Massive Apple Security Update Locks Out PGP Users

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

PGP customers are being warned not to apply Apple’s mammoth security update for Mac OS X, after it locked users out of their computers

The mammoth security update from Apple has plugged more than 130 Mac OS X security holes, but the company is facing the wrath of some of its users who utilise PGP Whole Disk Encryption, after they found themselves locked out of their computers, following the update.

Wednesday, customers of PGP, now a division at Symantec, reported being unable to boot their computers after upgrading to Mac OS X 10.6.5.

Later that day, PGP posted a warning to its customers using Mac Whole Disk Encryption (MAC WDE) urging them not to upgrade.

Bricked Computers

In a statement today, Symantec explained to eWEEK that the Apple update released a new version of the boot.efi file that overwrites the previous edition of the file used by PGP Whole Disk Encryption. As a result, the user’s machine skips the pre-boot authentication step, effectively preventing the disk from being unlocked prior to boot. The data on the disk however is still recoverable, the company said.

“If the update to OS X 10.6.5 has already been made and the machine fails to boot, the data on the machine is not lost,” according to Symantec. “The system can be restored using the PGP Recovery CD. Instructions can be found in this Knowledgebase Article.”

“This appears to be the first time Apple has modified boot.efi in a minor update, and Symantec is adjusting test procedures accordingly to help avoid this issue in the future,” the company added.

Apple Security Update

Details on Apple’s massive update are available here. Fifty-five of the bugs patched by Apple actually were in a non-Apple product – Adobe Flash Player – which in a way could add ammunition to the public war of the words that has waged between Adobe Systems and Apple during the past several months. A few weeks ago, Apple MacBook Air shipped without Flash.

“Apple provides its own version of the Flash plug-in, and dropping the need to update it shifts the responsibility to Adobe, and frees Apple from having to worry about these flaws, and from providing them in security updates,” said Peter James, global spokesperson for Mac-focused security company Intego.

Besides Flash, the other fixes span a variety of areas, including 16 patches for X11, Apple’s implementation of the X Window System that makes it possible to run X11-based applications in Mac OS X. Nine other fixes impact QuickTime – all of which could be used to run arbitrary code if successful exploited.

“Many of the flaws fixed are quite serious: there is a file sharing flaw, a couple of PDF bugs, and a large number of QuickTime vulnerabilities that are fixed in this update,” James said.