News Apple goof opens FileVault hole in OS X

Discussion in 'Article Discussion' started by brumgrunt, 7 May 2012.

  1. brumgrunt

    brumgrunt What's a Dremel?

    Joined:
    16 Dec 2011
    Posts:
    1,009
    Likes Received:
    27
  2. schmidtbag

    schmidtbag What's a Dremel?

    Joined:
    30 Jul 2010
    Posts:
    1,082
    Likes Received:
    10
    "With Apple fans often claiming that the company's systems are somehow less vulnerable to attack than those from long-time rival Microsoft"

    That's where Apple users don't know the difference between malware vulnerability and hacking vulnerability. All Unix-based and Unix-like systems are naturally resistant to malware, whereas Windows is naturally insecure about infections. But, hacking is a separate story.

    However, hacking is so different that it isn't (or shouldn't be) entirely the OS's obligation to protect against such a thing. When someone attempts to hack into your stuff, you've either pissed someone off or you made others aware of who you are and what you have. That being said, it's kind of the user's fault if anything breaches a computer via non-malware methods. In the situation of users getting their things hacked when relying on Apple's FileVault, well that is also Apple's fault because they made an unreliable product.
     
  3. Snips

    Snips I can do dat, giz a job

    Joined:
    14 Sep 2010
    Posts:
    1,940
    Likes Received:
    66
    Oops! I'm sure they will have it fixed sooner or later. If you are using Apple OSX then try downloading Microsoft Security Essentials :)
     
  4. Andy Mc

    Andy Mc Modder

    Joined:
    23 May 2002
    Posts:
    1,743
    Likes Received:
    133
    Wonder how long it will take them to pull their finger out and patch this?

    I call 6 months.
     
  5. Cei

    Cei pew pew pew

    Joined:
    22 Mar 2008
    Posts:
    4,714
    Likes Received:
    122
    Interesting. When will Bit-Tech start posting news articles on every Windows flaw?
     
  6. AmEv

    AmEv Meow meow. See yall in 2-ish years!

    Joined:
    6 Apr 2011
    Posts:
    1,173
    Likes Received:
    43
    Funny.

    Seriously though, it isn't that Windows is/isn't flawed, it's that most of the users that we hear about claim that OS(X) is immune from inoperability. As in, there is 0 malware for it.

    Another thread.
     
  7. Andy Mc

    Andy Mc Modder

    Joined:
    23 May 2002
    Posts:
    1,743
    Likes Received:
    133
    I think the issue here is more about Apple's approach to security patching; they are just terrible at it.

    MS will patch issues quite quickly whereas Apple will drag their feet and still insist on telling their users that they do not need to use any form of AV software on their Mac.

    This issue was first seen 3 months ago! There's more on it here: http://www.zdnet.com/blog/security/...oses-lion-login-passwords-in-clear-text/11963
     
    Last edited: 8 May 2012
  8. fluxtatic

    fluxtatic What's a Dremel?

    Joined:
    25 Aug 2010
    Posts:
    507
    Likes Received:
    5
    This just in from my local Genius (tm) - "Whatever are you talking about? There's no problem, no vulnerability here. Just as the Great Steve (tm) decreed, 'OS X is invulnerable to any sort of problems at all. It's no more vulnerable to hacking or viruses than your toaster.' So, you see? Nothing to see here. Want to buy a new shiny to give your life meaning?"

    There you have it, folks. Every tech site on the planet is just dead wrong about this.
     
  9. modfx

    modfx Loft Gremlin

    Joined:
    11 Feb 2010
    Posts:
    209
    Likes Received:
    7
    A massive scale attack on Apple would be most amusing. A few people I know are the "head in the sand lalallalalala Apple can't get viruses and are the most awesome creation known to man. Why? It's Apple, you don't ask why, they just are." types and it would be funny to see their beloved Mac crumble.

    By no means is this aimed at Mac users in general. Fanboys of any description irritate me.
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    Like this one? How about this one? This one? Perhaps this one? This one? This little round-up? This one? This one? This one? This one in Sharepoint?

    If a vulnerability is news-worthy, it gets mentioned - regardless of platform. We don't cover every Windows vulnerability - partly because there's too many of 'em, and partly 'cos we're not a security-focused site - but we try to cover the highlights.

    And, I think you'll agree once the Apple-provided scales have fallen from your eyes, storing the passwords for encryption software on the disk in plain-text is definitely a highlight. If Microsoft had done the same, you'd better believe we'd have reported it.
     
  11. FelixTech

    FelixTech Robot

    Joined:
    12 Jun 2009
    Posts:
    357
    Likes Received:
    8
    I'm fairly sure you can bypass Windows login screens over FireWire unless there are non-default settings for the port. However, OSX is the only operating system stupid enough to let you read any bypassed passwords in plain text! It's quite easy to do really! :O
     
  12. Cei

    Cei pew pew pew

    Joined:
    22 Mar 2008
    Posts:
    4,714
    Likes Received:
    122
    Oh don't get me wrong Gareth, this is a flaw in OS X, and a ridiculous one at that - particularly for any owners that have upgraded from previous OS X versions whilst using FileVault. Yet the fact that you need physical access to the machine begins to turn this into something that is more academic than a threat to the average internet user.

    Your list of links, though pretty, all seem to date from 2010 (apart from a single one in Jan 2011 and a single 2012 article). We've then had a whole spate of Apple ones in recent times, and no comment on what happens to Windows.

