Apple Patches Wireless Drivers
Frank writes "Apple quietly released a pair of patches today to its wireless drivers. The patches (one for PowerPC, one for Intel) address distinct buffer overflow vulnerabilities found during an internal audit in response to the claim that fuzzing the drivers resulted in an exploitable failure."
For those that like details, here is more specific information on the patch: About the security content of AirPort Update 2006-001 and Security Update 2006-005.
Apple quietly released a pair of patches today to its wireless drivers.
What, you expect them to loudly release a pair of patches? "Hey, everybody, our products have a flaw which allows them to be wirelessly rooted in under a minute! Better apply this patch!!!1!!one!"
Somehow I don't think that would go over too well on Wall Street.
The theory of relativity doesn't work right in Arkansas.
Brian Krebs, at the Washington Post, has some additional background information and comments in his "SecurityFix" blog.
Hell's bells, I can't worry about this trifling matter--I just heard on the radio that this Emerald Ass Borer Beetle is coming to my area. It has to be stopped! I'm going to call my congressman immediately...Doh! Never mind.
I'll let MacWorld say it for me:
From http://www.macworld.com/news/2006/09/21/wireless/
Apple on Thursday released a Security and AirPort update for Mac OS X that fixes vulnerabilities found in the company's wireless drivers. Apple said the issues found were the result of an internal audit of the software drivers and that no known exploits exist for the issues addressed in this update.
...
Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way.
"They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," Apple spokesman, Anuj Nayar, told Macworld. "Today's update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac."
We complain when Microsoft quietly releases patches, why would we ever expect less of Apple?
The new set of "Jeopardy" looks really ugly.
IIRC, a few weeks ago they were adamant that there was no flaw. Seems even darling companies can make mistakes too.
Engineering is the art of compromise.
It just sounds exactly the sort of thing politicians do, deny there is ever any problem, quietly legislate, and then when it comes to an election they can say how wonderful they are at the problem they identified and fixed themselves.
;)
I wonder if Steve is planning on running
I get panics on my MBP, in the same few memory locations, when loading the wifi heavily. For instance, using scp or nfs will trigger a panic within a few minutes. This only happens when the wifi is on; ethernet works fine. I've been waiting to take it in for repair until such a time as Apple A) acknowledges all the other problems (heat, whine) I want fixed on this POS, and B) I can stand to do without my beloved POS for a week or so.
"Apple quietly released..."
It's in Security Update where every other update goes, and a spokesperson even talked with MacWorld about it. What's quiet about the release?
"Sufferin' succotash."
Whadya know? There IS an AirPort update in my Software Update thingy.
"Apple never told me that...I had to hear it from Slashdot."
Sugapablo
..are comments like this:
"They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," Apple spokesman, Anuj Nayar, told Macworld. "Today's update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac."
Apple has a lot of money. Billions in fact. Same with Microsoft. Why the hell don't they audit this stuff BEFORE IT'S RELEASED?
"We are open to hearing from security researchers on how to improve security..."
Yeah, how about not releasing code with security holes? How about "initiating an audit" before the release date? If it was so easy to find them NOW, why wasn't it easy THEN?
Be an apologist all you like ("But, it's HARD to write secure software! Wahh!") but we're not going to have secure systems unless the bugs are squashed BEFORE being discovered. Am I crazy?
I have a Core 2 Duo laptop with the Intel Wireless chipset. Yesterday I pulled down a "Critical" patch and installed it. I think both Apple and Dell are using the same Intel chipsets, so this is apparently an Intel fix.
Apple has no control over what other people say, including these security "experts." Or are you claiming that Apple has some sort of mysterious mind control it will keep to prevent release of the info? ;-)
David
Luckily not enough people actually use Macs to make exploits worth using.
The one complaint I have about OS X is the way it handles wireless networks. I can't save the password on the keyring unless the SSID is being broadcast. What the hell is up with that? With XP, it just works. (Kills me to say that, but it's true.) Hopefully they'll fix it in the next version, but I'm guessing they would rather make it easy for AirPort and a pain for linksys.
I know disabling SSID broadcast doesn't really give you much security, but I live in a townhouse. Why make it easy?
Sounds like the Mac d00d caught a cold. Maybe the PC guy can give him a kleenex.
BTW, high priority patches in the Windows world are usually publicized to make sure users patch. I guess since Mac people just blindly assume they are secure, they... um... don't really have to publicize it... so they can remain blissfully exploitable.
Gotta love that "security through obscurity" mentality, especially when ignorant feelings of superiority are thrown in.
Liar, liar, pants on fire.
This is, obviously, Apple's Enterprise-grade Security and Communications teams in action. Bravo!
Scott
"Hokey religions and ancient weapons are no match for a good blaster at your side, kid."
But captain! If we fire the neutron torpedo with enough forward torque to disengage the Klingons, we'll have overheated the hyperspace generator's switchlocking routine!
The heavens do not fall for such a trifle.
You know, I wish I could type perfect code every time, and sometimes I get lucky, but like many, I do rely on feedback from my software. If I misplace a semicolon, the compiler will tell me, and usually it will tell me which line it's on.
This is important. The compiler telling me "Error on line 176: Expected semicolon" or something similar, even if the actual semicolon should go on line 159, is a hell of a lot better than "Whoops! Error SOMEWHERE in your 10k lines of code. Have fun!"
So, someone telling them "Security bug in your wireless driver" is a hell of a lot easier than trying to audit every single line they ever produce, from Xnu to iTunes and everything in between.
And I do agree with you, sort of. Most of these kinds of problems should not happen, and there are, in fact, people who will develop perfectly secure, perfectly stable software for you -- for about twice the cost. So now the question becomes: Pay twice as much for your shiny new MacBook? Or download a patch every couple months? This patch was 1.5 megs, so I'm leaning heavily towards the patch.
Don't thank God, thank a doctor!
CVE-ID: CVE-2006-3508
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Attackers on the wireless network may cause system crashes, privilege elevation, or arbitrary code execution
Description: A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issue by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.
CVE-ID: CVE-2006-3509
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Depending upon third-party wireless software in use, attackers on the wireless network may cause crashes or arbitrary code execution
Description: An integer overflow exists in the Airport wireless driver's API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage. No applications are known to be affected at this time. If an application is affected, then an attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into the wireless network. This may cause crashes or lead to arbitrary code execution with the privileges of the user running the application. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issues by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.
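An added illustration, not part of the quoted advisory and not Apple's code: the advisory says the fix performs "additional validation of wireless frames", and the C below shows that kind of validation for one assumed case, copying an SSID element from a beacon's tagged parameters into a fixed-size cache entry. The names `scan_entry` and `scan_cache_update` and the sample byte strings are hypothetical; the advisory does not say which field the real overflow involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID  0    /* 802.11 element ID 0 carries the SSID */
#define SSID_MAX 32   /* 802.11 limits an SSID to 32 octets */

/* Hypothetical scan cache entry; not Apple's structure. */
struct scan_entry {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_SSID = -2, PARSE_NO_SSID = -3 };

/* Walk the (ID, length, value) elements of a beacon body. Every length read
 * from the frame is checked against the bytes remaining and against the
 * destination size before anything is copied. */
int scan_cache_update(struct scan_entry *entry, const uint8_t *ies, size_t ies_len)
{
    struct scan_entry tmp;
    size_t off = 0;
    int found = 0;

    memset(&tmp, 0, sizeof tmp);
    while (off < ies_len) {
        if (ies_len - off < 2)
            return PARSE_TRUNCATED;      /* element header cut short */
        uint8_t id = ies[off], len = ies[off + 1];
        off += 2;
        if (len > ies_len - off)
            return PARSE_TRUNCATED;      /* value runs past the frame */
        if (id == IE_SSID && !found) {
            if (len > SSID_MAX)
                return PARSE_BAD_SSID;   /* would overflow ssid[] */
            memcpy(tmp.ssid, ies + off, len);
            tmp.ssid_len = len;
            found = 1;
        }
        off += len;
    }
    if (!found)
        return PARSE_NO_SSID;
    *entry = tmp;                        /* commit only a fully valid frame */
    return PARSE_OK;
}

/* Constructed sample element lists (not captured traffic). */
static const uint8_t good_ies[]        = { IE_SSID, 4, 'h', 'o', 'm', 'e', 1, 1, 0x82 };
static const uint8_t oversized_ies[66] = { IE_SSID, 64 };  /* 64-octet "SSID" */
static const uint8_t truncated_ies[]   = { IE_SSID, 8, 'a', 'b' };

int main(void)
{
    struct scan_entry e;
    memset(&e, 0, sizeof e);
    printf("good:      %d\n", scan_cache_update(&e, good_ies, sizeof good_ies));
    printf("oversized: %d\n", scan_cache_update(&e, oversized_ies, sizeof oversized_ies));
    printf("truncated: %d\n", scan_cache_update(&e, truncated_ies, sizeof truncated_ies));
    return 0;
}
```

Without the `len > SSID_MAX` check, the 64-octet element would be copied into the 32-byte `ssid` field, which is the class of frame-driven overflow the advisory describes.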
...they've probably had a fix for a month but have spent the rest of the time scrambling the executable so you can't "bindiff" them to figure out what has been changed.
Microsoft won't release a patch for a flaw they find themselves until someone else finds it because of the bindiff risk. They typically just fix it in the next OS, which you can't bindiff anyway because they're too different.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Really don't care, They're too busy with Redmond to give a **** about black turtlenecks, and all the smart people are wearing penguin suits with a cute little bow tie...no really, it's a chick magnet ;)
-Noc
As always, daringfireball.net has an interesting article on this. And The Macalope chimes in, too, with a link to an article by Glenn Fleishman. Enjoy.
I found the following interesting comment on Brian Krebs' blog. I wonder what Slashdotters think about it, as I don't have the expertise to tell if the comment is on the mark. If so, then it seems clear that the Apple update patches something completely different than what Ellch (Johnny Cache) described on the DailyDave mailing list:
Maynor and Ellch claimed to have demonstrated there's a bug in the MacBook's wireless drivers.
On September 4th, Ellch posted details. Note how he describes the bug:
"There is a race condition inside the centrino driver ... After many hours of staring at packet dumps I came to the conclusion that the bug wasn't related to specific bytes/ordering of the packets, but the relative times... The reason this bug takes two cards to exploit is that the race condition you are trying to win seems to be so small that a single card can't win it." http://it.slashdot.org/it/06/09/04/1534252.shtml
Compare that with the description Apple provides of the two bugs it found in the MacBook's wireless drivers.
CVE-ID: CVE-2006-3508 -- "A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network."
CVE-ID: CVE-2006-3509 -- "An integer overflow exists in the Airport wireless driver's API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage ... [A]n attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into the wireless network."
Notice Apple discovered a heap overflow and an integer overflow, not a race condition. The overflows can be exploited by a "maliciously crafted frame". That is, unlike the bug Maynor and Ellch claimed to have demonstrated, these two ARE "related to specific bytes/orderings of the packets". And unlike the bug Maynor and Ellch claimed to have demonstrated, these two are NOT related to "relative times". Thus, unlike the bug Maynor and Ellch claimed to have demonstrated, these two can be exploited WITHOUT using a second card.
So much for the claim that Maynor and Ellch have been vindicated by Apple's Security Update.
What about Brian Krebs?
After pointing out that Apple released a patch for wireless drivers, he says "I first wrote about THIS issue [emphasis added] ... roughly two months ago". He did not. He wrote about a purported bug that, as we now know thanks to Ellch, and as Brian Krebs ought to have known, involves a race condition, not a heap or integer overflow.
Krebs goes on to say "Apple and SecureWorks still apparently differ over which side found THE flaw [emphasis added] and how exploitable it really is. But one thing now appears quite clear: The built-in wireless device drivers are indeed vulnerable to exploitation in a manner very similar to what Ellch and Maynor detailed in their presentation."
How could Krebs think so if he read Apple's advisories and kept up with whatever public disclosures Maynor and Ellch decided to make?
If he didn't read the advisories or missed Ellch's public statement, he's either lazy or sloppy or both. If he didn't understand them, he's incompetent. If he did read and understand them, he's prevaricating. Are there any possibilities I've left out?
As for Maynor and Ellch, we still have no independently verifiable evidence of their claim. Maybe they'll provide that kind of evidence tomorrow, or the next day, or maybe next week or next month or next year. Then again, maybe they'll never provide that kind of evidence. Maybe once enough time passes people will forget the bold claim they made, to much fanfare, but without any evidence that can be independently confirmed.
I mean, after all, it's not like Brian Krebs is ever going to call them on it.
There is. Now pay :-)
Meh. That was a publicity stunt. Doesn't make the articles any less interesting (or any less true :-)
Me like me new patches, Yarg!!!
iPatch
The release date being so close to Talk Like a Pirate Day is purely coincidental.
They have Atheros' cards. Completely different beasts really.
Where is that guy who'd die defending what I had to say when I need him?
12% of new laptop sales isn't enough people?
The "market share" dog don't hunt, coward.
If you mod me down, I shall become more powerful than you could possibly imagine.
I'm just glad Apple is actually finding bugs in their own code and fixing them in a reasonable period of time.
I bought a Macbook Pro recently, and it does still have its share of problems. First of all, it's a new platform for Apple so it's almost bound to have a few issues that they didn't predict. Just because OSX has really been running for years on Intel platform, doesn't mean it's optimized for it yet.
This wireless patch deals with a couple of issues they've found. I installed the patch last night, and I sincerely hope that it does fix the "beachball of death" wireless issue that seems to have hit a fair number of MBP owners myself included. The wireless is pretty damned good, the antenna in the machine is significantly better than my other Dell laptop. However, it's not perfect, and it's known to cause problems in the right (wrong?) circumstances. I can't nail down precisely what those circumstances are, but it will freeze Finder with SBOD problems. Thankfully, EscapePod comes to the rescue for me or it would be that big fat power button of death for my MBP.
I reiterate... I am a Mac owner and I'm proud to say that Apple is at least proactively fixing their code. Secureworks identified one problem, Apple fixed three. That speaks volumes to me about how serious Apple are about squashing bugs.
So . . . now that Apple has patched the code, why doesn't secureworks demonstrate their exploit with an unpatched Apple MacBook? Can they? It seems an easy test. If they have an exploit, show it. The code is fixed.
Stop. You are misinformed. The second item in the announcement, CVE-2006-3509, is for the Atheros driver. The third is for Apple's API on the same computers. We don't know if an exploit exists, and we don't know where the flaw might be if it does exist. We don't even know if it's patched, because Apple has said SecureWorks was not working with them. So, rather than recklessly speculate with the incomplete information available to us, let's see what Maynor and Ellch have to say about their possible exploit:
"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook."
Still no exploit... still waiting for one...
Controlling complexity is the essence of computer programming. -Brian Kernighan
Up and running, and ridiculously crackable. Seriously, it takes seconds to get into your network, and there are LOTS of script kiddie tools available. Do yourself the favor and upgrade to WPA. Where I lived last year there weren't even more than 5 computers in reach of my D-Link (working-class district, almost no computers) and even there I had someone in my network when I still used WEP. I didn't care too much as it was clear who it was, and putting the goatse.exe on his Windoze box and printing out some of his p0rn while he was at work was great fun. But where I live now (downtown), I wouldn't touch WEP with a ten foot pole.
Who is General Failure and why is he reading my hard disk?