailey
I'm not sure if there is a misunderstanding here but the exploit allows someone to obtain your user account name and password using only another computer and an ethernet cable but does also require the target computer to be turned on or asleep. The job takes only a couple of minutes to do and most of that can be done "off-line" as you look through the memory dump to find the account name and password.
For the servicing of the computer you are entirely correct that you should shut down the computer completely in advance of handing it over. However, I am more concerned about this exploit in the context of an office or other "open" environment with many people and where you often walk away from your computer while it is still on. The requirement for physical access means this is not going to be a major issue but it is clear that if someone wanted access to your computer's data they can get it pretty easily.