Don't trust on Apple Inc with Mozilla Products
This morning, I had received this alert from Mozilla Foundation about my Apple Product. Bad bad idea to trust on Apple Inc.
Security researcher Kent Howard reported an Apple issue present in OS X 10.10 (Yosemite) where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation. In versions of OS X from versions 10.6 through 10.9, the CoreGraphics had this logging ability but it was turned off by default. In OS X 10.10, this logging was turned on by default for some applications that use a custom memory allocator, such as jemalloc, because of an initialization bug in the framework. This issue has been addressed in Mozilla products by explicitly turning off the framework’s logging of input events. On vulnerable systems, this issue can result in private data such as usernames, passwords, and other inputed data being saved to a log file on the local system.
I have check my MacBook Pro and the following views confirmed all informations.
It’s fixed now on(December 12th 2014)
- Firefox 34
- Firefox ESR 31.3
- Thunderbird 31.3
- jemalloc poisoning plus Apple uninitialized variable usage triggers keylogging in /tmp/ on OSX 10.10 (CVE-2014-1595) (Warning you need an account for see this link)