Mac Wireless driver Security vulnerability revisited
A couple weeks ago the hot story was about the demonstration of a vulnerability in a 3rd party wireless card driver on a Mac. The individuals that demonstrated the vulnerability (in a video taped presentation) also claimed that many wireless drivers were vulnerable to this same flaw and it included the MacBook native drivers (among others.) There was immediate controversy over the fact it was a video demo. I thought their explanation for that was reasonable. (They didn’t want to give a room full of crackers a chance to sniff the wireless traffic and get TOO much detail on the exploit before vendors had a good chance to give updates.) Well… at this point it sounds like among other things, they have not yet demonstrated to Apple an effective use of this exploit against the wireless drivers on the macbook.
It seems that Apple has strongly refuted their claims and frankly it’s sounding more and more as though there was a good deal of “smoke and mirrors”. According to the latest update, Atheros (the company that provides the wireless device for the macbooks) hasn’t been notified of any issues either.
Apparently earlier in the year, SecureWorks (the company that presented the supposed vulnerability) had alerted Apple to a wireless vulnerability in the FreeBSD system (which OS X is based on) which related to a vulnerability in the discovery of wireless networks. It’s unclear if that patch had been made in Apple’s OS X.
This really sums it up…
“SecureWorks has not be able to exploit this for us,” Fox said. “No one has been able to show us a way to exploit our internal [wireless] device drviers with that flaw.”
–Update 8/24/06–
It seems the blogstorm over this has not quit. Some are REALLY giving Brian Krebs a hard time over what he reported. Many are jumping to conclusions fairly quickly. George Ou is following some of the “debate”. (Earlier post at this link.) It’s clear from his article that there are things that aren’t publicly known YET. It will be interesting to see how things develop. It sounds as though the situation will hang around a while. The research group that presented the vulnerability apparently didn’t share any code with Apple over the issue, but the way I read it – it is quite likely that Apple’s driver is vulnerable to a similar issue, JUST AS THEY TOLD BRIAN KREBS.
It sounds like the next few days may see some real sparks flying on this story. (Up until now, we’ve only got the “shock and outrage” over the “admission” that it wasn’t an Apple vulnerability…..) Just wait and prepare to read (and think it through), this will be interesting.
Popularity: 1% [?]
Related Posts - Network Security guide for the home or small business network - Part 14 - Alternative software There are ways that risks can be avoided. Recently, there was what was called a zero-day exploit for Internet Explorer. As I write this, the exploit surfaced 3 weeks ago and tomorrow there will be a patch. The vulnerability would allow remote code execution through a vulnerability in the way......
- Microsoft security roundup OK - there have been a number of Excel problems floating around in the last week - week and a half. Securiteam blog has a FAQ on the Excel 0-day vulnerabilities with Excel and Excel Viewer Incidents.org kindly gives us a scoresheet documenting the three different vulnerabilities that have been......
- Another update on the 0day Explorer exploit Well, it looks like quite a bit took place while I was out on the "zero day exploit front". It looks as though there is another update at The Sans Institute. The first thing to notice is that they've raised their alert level to Yellow over the impending active exploitation......
Related Websites - Adobe confirms PDF zero-day, plans rush patch By Gregg Keizer | Computerworld | InfoWorld Adobe today said it would issue an emergency patch the week of Aug. 16 to fix a critical flaw in its Reader and Acrobat software. The bug was disclosed by researcher Charlie Miller at last month's Black Hat security conference when he demonstrated how......
- Atlanta Tennis Championship Ends with Mardy Fish on Top Many of the best tennis players in the nation descended on Atlanta like they do every year. They come to play in the Atlanta Tennis Championship. This tournament was able to provide a great show of some great tennis skills by some of the most known names in tennis today.......
- Delaying Social Security after Stopping Work Some baby boomers are asking the question of what happens to their Social Security retirement benefits if they stop working but do not claim benefits until later. The answer to that question depends on how many working years you have in the system. Your Social Security retirement benefit is based on......
Similar Posts
- Apple Macbook pro and other wireless fixes
- Wireless Driver Vulnerabilities
- Microsoft’s speed to get security patches out
- Huge Spam Operation Shut Down Thanks to TheSecurityFix
- Apple Quicktime and OS X updates to patch multiple security vulnerabilities