Apple Patches Wireless Drivers

Frank writes "Apple quietly released a pair of patches today to its wireless drivers. The patches (one for PowerPC, one for Intel) address distinct buffer overflow vulnerabilities found during an internal audit in response to the claim that fuzzing the drivers resulted in an exploitable failure."

Details

[Lord+Grey]

For those that like details, here is more specific information on the patch: About the security content of AirPort Update 2006-001 and Security Update 2006-005.

erhm

[User+956]

Apple quietly released a pair of patches today to its wireless drivers.

What, you expect them to loudly release a pair of patches? "Hey, everybody, our products have a flaw which allows them to be wirelessly rooted in under a minute! Better apply this patch!!!1!!one!"

Somehow I don't think that would go over too well on Wall Street.

Re:erhm

[Mikachu]

That's what microsoft does :P

Re:erhm

[bobalu]

I think that's a bit harsh. And since I know both my neighbors and they're both developers who I'd trust with my network, and they're both over 200' away, I could give a flying rat's ass anyway.And if Wall Street gave f**** about network security Microsoft would be trading at $1/share.

Additional background info

[richg74]

Brian Krebs, at the Washington Post, has some additional background information and comments in his "SecurityFix" blog.

Re:Additional background info

[Jeff+DeMaagd]

The problem with the whole story is that David Maynor was saying it was the Intel drivers that was at fault, which is an interesting problem because Apple's current notebooks use Aetheros wireless chips.

Re:Additional background info

[Sancho]

The problem is that nobody gets the story right.

Maynor and Cache said that similar flaws existed on many platforms. They said that Intel's drivers had the flaw, and that it was funny that Intel had released a new driver version a week before Black Hat. They also said that the flaw was exploitable on the MacBook using the third-party device and drivers. And they also said that the flaw was exploitable on the Airport with Apple's own drivers.

Now I don't know who to believe in this--both parties have a stake in it (Apple with their reputation as having a 'secure' platform, and Maynor/Cache have their reputations as security consultants). They are on opposing sides, and honestly, Maynor/Cache's statements are a little weaker since they still have not publicly demonstrated the vulnerability on anything but third-party Intel Macbook hardware. Nevertheless, it seems like almost no one writes the whole story (hell, I've probably missed a lot of it, but at least I'm not making allegations regarding anyone's character, here) and makes wild, flaming allegations about how "Maynor's full of shit because they didn't even USE an Apple card" (which, of course, was stated very clearly in the video, had anyone bothered to watch it) or your statement, which completely misses the fact that they claimed that the vulnerability was exploitable using Apple 1st party hardware.

This does NOT make the SecureWorks story true!

[macmaxbh]

I'll let MacWorld say it for me:
From http://www.macworld.com/news/2006/09/21/wireless/i ndex.php:
Apple on Thursday released a Security and AirPort update for Mac OS X that fixes vulnerabilities found in the company's wireless drivers. Apple said the issues found were the result of an internal audit of the software drivers and that no known exploits exist for the issues addressed in this update.
...
Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way.
"They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," Apple spokesman, Anuj Nayar, told Macworld. "Today's update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac."

Re:This does NOT make the SecureWorks story true!

So now we should give credit to companies for announcing that there could be unspecified vulnerabilities in components!? Oooh. Oooh. There could be a vulnerability in Windows Vista's USB drivers! But I'm not going to say what it is! But now they have to credit me every time one is discovered and released!

90% of the driver code processes wireless frames. Saying that there is a vulnerability in the wireless driver when processing malicious frames provides zero information on an actual vulnerability.

Re:This does NOT make the SecureWorks story true!

[GaryPatterson]

Why would that be the thing SecureWorks claimed they found?

It's trivial to catch Apple out - they can just release the communications they sent now that Apple have patched the drivers, and easily show Apple are lying when they said "They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit."

Let's hear from SecureWorks now. Unless... this is a different issue... and Apple aren't lying in such as easily provable way.

