Slashdot Mirror
Apple Patches Wireless Drivers
Frank writes "Apple quietly released a pair of patches today to its wireless drivers. The patches (one for PowerPC, one for Intel) address distinct buffer overflow vulnerabilities found during an internal audit in response to the claim that fuzzing the drivers resulted in an exploitable failure."
I think that's a bit harsh. And since I know both my neighbors and they're both developers who I'd trust with my network, and they're both over 200' away, I could give a flying rat's ass anyway.And if Wall Street gave f**** about network security Microsoft would be trading at $1/share.
The revolution will NOT be televised.
IIRC, a few weeks ago they were adamant that there was no flaw. Seems even darling companies can make mistakes too.
Engineering is the art of compromise.
We complain when Microsoft quietly releases patches, why would we ever expect less of Apple?
Because Linux' security-fixes (about weekly since the flawed AOL-desktop-OS 2.6.* kernel-series) are always loudly announced, right?
Fucking hipocrisy.
Fucking hipocrisy
Welcome to Slashdot.
It just sounds exactly the sort of thing politicians do, deny there is ever any problem, quietly legistlate, and then when it comes to an election they can say how wonderful they are at the problem they identified and fixed themselves.
;)
I wonder if Steve is planning on running
So now we should give credit to companies for announcing that there could be unspecified vulnerabilities in components!? Oooh. Oooh. There could be a vulnerability in Windows Vista's USB drivers! But I'm not going to say what it is! But now they have to credit me every time one is discovered and released!
90% of the driver code processes wireless frames. Saying that there is a vulnerability in the wireless driver when processing malicious frames provides zero information on an actual vulnerability.
"Apple quietly released..."
It's in Security Update where every other update goes, and a spokesperson even talked with MacWorld about it. What's quiet about the release?
"Sufferin' succotash."
Why would that be the thing SecureWorks claimed they found?
It's trivial to catch Apple out - they can just release the communications they sent now that Apple have patched the drivers, and easily show Apple are lying when they said "They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit."
Let's hear from SecureWorks now. Unless... this is a different issue... and Apple aren't lying in such as easily provable way.
Luckily not enough people actually use Macs to make exploits worth using.
The one complaint I have about OS X is the way it handles wireless networks. I can't save the password on the keyring unless the the SSID is being broadcast. What the hell is up with that? With XP, it just works. (Kills me to say that, but it's true.) Hopefully they'll fix it in the next version, but I'm guessing they would rather make it easy for AirPort and a pain for linksys.
I know disabling SSID broadcast doesn't really give you much security, but I live in a townhouse. Why make it easy?
Am I crazy?
To a degree yes. You, nor anyone else in the world is willing to pay what it costs for a fully secure system. It costs money, but more than that it costs time, and people don't want to wait. It is possible to design perfect and bug free software with no defects or attack vectors, but the costs and time associated with it would put it out of the price range of even the most succesful of corporations. And in the end, it would be worthless because it would be outdated by the time you released it. So people want it now, which means not testing for some of the more fringe cases. They also want it cheaper which means leaving out more testing. Witness the computers of today vs the ones of yesteryear. Many computers years ago were built to last, in part because they were expensive enough that a company needed to make them a good investment. These days no one has the stomach to pay for a $5,000 personal computer, even if it means better build quality. They want the latest, the greatest, and they want it now. Software is the same way. We want the latest and the greatest and we want it now, to hell with perfection we can iron the bugs out later.
T Money
World Domination with a plastic spoon since 1984
So let's say you accomplish near-perfection in your code, and you have 1 bug in the entire program. Now, put that program on an operating system, made up of thousands of other binaries, each with only *1* bug in them. Individually, each one of those binaries is nearly perfect. Taken all together, you have a buggy, quirky, unpredictable system of interactions. So do you not release your software until everybody else in the universe also gets theirs right?
Or do you just do the reasonable thing -- release it when it's "okay" so people can use it, and continue improving it via some patching or update process?
Speaking as someone who did five years at Apple, the company certainly does audit stuff before it's released -- particularly network and filesystem code. Patches and bugfixes also tend to get code-reviewed right inside the bug report by several people outside of the core group with good security experience, and reviewed again before they make it into a release. The main problem is that there are so many lines of code and only a finite amount of time, and the more subtle problems take longer to detect. There is a cost-to-profit tradeoff after a certain point.
It's like microwave popcorn. You nuke it and in the first few minutes you can get almost all of the kernels (exploits) popped. Then the rate of popping slows down. After a while, you simply have to stop or else you'll burn right through your profit (of warm, yummy popped corn).
And that's just not worth it. No matter what there will always be a few hiding way down in the bottom of the bag. You can burn through the whole thing and still never pop them all.
...they've probably had a fix for a month but have spent the rest of the time scrambling the executable so you can't "bindiff" them to figure out what has been changed.
Microsoft won't release a patch for a flaw they find themselves until someone else finds it because of the bindiff risk. They typically just fix it in the next OS, which you can't bindiff anyway because they're too different.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
So . . . now that Apple has patched the code, why doesn't secureworks demonstrate their exploit with an unpatched Apple MacBook? Can they? It seems an easy test. If they have an exploit, show it. The code is fixed.