Flaw in Apple’s OS X can expose keychain password
Apple has struggled with its release of Leopard. The company has been accused most often of releasing an unfinished version just to get it on the shelves. This past month saw a release of the much-anticipated Leopard Update 10.5.2, which fixed as many as 76 flaws in Leopard that were causing problems with everything from using the internet to seeing external drives and hearing your speakers.
Now a new problem looms for the rising star: a potential security risk. It seems that a flaw in Leopard can expose your keychain password to anyone who is at your machine if the flaw is left unfixed. How does it happen? It seems that, due to a programming snafu, the password is stored in the computer's memory for far longer than is necessary to complete the login task. That means anyone who can sit in front of your machine may be able to grab your password.
This poses little threat to the home computer user using a desktop in a secure environment. But if you are like me and take your laptop with you everywhere, or like others who have roommates, office mates and other high-traffic issues, this could pose a problem. The person who discovered the flaw is unhappy with Apple’s response:
“This is a real problem and it needs to be fixed,” said Jacob Appelbaum, a San Francisco-based programmer who discovered the vulnerability and reported it to Apple. He said he disagreed with the company’s response: “They won’t put it in the latest security update or release a security update just for this issue.”
What makes this such a security concern is the unfettered access it gives the snooper to your keychain. The person stealing your password can see every password and login that you have stored in your keychain. This means they can steal your identity and pretend to be you anywhere they want online. So far you must turn off your computer and let it reset for a full minute in order to erase the DRAM and remove the passwords from memory. You can also set a firmware password to defeat some of the methods listed below.
Here is a list of access methods to guard against from the white paper Appelbaum wrote on the breach last week:
- Plugging an iPod into a Firewire port to extract the contents of memory
- Rebooting the computer and running a memory-extractor over the network or from removable media
- Physically ripping out the DRAM chips and inserting them into another computer
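The bug class described above, a password left in memory after the login step has finished, is shown below beside its fix as an added example; it is not Apple's code, and the page does not describe Apple's implementation. The function names, the scratch buffer and the demo passphrase are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64

/* Hypothetical stand-in for the real credential check (constructed value). */
static int verify(const char *pw) {
    return strcmp(pw, "demo-passphrase") == 0;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Before: the working copy of the password outlives the login step. */
int login_leaky(char scratch[SCRATCH_LEN], const char *typed) {
    strncpy(scratch, typed, SCRATCH_LEN - 1);
    scratch[SCRATCH_LEN - 1] = '\0';
    return verify(scratch);
}

/* After: same check, but the copy is wiped on success and on failure. */
int login_wiped(char scratch[SCRATCH_LEN], const char *typed) {
    strncpy(scratch, typed, SCRATCH_LEN - 1);
    scratch[SCRATCH_LEN - 1] = '\0';
    int ok = verify(scratch);
    secure_wipe(scratch, SCRATCH_LEN);
    return ok;
}

/* Bytes of the password still readable in the buffer after login. */
size_t residue(const char *scratch) {
    size_t n = 0;
    for (size_t i = 0; i < SCRATCH_LEN; i++) n += scratch[i] != 0;
    return n;
}

int main(void) {
    char a[SCRATCH_LEN] = {0}, b[SCRATCH_LEN] = {0};
    int ok_a = login_leaky(a, "demo-passphrase");
    int ok_b = login_wiped(b, "demo-passphrase");
    printf("leaky: ok=%d residue=%zu\n", ok_a, residue(a));
    printf("wiped: ok=%d residue=%zu\n", ok_b, residue(b));
    return 0;
}
```

A plain `memset` before the buffer goes out of use can be removed by the optimizer as a dead store, which is why the wipe writes through a `volatile` pointer.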
March 3rd, 2008
An Apple spokesperson told CNET that Apple is aware of the issue, and that it’s “working to fix it in an upcoming software update.”
March 3rd, 2008
Hi Leslie,
“This past month saw a release of the much anticipated Leopard Update 15.2.1,”
Not sure what update you were referring to but the latest version of Mac OS X Leopard on my Mac is 10.5.2.
March 3rd, 2008
Yikes.
March 4th, 2008
Leopard is a bug-ridden piece of shit.
March 4th, 2008
Pardon me – number transposition typo
Fixing now