Re:This does NOT make the SecureWorks story true!

[Morphine007]

Oh come off it... in a 1492 bit packet, let's say 1500 bit for convenience sake there's only 1500^2 possible combinations of bits to look at...er... wait...fuck.... that's bytes isn't it? So it'd be 1500^8 eh?... bah... fuck it... yer a smart cat... I'm sure you'll figure it out...

Re:This does NOT make the SecureWorks story true!

[Ilgaz]

I like Macworld, trust them on product reviews but their apologising (?) for Apple is a fanboy response not suitable for a independent, professional publication.

Also the Mac community who keeps attacking the messenger started to bug me seriously as a Mac user who is concerned about own security.

I own a Quad G5, do my entire work on Macs, there is no PC around and while posting to Apple stories, I unclick "No Karma Bonus" since I know what will happen. Mac zealots are the biggest security risk to OS X/Macintosh. In fact first real virus/trojan/worm strange thing (Oompa) coding lamer openly admitted that he coded it just to give "Maccies" a lesson.

Think about it.

Re:This does NOT make the SecureWorks story true!

[Morphine007]

yer absolutely right *hangs head in shame* ... it was meant to be a joke... /sigh

Re:This does NOT make the SecureWorks story true!

[mstone]

And just as a piece of related trivia, in _Applied Cryptography_, Bruce Schneier runs the numbers on the minimum amount of energy necessary to represent one bit of information at the quantum level, divides that into the current best estimate for the total energy of the universe, and shows that there isn't enough energy in the universe to completely clock (i.e.: start at zero and increment by one until you overflow and drop back to zero again) a 512-bit counter.

(BTW - multiple exponentiation multiplies the exponents: 2^8^1500 == 2^(8 * 1500) == 2^12,000)

There's no flaw, but heres a patch anyway

[EmbeddedJanitor]

IIRC, a few weeks ago they were adamant that there was no flaw. Seems even darling companies can make mistakes too.

Re:There's no flaw, but heres a patch anyway

[Rosyna]

The "flaw" that SecureWorks reported did not exist. Apple wasn't told what the flaw was or really any details about it, and like a responsible company, audited all relevant code irregardless. They found three potential *crashers*. These may be impossible crashers, as in the requirements to get to that section of code means it is impossible for the data to be invalid, but they added an error check "just in case".

The problem is now days everyone considers a crasher to be a security exploit, even if it can't be used to run any code.

But none of these are what the SecureWorks guys "reportedly" found. Either way, they definitely and without a doubt lied on that video. The device they attached was not a wireless device seen by the system at all. The SecureWorks guys never even stated anything, other than the community didn't have the mental capacity to understand what the exploit was.

They also said they would not release details until Apple fixed it. So I assume they'll now put up or shut up. It really all looks like a publicity stunt to sell their upcoming book.

Re:There's no flaw, but heres a patch anyway

[gabebear]

The flaw announced by SecureWorks was supposedly in a third-party wireless driver for MacOS, not Airport. The article says SecureWorks never gave any proof of a flaw in Apple's drivers, but that they audited them because of SecureWorks announcement and that these patches are the result.

Apple is still adamant that SecureWorks didn't find any flaws.

Re:There's no flaw, but heres a patch anyway

[martinbogo]

Actually .. there *IS* a flaw, as stated by Apple in the release, that does exactly what the SecureWorks people stated.

From the security release:

CVE-ID: CVE-2006-3507

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Attackers on the wireless network may cause arbitrary code execution

Description: Two separate stack buffer overflows exist in the AirPort wireless driver's handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges. This issue affects Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected. There is no known exploit for this issue. This update addresses the issues by performing additional validation of wireless frames.

Re:There's no flaw, but heres a patch anyway

[Durandal64]

Sorry, but you don't remember correctly. Apple stated that SecureWorks had not demonstrated any vulnerability in the AirPort drivers to them. As far as anyone knows, this is true. The SecureWorks people never owned a MacBook through exploiting AirPort drivers.

