How to manage the FileVault password hole in OS X 10.7.3
A bug in OS X 10.7.3 exposes legacy FileVault users, but there are some workarounds to prevent this from happening.
Topher KesslerMacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
A security hole has recently been found in the latest version of OS X 10.7.3, through which a user's password may be written to a log file in plain text if that person is using the older legacy FileVault data encryption technology from past versions of OS X.
While the hole may be a problem for a certain group of people who still use the legacy encryption scheme, there are several things that can be done about it.
The hole happened when an Apple software engineer apparently left a debugging flag enabled in the production release of OS X 10.7.3, which allowed the passwords to be logged for people who use the legacy FileVault home folder encryption scheme.
The older FileVault technology in OS X encrypted a user's home folder and left the rest of the system unencrypted, but in the Lion version of the operating system, Apple replaced FileVault with a full-disk encryption option dubbed "FileVault 2." However, for compatibility Apple still supports the legacy FileVault that was enabled on upgraded accounts, though any new enabling of FileVault will require the use of FileVault 2.
This security hole will not affect any user who has purchased a new system with Lion on it, or who has formatted their old system and installed Lion fresh. The security hole will only affect people who upgraded from Snow Leopard who kept using their legacy FileVault setups and who have have then upgraded to the latest OS X 10.7.3. Without these requirements, the passwords for user accounts are not logged by the bug, and are safe.
If your system is one of these, then there are several things you can do to work around this bug:
Check for FileVault usage
In your account, go to the "Security & Privacy" system preferences. When you do this, a warning stating "You're using an old version of FileVault" will appear if your account is using the legacy FileVault technology. Additionally, you can go to the Macintosh HD > Users directory and see if any home directories for accounts other than your own look like disk image files (as opposed to folders). This will let you know which accounts on the system are using the legacy FileVault technology.
Disable or Update FileVault
If any accounts are using the legacy FileVault, then you can disable it. To do this, log in with the account and access the Security system preferences, followed by clicking the option to disable FileVault.
In addition to disabling FileVault, you can re-enable it to turn on Apple's new FileVault 2 encryption scheme that is not affected by this bug. FileVault 2 is also more stable and secure than the original FileVault.
You can enable FileVault 2 on the system with the legacy FileVault enabled for specific user accounts; however, this will not provide full protection from this bug. While enabling FileVault 2 will prevent access to the logged passwords from external sources (such as booting the system to Target Disk mode or removing the hard drive), it will not prevent another admin user on the system from accessing the system logs and reading the password.
Change your password
The final step once you have secured your system, either by only disabling the legacy FileVault or by optionally enabling FileVault 2, is to change your password. While you can try scouring the system logs for instances of your old password and removing them, the easiest option is to simply change your password.
An additional approach to this is to simply clear out all system logs, since logs are temporary files that will be replaced as you use the system, and which are not required for running the system. To do this, open the Terminal utility (in the /Applications/Utilities/ folder) and run the following two commands:
This approach will clear out all the logs in the system, which in some cases might not be desired. Therefore, you can more specifically remove instances of the "secure.log" file that contain the passwords by running the following commands instead:
These steps are also conditionally optional. If you have enabled FileVault 2 to replace the legacy version and you are the only admin user of your machine, then there is no need to change your password as all files contained in it (even those that store passwords as plain text) will be encrypted when you shut down your system.
Lets hope Apple addresses this issue promptly with a security update that both closes the security hole from the debugging code, and also removes the log files that contain instances of user passwords.