    I guess my point is that, as you say, B-T isn't a security website, and so any article you do post is going to have to be of above average interest to the readers. So why post Apple-related ones, on a security flaw requiring physical access, when basically ignoring what goes on with Windows since 2010?
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    Combine it with the drive-by downloader which gains administrative access to OS X without the user's knowledge, and you have a way to remotely harvest passwords for FileVault partitions. Considering that the whole point of FileVault is to protect your privacy in the event of local or remote intrusion, I'd say that's a serious threat indeed.

    Ignoring what goes on with Windows since 2010? Whatever you're smoking, I'll have some.

    I stopped writing for bit-tech a while back, then started again when Simon took over. If you're wondering why there weren't so many stories in 2011 as in 2010 - I wasn't here to write them!

    As for the 'whole spate' of Apple security articles, I count a massive two in 2012: this article, and one about the first drive-by downloader for OS X in the wild. Both, I would say, are very much newsworthy and deserve to appear on bit-tech.

    In the same space of time - i.e. since 1st January 2012 - there have also been two stories about the Microsoft Windows RDP vulnerability and one about Google's cash-for-vulns programme.

    I would say an equal number of articles about vulnerabilities in Windows as about vulnerabilities in OS X is fair, wouldn't you?

    As for 'ignoring' Windows vulnerabilities, it's quite simple: a new drive-by downloader for Windows isn't news. There are hundreds of them. The majority aren't very successful. The world's first drive-by downloader for OS X, which has a confirmed list of victims 550,000-long? That's news. If it were the first drive-by downloader for Windows, I'd have written about it too.

    The biggest security SNAFU of the year from Microsoft was the RDP vulnerability, which got two stories. The biggest SNAFUs from Apple were the drive-by downloader - which at half a million victims on an OS the company has claimed is immune to viruses, is big news - and the FileVault bug.

    You want me to write more about Windows vulnerabilities than Apple vulnerabilities? Go find some interesting vulnerabilities in Windows, and I'll write about 'em. It's really as simple as that.
     
    Last edited: 8 May 2012
  14. cookie! nom nom

    cookie! nom nom Minimodder

    Joined:
    27 Apr 2012
    Posts:
    968
    Likes Received:
    85
    Meh, mistakes happen..... it's not like people's private info can be used/seen
     
  15. schmidtbag

    schmidtbag What's a Dremel?

    Joined:
    30 Jul 2010
    Posts:
    1,082
    Likes Received:
    10
    That's true, but there's a difference between making a mistake and then just being ignorant about something. Anyone who knows anything about computers knows that an easily accessible text file is not something you store data that should otherwise be hidden/encrypted.
     
  16. Paulg1971

    Paulg1971 Minimodder

    Joined:
    24 Apr 2009
    Posts:
    110
    Likes Received:
    0
    Another thing to consider is that most PC users have some form of security on their machines whereas Apple users still have their heads up their arses and have no security, so highlighting problems for Apple makes good sense (and gives PC users a good laugh)
     
  17. lamboman

    lamboman What's a Dremel?

    Joined:
    25 Jul 2006
    Posts:
    1,509
    Likes Received:
    28
    A vague statement to make. What do you mean by "security"? What form of security specifically?

    Either way, if your statement were true, there wouldn't be such a ridiculous amount of infected Windows systems.

    Furthermore, Windows users have nothing to laugh at. There are still quite a few more threats for Windows PCs, to say the least. Not because Windows is a more insecure platform, merely because there are more users. At the same time, Mac users who claim that their systems are invincible to every threat known to man need to be lined up and shot, frankly.

    All operating systems have vulnerabilities. No point in arguing that one platform is more secure than the other, because there will always be more vulnerabilities found for any platform.

    Finally, a huge proportion of security issues are caused by the user. Stick up a firewall, have some decent anti-malware protection, and most importantly, use some common sense.

    I am by no means a security expert. Quite frankly, anybody could say what I've just said.

    EDIT: I should also add that I would agree that Apple can be slow to issue updates, not just for security issues but for other problems too (take the 2011 iMac's Wi-Fi issues that weren't fixed for 6 months). If they're kicked about enough on the Internet, updates will be issued quicker. However, it shouldn't be like that. This FileVault issue is a "tad" silly...
     
    Last edited: 8 May 2012
  18. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    Apple has now fixed the FileVault bug (along with a few other security holes) in OS X 10.7.4, plus another hole in Safari with 5.1.7. If you're a Mac user, it's time to update.
     
  19. slothy89

    slothy89 MicroModder

    Joined:
    17 Feb 2011
    Posts:
    145
    Likes Received:
    5
    I laugh at all this Windows vs Mac banter! Neither is superior to the other.

    I own both, and know the weaknesses each possess. I cringe when I hear a salesman tell a naive customer that their shiny new iMac doesn't need Internet security, as the days of the secure Mac are gone. With more and more clueless consumers buying Macs, the concentration of Mac PCs is increasing, whilst the average IT knowledge of Mac users is dropping. This makes Macs a more viable target for malware devs.

    That said, I don't run any fancy security suite on my Windows or Mac PCs as one I don't want to pay, and two from my experience most infections are the result of opening spam emails or downloading fake torrents etc. In other words, lack of common sense. I have not had one issue with malware in the past 5 years of having my own private PC Internet connected.

    Ultimately it is the lump of flesh that tells the shiny box what to do that is the main vulnerability on any system whether it's Windows, Mac, Linux or otherwise.

    Good story!
     
  20. lamboman

    lamboman What's a Dremel?

    Joined:
    25 Jul 2006
    Posts:
    1,509
    Likes Received:
    28
    Couldn't agree more. That said, always worth having anti-virus software just to scan anything that does come in, just in case.
     