Re:There's no flaw, but heres a patch anyway

The problem is now days everyone considers a crasher to be a security exploit, even if it can't be used to run any code.

The real problem these days is that crashers which nobody ever thought could be used to run code have been cleverly exploited.

First it was just stack buffer overflows.

Then some clever person figured out how to exploit seemingly-unexploitable heap overflows.

Then it was double-frees and dangling pointers.

The claimed wifi driver exploit is supposedly a fancy timing attack which hits a race condition in the driver.

The simple fact is that most crashers can be exploited, and assuming they can't be exploited just because you can't think of the technique is a terrible idea.

Re:There's no flaw, but heres a patch anyway

[Drishmung]

The SecureWorks people claimed to have compromised a MacBook. That is, an Intel based machine.

But, as you quote:

Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected

IOW, this is evidently not the same vulnerability claimed by SecureWorks.

Stumulated by the brouhaha, Apple have performed a code audit. (I'd suspect they did a remarkably thorough code audit too :) They have found some problems with the PPC drivers, and they have released a patch for them. They don't appear to have found any issues with the Intel code though.

Re:There's no flaw, but heres a patch anyway

[catwh0re]

"Apple is still adamant that SecureWorks didn't find any flaws."

I believe just about everyone is adamant that SecureWorks didn't find any flaws.

Since their initial statement which was launched on digg with a title that read something similar to: "Own a macbook in under 60 seconds". They have claimed the following:
- Fault works on macbooks and most other wireless hardware, platform independent.
- Apple had muscled them into not demonstrating it on apple hardware, instead 3rd party hardware.
- They had informed Apple and other companies of the fault, gave the required details and instructions.
- Will demonstrate the flaw on video as to protect the packets from being sniffed.

Now since the demonstration of the video the following has come out of the woodwork
- These updates do not patch intel based macs such as the macbook.. nor do they patch anything described by SecureWorks
- Apple had never spoken with SecureWorks or it's employees about the "flaws" before the blackhat conference.
- SecureWorks have not informed Apple or any other company of the flaws or gave required details to reproduce them.
- The demonstration on video has been dubious and clearly shows 3rd party hardware being used, with there being no proof that this is a wireless flaw or just a hoax.
- SecureWorks has gone mostly silent on the issue, and have changed their story several times, they have never released details to validate -any- of their claims.

The whole thing has been a terrible farse with the perpetrators reeling into hiding after realising that this is something which the public would want proven and not just take their word for it.

No one expects any platform to be 100% secure, but when you find a fault, particularly one as interesting as a remote wireless hack, you will instantly have a huge audience wanting it proven and demonstrated, they deserve being outcast like they have. Their methods are being publicy dealt with in the same way that a disgraced scientist would be.

Re:There's no flaw, but heres a patch anyway

[catwh0re]

Just to correct the above, of the new patches (3 of them) only some are for the intel macs and some are for the ppc macs. Different flaws exist on different hardware configurations, one requiring 3rd party devices also.

Re:There's no flaw, but heres a patch anyway

[epee1221]

IOW, this is evidently not the same vulnerability claimed by SecureWorks. Stumulated by the brouhaha, Apple have performed a code audit. (I'd suspect they did a remarkably thorough code audit too :) They have found some problems with the PPC drivers, and they have released a patch for them. They don't appear to have found any issues with the Intel code though.

Very true. I wonder why they didn't catch the code said to be responsible for Johnny Cache's exploit. Maybe that's because it's Atheros' driver code, not Apple's. Remember, everybody, they exploited an Atheros card -- an Atheros chipset running Atheros drivers. It's more or less abstracted away from the OS interacting with the card.

