Wednesday, February 27, 2008

Mac security glitch

Article: http://www.news.com/8301-10784_3-9881870-7.html

As much as I love Apple, even they have their problems...the latest being a security glitch on Mac OS X 10.5 (Leopard) that gives unauthorized users access to the password of the active user account on a Mac. The problem is that once a user logs in, the account password is stored in memory too long (rather than being erased immediately after login is complete), which enables it to be retrieved by an unauthorized person. For example: I could sit in class, log on to my computer, get up to go to the restroom, and someone could retrieve my password from my computer while I'm gone. Then if that person were left alone with my computer, they could log on under my name and do all sorts of damage.
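An added example (not from the original post and not Apple's code) of the pattern described above: a login routine that leaves the plaintext password in a long-lived buffer, beside one that erases it as soon as verification is done. The buffer, function names and sample password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PW_MAX 64
/* Long-lived buffer standing in for the login process's memory (constructed). */
static char login_buf[PW_MAX];

/* Write zeros through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}
/* Hypothetical verifier with a constructed sample credential (assumption). */
static int verify(const char *pw) { return strcmp(pw, "correct horse") == 0; }

/* Copy the typed password into the buffer; strncpy zero-pads the remainder. */
static void take_input(const char *typed)
{
    strncpy(login_buf, typed, PW_MAX - 1);
    login_buf[PW_MAX - 1] = '\0';
}
/* Weak form: the plaintext stays in memory after the check has finished. */
int login_leaky(const char *typed) { take_input(typed); return verify(login_buf); }

/* Hardened form: the plaintext is erased once verification is done. */
int login_scrubbed(const char *typed)
{
    take_input(typed);
    int ok = verify(login_buf);
    secure_wipe(login_buf, sizeof login_buf);
    return ok;
}
/* Returns 1 if needle still appears anywhere in the login buffer. */
int residue_present(const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > PW_MAX) return 0;
    for (size_t i = 0; i + n <= PW_MAX; i++)
        if (memcmp(login_buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    int ok = login_leaky("correct horse");
    printf("leaky:    ok=%d residue=%d\n", ok, residue_present("correct horse"));
    ok = login_scrubbed("correct horse");
    printf("scrubbed: ok=%d residue=%d\n", ok, residue_present("correct horse"));
    return 0;
}
```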

As an owner of a PowerBook, I see this as a serious problem for several reasons. The most obvious reason is that someone can steal a user's password and log in under their user name and impersonate that user. The impersonator would have access to the user's files, some of which may be confidential. But secondly, and perhaps more importantly, if an unauthorized person logs in under that user name, they have access to that user's Keychain, the Mac utility that stores passwords to web sites, wireless networks, and the like. This means that the hacker not only has access to files on the user's computer, but may also be able to access remote information hosted elsewhere. This can be very dangerous.

A programmer in California was the one who reported the problem to Apple, and Apple responded that they would not release a security update just for this issue. So far, Leopard has been Apple's most problematic OS release...and the fact that they will not include a fix to this problem in a timely update surprises me.
