Apple Patches Wi-Fi Vulnerability
September 22, 2006
Updated: Without admitting there is a "known" exploit, Apple has released new software to prevent drive-by Wi-Fi attacks on all current Macs.
Apple this week released a security content update for its AirPort Wi-Fi, which may bring to a close a two-month firestorm of controversy about not just the so-called Wi-Fi drive-by exploit, but also whether Macintosh computers were truly vulnerable, and whether Apple tried to cover up that fact.
In early August, researchers demonstrated via video tape a potential exploit hackers could use to hijack a computer's Wi-Fi connection. The video (WMV), shown at the Black Hat USA 2006 conference, depicted researcher David Maynor of SecureWorks demonstrating how it worked using an Apple MacBook laptop computer.
The implication that a MacOS X computer could be vulnerable set off a firestorm of controversy, despite the researchers openly doing the demo with a third-party wireless card. However, they also said the exploit would work on just about any computer platform or driver that was not updated.
Indeed, Intel issued new firmware for its Centrino Mobile Platform just before the video debuted, lending credence to the claim. Intel apparently laid the need for the updates at Microsoft's feet, stating, "An attacker could potentially exploit these vulnerabilities which could potentially lead to remote code execution and system control."
The tech blogosphere went crazy over whether this was an exploit that could impact the actual Mac native Wi-Fi drivers. Some on the side of the researchers called the reaction against them an "orchestrated assault." Many pro-Mac camps stated unequivocally that there was no such exploit for native Mac Wi-Fi drivers. Glenn Fleishman, the "unsolicited pundit" behind Wi-Fi Networking News, says those statements weren't made by anyone credible, and that most analysts believe "the class of exploit described was highly probable in all Wi-Fi adapters, because of its nature."
Most of the breakdown probably comes from the confusing way the researchers revealed the exploit to the world -- commentator Joe Barr called their video "faux disclosure" -- and how they handled it afterwards, by clamming up. This could potentially be due to business issues, such as a recent merger SecureWorks went through (with LURHQ). That could have gagged the researchers as much as any pressure from Apple's lawyers (another popular theory). Maynor's fellow researcher on this issue, Jon "Johnny Cache" Ellch, made reference on a mailing list in early September to Apple creating a PR smear campaign, but stopped short of saying the company sent in the lawyers.
Apple's update covers arbitrary code execution (when a system is taken over) and system crashes caused by attackers through the wireless network. The updates are covered by either AirPort Update 2006-001 or Security Update 2006-005, whichever your system requires, depending on whether it uses an Intel or PowerPC CPU. Manual downloads of the updates are available at Apple Support.
Apple says there are currently no known exploits for these vulnerabilities, that the "drive-by" as demoed by SecureWorks does not impact its systems, and that this release is unrelated.
At the time the video debuted, the researchers said Macs were not immune to the exploit -- but Apple says that to date no evidence has been provided by SecureWorks to back that up, that this firmware release is "pre-emptive," and that it was done after an internal audit of the driver code.
It's possible this audit was prompted by an early approach from SecureWorks. Fleishman says he believes Apple's statement that there's no such exploit.
Maynor and Ellch are going to talk about the exploit again publicly at the end of September at Toorcon 8, but Fleishman doubts they will show any details or code, or that any such thing was provided to Apple.