Re:There's no flaw, but heres a patch anyway

[powermacx]

You highlighted the wrong part. Let me fix that for you:

Impact: Attackers on the wireless network may cause arbitrary code execution Description: Two separate stack buffer overflows exist in the AirPort wireless driver's handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges. This issue affects Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected. There is no known exploit for this issue. This update addresses the issues by performing additional validation of wireless frames.

The same "no know exploit for this issue" line is on the other two CVEs. So, Apple is saying the the claim made by the SecureWorks guys to Krebs ("the same exploit works on the internal Airport card") is a BIG FAT LIE: they did not have an exploit or if they did, they lied when they said they had shared the details with Apple.

Re:There's no flaw, but heres a patch anyway

There is no known exploit for this issue.

This is like most "exploits." You find a crash situation, it's some overflow of somekind, you wouldn't seg fault other wise. Everyone freaks out, it might be possible to run arbitrary code, it might not be. OpenSSL had a fairly famous one about 3 years ago, the ASN.1 decoder had a crash when you put corrupt certificates in to it, at best it was a type of DoS situation and to this day nobody has ever run arbitrary code with it.

This secureworks thing is the very worst kind of "security" out there. Thing is, just about all code of a certain size has flaws. This includes drivers. Potentially, a defect in a driver is really bad, it's trusted code that executes usually in ring-1 or ring-0. These most likely won't be the last security fixes Apple puts in to their wireless drivers, it's enough code and big enough that there will be more bugs that are found.

Now I've written more and a couple wireless drivers myself and I happen to know that there is next to no way that the secureworks "exploit" works like they claim. I'd be a lot more willing to believe it if they explained that it was a microcode flaw they found or if the device was already associated with something. Some chips, like the Atheros, have a firmware that pretty much does everything and you write not a lot more than an ethernet driver on top of it and you can have wireless, you do another layer of stuff to control some of the tweakables (channel, b or g, etc.. but those are fairly static values you poke in to registers) their firmware will do WPA, WEP, all that crap. So their microcode engine isn't your normal microprocessor, crafting code for it, enough code to associate or send arbitrary packets is an impressive task. It's also rtos based, with no memory allocation, static buffers, and while it's possible that there are some overflows, I think it's pretty unlikely. It seems very believable that you could jam crappy frames in and cause it to hang or drop them in some way but overflow with enough code space to arbitrarily establish a connection to a remote machine? It's also a long way off from the OS. Crafting some frames that cause the OS to start doing that is almost more impressive, I think it's a lower hanging fruit in many ways but you have to trick the whole stack, there are checks along the way, does the OS think it's a raw socket? That never got constructed? It can't be going through the IP stack, data will get dropped at numerous places, not the least of which would be routing. If they crashed the microcode, color me stupid, but I don't see how that get's you to a userspace process or even close to it. There are a lot of things they could reveal about it if they have a real exploit that wouldn't completely reveal the hardware in question. But let's look at that too, how many 3rd party wireless parts are their for MacOSX? 2 or 3?

Re:There's no flaw, but heres a patch anyway

[Sancho]

So, Apple is saying the the claim made by the SecureWorks guys to Krebs ("the same exploit works on the internal Airport card") is a BIG FAT LIE: they did not have an exploit or if they did, they lied when they said they had shared the details with Apple.

This is what Apple has been saying all along. This is not a change, not news, and certainly not any further proof that they are telling the truth (i.e. there's really no way to know whether or not Maynor /actually/ talked to them or not).

Re:There's no flaw, but heres a patch anyway

[dragonman97]

AirPort

CVE-ID: CVE-2006-3508

Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Attackers on the wireless network may cause system crashes, privilege elevation, or arbitrary code execution

Description: A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issue by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.

It sure looks like it affects Intel-based Apple laptops to me. I don't buy the spin - I think it's quite likely the SecureWorks guys are right...and if they're wrong, well then these computers are just more secure. That sounds like a /really bad thing/ to me.

Re:There's no flaw, but heres a patch anyway

[Haiku+4+U]

I don't understand
what you mean. All I see is
a blank spot in quotes.

