3 Replies Latest reply: May 11, 2012 2:45 AM by Graham Perrin
llee Level 1 (100 points)

This article states that Lion 10.7.3 users are possibly affected by a compromise of their passwords whether or not FileVault has been used, doesn't it?

  • Llessur999 Level 4 (1,190 points)

    Per the first sentence, this impacts users who either use Legacy FileVault or have home folders mounted via NFS, AFP, or SMB.  If you don't fall in either category, no issue.


    Per the second sentence, the logs these plain-text passwords are stored in may have been copied to backups (not Time Machine) or to syslog servers.


    Link to TS4272 to save readers the trouble of finding it.


  • llee Level 1 (100 points)

    I didn't use FileVault, but my home folder was mounted by myself through AFP using other Macs on my network. Should I interpret the article to mean that the password may be stored in plain text on the Mac that hosted the home folder through AFP, or that the password may be stored in plain text in log files of any of the Macs that were used to access the home folder through AFP, or that the password might appear in clear text in the log files of any of those computers, whether hosting or accessing the home folder through AFP?

  • Graham Perrin Level 2 (255 points)

    Recommended reading:


    About the security content of OS X Lion v10.7.4 and Security Update 2012-002


    * the first item describes the Login Window issue, with reference to CVE-2012-0652.


    From Apple's document — and from seeing the symptom of the bug on (just one) computer where FileVault 1 was used — my understanding is that:


    * simply making an AFP connection from a 10.7.3 client, to a server, does not cause the password to be saved in plain text


    * the issue may affect a 10.7.3 client that uses a server for both (a) login window authentication and (b) automatic mounting of the client's home directory.


    Hint: at a 10.7.3 client, in the Users & Groups pane of System Preferences, click Login Options. If any network account server is listed, then you may find that the password of a network account user is saved in plain text at that client computer.