Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account.
The vulnerability arises out of a programming error that stores the account password in the computer's memory long after it's needed, meaning it can be retrieved and used to log into the computer and impersonate the user.
"This is a real problem and it needs to be fixed," said Jacob Appelbaum, a San Francisco-based programmer who discovered the vulnerability and reported it to Apple. He said he disagreed with the company's response: "They won't put it in the latest security update or release a security update just for this issue."
Appelbaum is one of the team of researchers who published a "cold boot" paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple's FileVault, Windows Vista's BitLocker, and a number of open-source ones.
Unlike the security concerns reported last week, this vulnerability is specific to OS X. It's also more sweeping because it offers -- at least in OS X's default configuration -- full access to passwords stored in the Keychain, which can include passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, and so on.
Apple spokesman Anuj Nayar said: "We're aware of this locally exploitable vulnerability, and we're working to fix it in an upcoming software update. While no operating system can be 100 percent immune, Apple has a great track record of addressing potential vulnerabilities before they can affect users."
The security glitch works like this: The OS X subsystem that asks for a username and password to log into an account is, reasonably enough, called loginwindow.app. In the default configuration, the account password unlocks the user's keychain and the encrypted FileVault volume (if one is in use).
But instead of immediately erasing the password from memory once the unlocking process is complete, OS X keeps it around. That means someone with physical access to the computer can use multiple methods to extract the contents of the computer's DRAM chips.
Last week's paper described some of those techniques. They include: plugging an iPod into a Firewire port to extract the contents of memory, rebooting the computer and running a memory-extractor over the network or from removable media, or physically ripping out the DRAM chips and inserting them into another computer. (Setting a firmware password can guard against the rebooting-attack threat.)
Turning off your computer and waiting a minute or more protects you from this attack by giving the contents of DRAM time to decay.
Although it's possible that the password stays in RAM even after the user logs out -- which would be even more dangerous -- Appelbaum hasn't tested that theory.
So, all I have to do is perform this simple process with my iPod on a few thousand Macs without their users knowing and (if i knew how) could create a Mac bot army!!!!! Along with siphoning off millions of dollars into my personal bank accounts, gaining access to gigabytes of wireless traffic, stealing reams of sensitive documents - the possibilities are positively endless.
I could do this... or just bring my OSX disk with me and have access to root.