Re:There's no flaw, but heres a patch anyway

[Saint+Fnordius]

Rather, Apple is adamant in stating that SecureWorks never contacted them. This is important because SecureWorks tried to make it look like they told Apple, but Apple leaned on them to hush it up.

I'm with John Gruber of Daring Fireball on this: my money is on Apple telling the truth. The risks of them getting spanked should it be a lie are too high, and the number of times security companies pull stunts to drum up business doesn't look good for SecureWorks.

Re:There's no flaw, but heres a patch anyway

[powermacx]

This is what Apple has been saying all along. This is not a change, not news, and certainly not any further proof that they are telling the truth (i.e. there's really no way to know whether or not Maynor /actually/ talked to them or not).

Except now they are saying this on a technical document whereas previowsly it was "just" a PR guy so they could have claimed "miscomunication".

Re:There's no flaw, but heres a patch anyway

[elrous0]

it might be possible to run arbitrary code, it might not be.

That's not exactly a very comforting reassurance.

-Eric

Re:There's no flaw, but heres a patch anyway

[Sancho]

And why couldn't they still claim it now?

Re:There's no flaw, but heres a patch anyway

[tvon]

The SecureWorks people claimed to have compromised a MacBook. That is, an Intel based machine.
But, as you quote:

Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected
IOW, this is evidently not the same vulnerability claimed by SecureWorks.

There were a number of patches released for different machines. The Intel machines were also patched to resolve very similar (but not identical) security issues.

Re:There's no flaw, but heres a patch anyway

[Golias]

By the way, other languages, particularly Asian ones, do not have the "double negative" issue that English has.

If you are talking to a Japanese person with limited knowledge of English, and want to have fun confusing him, say something like:

"Wow, Akiko, that new car of yours is not too bad! I bet it wasn't exactly inexpensive, though. I wouldn't dislike having one of these myself."

For example, in Japanese, you can say "not good" (yoku arimasen) because "arimasen" basically means "is not."

The word "amari" is another negative word. It means "not very much".

However, you can only use it with a statement that is already negative, so "amari yoku arimasen" means "not so good" even though the literal word-for-word translation would seem like "not very much not good." (This gives you an idea of why 1980s VCR instructions or current Google translations make such a pig's breakfast of grammar when going from Japanese to Enlgish.)

So the idea that negatives usually cancel each other out in an English sentence is a really hard concept for some Japanese expatriates wrap their heads around.

Once they are advanced enough that they think they have their heads wrapped around how English works, you can throw "flammible" and "inflammable" at them in the same paragraph.

Then you can come at them with the ebonics. Heh heh. Ours is a cruel language.

Re:There's no flaw, but heres a patch anyway

[russotto]

The Atheros chipsets uses software radios, no microcode. Same with Broadcom. So if you can get arbitrary code execution there, you're running within the kernel.

However, many of the Prism chipsets (whoever owns them nowadays) used their own processor, an ARM, as did some Atmel chipsets.

Re:There's no flaw, but heres a patch anyway

[Orrin+Bloquy]

This is why I don't hide comments from ACs. Thanks.

Re:There's no flaw, but heres a patch anyway

[Bull+SR]

>There is no known exploit for this issue.

Has there ever been a successful exploitation of a buffer overflow demonstrated on a PPC Mac? I know it's theoretically possible, but difficult. I do not believe it has ever happened -- as in it's really hard.

Re:Why not...

We complain when Microsoft quietly releases patches, why would we ever expect less of Apple?

Because Linux' security-fixes (about weekly since the flawed AOL-desktop-OS 2.6.* kernel-series) are always loudly announced, right?

Fucking hipocrisy.

Re:Are u kidding

[dpninerSLASH]

It was probably Ringo...didn't he open a hair salon after the break up?

Re:Why not...

Fucking hipocrisy

Welcome to Slashdot.

