The recent discovery of a Mac OS security glitch
has triggered "threats" (so to speak) on behalf of Jacob Appelbaum and Adam Boileau (the two guys who've acknowledged the programming flaw), as a response to Apple's and Microsoft's non
-response to the issue. The latter, who's known about the glitch as a Windows threat for eons
, has already made the code available to exploit this vulnerability on his website, as a download.
Appelbaum is prepping to do the same thing. He's "on Apple's side," as
you can imagine, but he's also fed up with the lack of response to the issue on behalf of the Cupertino folks. He's giving Apple three months to act, after which he will make the code available for download too.
"This is a real problem and it needs to be fixed," said Jacob Appelbaum. He disagrees with the company's response saying "they won't put it in the latest security update or release a security update just for this issue." Jacob is a San Francisco-area programmer who discovered the vulnerability and reported it to Apple last month.
Jacob and his team of researchers are also responsible for a paper called "cold boot." It describes "unrelated vulnerabilities in encrypted filesystems," according to C|net, among which Apple's FileVault, Windows Vista's BitLocker and some open-source vulnerabilities are mentioned.
FireWire enabled devices are most vulnerable to the exploit, which can allow hackers to impersonate the real user. The glitch is based on FireWire's ability to directly access the RAM, which holds on to a user's credentials longer than its user thinks it does.
Apple itself has recently confirmed "a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account," according to C|netNews.com (News Blog).
According to Apple, the system becomes most vulnerable after it stores an account password in the computer's memory and keeps it there long after it's needed, all due to a programming error. This means that the respective password can be retrieved at any time, by anyone with "physical" access to that computer, who wishes to impersonate the real user.
Anuj Nayar, senior manager of PR at Apple, stated: "We're aware of this locally exploitable vulnerability, and we're working to fix it in an upcoming software update," as a response to the reported issue last week. For Apple's sake, let's hope it takes less than three months to roll it out.