Password compromised whether or not FileVault was used?
This article states that Lion 10.7.3 users are possibly affected by a compromise of their passwords whether or not FileVault has been used, doesn't it?
Per the first sentence, this impacts users who either use Legacy FileVault or have home folders mounted via NFS, AFP, or SMB. If you don't fall in either category, no issue.
Per the second sentence, the logs these plain-text passwords are stored in may have been copied to backups (not Time Machine) or to syslog servers.
Link to TS4272 to save readers the trouble of finding it.
I didn't use FileVault, but my home folder was mounted by myself through AFP using other Macs on my network. Should I interpret the article to mean that the password may be stored in plain text on the Mac that hosted the home folder through AFP, or that the password may be stored in plain text in log files of any of the Macs that were used to access the home folder through AFP, or that the password might appear in clear text in the log files of any of those computers, whether hosting or accessing the home folder through AFP?
Recommended reading:
About the security content of OS X Lion v10.7.4 and Security Update 2012-002
* the first item describes the Login Window issue, with reference to CVE-2012-0652.
From Apple's document — and from seeing the symptom of the bug on (just one) computer where FileVault 1 was used — my understanding is that:
* simply making an AFP connection from a 10.7.3 client, to a server, does not cause the password to be saved in plain text
* the issue may affect a 10.7.3 client that uses a server for both (a) login window authentication and (b) automatic mounting of the client's home directory.
Hint: at a 10.7.3 client, in the Users & Groups pane of System Preferences, click Login Options. If any network account server is listed, then you may find that the password of a network account user is saved in plain text at that client computer.