Report: security glitch exposes Mac OS X passwords
Declan McCullagh reports at News.com that....
Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account.Link. Image: "Rebooting the target MacBook in a studio at CNET on Second Street in San Francisco. From left to right: Paul, Schoen, Appelbaum, and [Declan McCullagh].The vulnerability arises out of a programming error that stores the account password in the computer's memory long after it's needed, meaning it can be retrieved and used to log into the computer and impersonate the user.
"This is a real problem and it needs to be fixed," said Jacob Appelbaum, a San Francisco-area programmer who discovered the vulnerability and reported it to Apple. He said he disagreed with the company's response: "They won't put it in the latest security update or release a security update just for this issue."
Appelbaum is one of the team of researchers who published a "cold boot" paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple's FileVault, Windows Vista's BitLocker, and a number of open-source ones.
Update: All of the technical details are here on bugtraq.
the latest
latest episodes
But it still didn't get hacked because NOBODY CARES!
Hahahaha! Just kidding, Mac folk!
:D
Yeah, that's all well and good, but how about the issue of being able to completely change the ownership of the computer and make a new administrator account? Here's a link to a post on my old blog where I show you how to do just that: http://mustardhamsters.blogspot.com/2007/07/create-new-administrator-user-in-mac-os.html I'll do a rewrite with a video of this on my main blog if you want.
Physical access to a computer can get you almost anywhere. You should make sure to have an open firmware password set, and to always log out or sleep your computer with password protection when you're away. Most Mac users don't set up password protection correctly, and almost no one has an open firmware password set. It takes less than 10 minutes to completely change the ownership of the computer using my method, probably closer to 5. This actually forced the Maine Laptop Initiative to change their distribution protocols for their most recent run of laptops.
Moon, I'd like to feel that we've transcended "your OS sucks" arguments.
can we go back to "Mac users are stoopid!"
yup, you can't hack a mac, right?-ha-ha-HA-ha-ha
His name is "Appelbaum." Huh. Huh Huh.
Good idea Apple, close your eyes and pretend it will just go away.
Apparently Applebaum is annoyed because he showed Apple the exploit on Feb 5 and they didn't fix it in a security update released on Feb 11.
Um, yeah. RIght. Fix an OS in 6 days.
The module with the security hole is called "loginwindow." It is the "parent process" of everything associated with the logged-in user, ie., about 90% of the stuff running on the computer.
Even if the security hole is fixable in 6 days, I certainly would NOT want Apple to release a fix without adequate testing. 6 days is not enough time.
Applebaum has very unreasonable expectations.
Wait. It's clear that CNet misrepresents Applebaum by stating that he was upset with Apple's response. In his article detailing the 'sploit on www.securityfocus.com he states he was happy working with Apple.
He does note that he saw his bug in Apple's database was marked as a dupe of a MUCH older bug, leading him to be a bit snippy about what's been holding up a fix....
I hope and pray some my business competition either switches to or stays with Windows because of this. Mac's suck, don't use them!
grow up guys: this is Boingboing, not Slashdot.
nothing will happen again.
If you have access to the computer, Mac or PC, you can change the password with the install disc, by design. It is remote hacking that is dangerous, and difficult to achieve on a a mac but child's play on a windows machine.