Download OS X Lion 10.7.4, Fixes FileVault Vulnerability
Apple has released the OS X Lion 10.7.4 update, which features a number of security fixes, general improvements and a Safari browser update. If you’re running OS X Lion 10.7.3 or earlier, just run the Software Update app and download the 10.7.4 update.
With the latest update the Cupertino company has fixed the FileVault vulnerability, which left users’ FileVault passwords stored outside of encryption in easy-to-read plain text. Before you start worrying, not every OS X user is affected. The issue only occurs if an OS X user has upgraded from a previous installation of Snow Leopard to Lion. If your Mac came with OS X Lion installed as standard, then your Mac is safe from this issue.
Security researcher David Emery explains that, “Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process’s HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readable by anyone with root or admin access the login password of the user of an encrypted home directory tree (“legacy Filevault”).”
He further explains that, “This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for.”
So, in plain English, if you’ve upgraded from Snow Leopard to Lion and were using legacy FileVault, you should definitely update OS X Lion to 10.7.4.
The OS X Lion 10.7.4 update includes a new version of the Safari browser, version 5.1.6, which has stability improvements. Another small bug fixed in this update is the frustrating issue of the “Reopen windows when logging back in” setting always being enabled.
Other than the above fixes, the official update change-log lists the following fixes:
- Improve compatibility with certain British third-party USB keyboards.
- Addresses permission issues that may be caused if you use the Get Info inspector function “Apply to enclosed items…” on your home directory.
- Improve Internet sharing of PPPoE connections.
- Improve using a proxy auto-configuration (PAC) file.
- Address an issue that may prevent files from being saved to an SMB server.
- Improve printing to an SMB print queue.
- Improve performance when connecting to a WebDAV server.
- Enable automatic login for NIS accounts.
- Include RAW image compatibility for additional digital cameras.
- Improve the reliability of binding and logging into Active Directory accounts.
As is clear from the official change-log, 10.7.4 mainly focuses on improvements to various aspects of the operating system. For detailed information and an extensive list of the changes, users can head over to the official Apple support page or check out the security content of the update.