Passwords are stored in the computer's memory long after they're needed

Feb 29, 2008 08:08 GMT  ·  By

Sure, Macs are pretty much virus-free (plus they come as an integrated whole, seldom crash and look just great), but a glitch is something no computer or electronic device can escape. Apple itself has recently confirmed "a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account," according to C|netNews.com (News Blog).

According to Apple, the system is most vulnerable after it stores an account password in the computer's memory and keeps it there long after it is needed, due to a programming error. This means that the password can be retrieved at any time by anyone with physical access to that computer who wishes to impersonate the real user.
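The failure mode Apple describes, a password left sitting in memory after the check that needed it is over, is a generic programming error rather than anything unique to the Mac code involved. The C program below is an added illustration, not code from the article or from Apple: it shows a leaky password check beside a corrected one that scrubs its buffer before returning, plus a check that reports whether cleartext is still resident afterwards. The function names, the scratch buffer and the sample password are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PW_MAX 64

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the stores as "dead" when the buffer is never read again. Platform helpers
 * such as explicit_bzero() (glibc/BSD), memset_s() (C11 Annex K) or
 * SecureZeroMemory() (Windows) serve the same purpose where available. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte in the buffer is zero, 0 otherwise. */
int buffer_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Stand-in for "using" the password: a constant-time comparison against a
 * constructed reference value (a real system would compare a derived hash). */
static int pw_matches(const unsigned char *pw, size_t len, const char *expected)
{
    size_t elen = strlen(expected);
    if (len != elen)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= pw[i] ^ (unsigned char)expected[i];
    return diff == 0;
}

/* The leaky pattern: the cleartext password is copied into a long-lived
 * scratch buffer, checked, and then simply left there. Returns 1 on match,
 * 0 on mismatch, -1 if the password does not fit. */
int check_password_leaky(unsigned char *scratch, const char *pw, const char *expected)
{
    size_t len = strlen(pw);
    if (len >= PW_MAX)
        return -1;
    memcpy(scratch, pw, len);
    return pw_matches(scratch, len, expected);
    /* scratch still holds the cleartext password after this returns */
}

/* The corrected pattern: identical work, but the buffer is scrubbed before
 * the function returns, whatever the outcome of the comparison. */
int check_password_scrubbed(unsigned char *scratch, const char *pw, const char *expected)
{
    size_t len = strlen(pw);
    if (len >= PW_MAX)
        return -1;
    memcpy(scratch, pw, len);
    int ok = pw_matches(scratch, len, expected);
    secure_zero(scratch, PW_MAX);
    return ok;
}

/* Each check runs one variant on a fresh buffer and reports whether the
 * cleartext is still resident afterwards (1 = still in memory, 0 = cleared,
 * -1 = the comparison itself failed unexpectedly). */
int leaky_leaves_password(void)
{
    unsigned char buf[PW_MAX] = {0};
    if (check_password_leaky(buf, "correct-horse", "correct-horse") != 1)
        return -1;
    return !buffer_is_zero(buf, PW_MAX);
}

int scrubbed_leaves_password(void)
{
    unsigned char buf[PW_MAX] = {0};
    if (check_password_scrubbed(buf, "correct-horse", "correct-horse") != 1)
        return -1;
    return !buffer_is_zero(buf, PW_MAX);
}

int main(void)
{
    printf("leaky variant leaves password in memory:    %d\n", leaky_leaves_password());
    printf("scrubbed variant leaves password in memory: %d\n", scrubbed_leaves_password());
    return 0;
}
```

The volatile-pointer loop matters: a plain memset() on a buffer that is never read again is a dead store the optimizer is entitled to delete, which is one way a "we clear it" routine quietly stops clearing anything. Scrubbing the working buffer is only part of the picture, since copies can also survive in registers, in swap, or in a library's internal buffers, which is why the article's physical-access scenario is hard to rule out completely.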

"This is a real problem and it needs to be fixed," said Jacob Appelbaum. He disagrees with the company's response, saying "they won't put it in the latest security update or release a security update just for this issue." Jacob is a San Francisco-area programmer who discovered the vulnerability and reported it to Apple.

Jacob and his team of researchers are also responsible for a paper called "cold boot", published just last week. According to C|net, it describes "unrelated vulnerabilities in encrypted filesystems," among them Apple's FileVault, Windows Vista's BitLocker and some open-source ones as well.

"We're aware of this locally exploitable vulnerability, and we're working to fix it in an upcoming software update," Anuj Nayar, senior manager of PR at Apple, told the website. "While no operating system can be 100 percent immune, Apple has a great track record of addressing potential vulnerabilities before they can affect users."

Mac owners, and especially those using Keychain, should note that this vulnerability is specific to OS X. The glitch gives full access to your passwords for wireless networks, Web sites, network-mounted volumes, accounts accessed via SSH and more, at least in the system's default configuration.