Sounds like Politics

[Freaky+Spook]

It just sounds exactly the sort of thing politicians do, deny there is ever any problem, quietly legistlate, and then when it comes to an election they can say how wonderful they are at the problem they identified and fixed themselves.

I wonder if Steve is planning on running ;)

Re:Sounds like Politics

[Firehed]

Well other than the national dress code of a black turtleneck and blue jeans and Lattes becoming the official drink of the country, it's not that bad of an idea.

Hmm, maybe this will fix my kernel panics

[straponego]

I get panics on my MBP, in the same few memory locations, when loading the wifi heavily. For instance, using scp or nfs will trigger a panic within a few minutes. This only happens when the wifi is on; ethernet works fine. I've been waiting to take it in for repair until such a time as Apple A) acknowledges all the other problems (heat, whine) I want fixed on this POS, and B) I can stand to do without my beloved POS for a week or so.

Re:Hmm, maybe this will fix my kernel panics

[straponego]

Nope, didn't happen under Ubuntu and memory and the rest of the hardware tested fine.
Oh, wait, you're a trolldouche.

Re:Hmm, maybe this will fix my kernel panics

[Confuzzled]

Apple is currently investigating that issue. Don't take it into the store just yet, they can't offer a solution. Once apple engineering figures it out then we'll see what the fix is.

As to the heat, yes it's a hot machine, nothing can be done about that. They chose to make the machine quiet (the fan hardly ever spins on) but hot.

As to the wine, if it's excessive they can have things replaced; but there will always be a small whine. It's mainly because of the higher voltages (the macbook pro uses an 80 watt power adapter, by comparison all previous powerbooks, even the 17" high rez, used a 65 watt adapter).

"Quietly"

[Overly+Critical+Guy]

"Apple quietly released..."

It's in Security Update where every other update goes, and a spokesperson even talked with MacWorld about it. What's quiet about the release?

Re:"Quietly"

[ModernGeek]

The fact that they didn't hold a secretive special event to announce it.

Re:"Quietly"

[richdun]

It's Patchtime. (R)

Re:"Quietly"

[YU+Nicks+NE+Way]

The iPatch? Did they release this on the 19th of September or something?

"Arr, matey -- it's International Dress Like a Pirate Day, too, dincha know?"

Re:"Quietly"

[krakelohm]

No, that would be the ArriPpatch.

Sorry sounded funnier in my head.

Medical Marijuana

[sugapablo]

Whadya know? There IS an AirPort update in my Software Update thingy.

"Apple never told me that...I had to hear it from Slashdot."

Re:Medical Marijuana

[The+MAZZTer]

What did you expect? Were you hoping for your Mac to suddenly start playing band music, move confetti across the desktop, and then pop up the words "CONGRATULATIONS, YOU HAVE A PENDING PATCH AVAILABLE" over whatever you were trying to work with?

...

I wish Windows did that. :(

Re:Medical Marijuana

[epee1221]

Y'know... someone should write a script to make it do just that....

Dell also released Wireless Patch

I have a Core 2 Duo laptop with the Intel Wireless chipset. Yesterday I pulled down a "Critical" patch and installed it. It think both Apple and Dell are using the same Intel chipsets, so this is apparently an Intel fix.

Re:Dell also released Wireless Patch

[Rosyna]

It think both Apple and Dell are using the same Intel chipsets, so this is apparently an Intel fix.

Apple does not use the Intel wireless chipsets. They use atheros.

Apple can stop them? Huh?

[DavidinAla]

Apple has no control over what other people say, including these security "experts." Or are you claiming that Apple has some sort of mysterious mind control it will keep to prevent release of the info? ;-)

David

Re:Apple can stop them? Huh?

[billsoxs]

Apple has some sort of mysterious mind control it will keep to prevent release of the info? ;-)

No it is the picture of the sheep and .... well if they don't have a picture of you yet - watch out

A near miss...

Luckily not enough people actually use Macs to make exploits worth using.

Mac OS X wireless is not robust

[CyberSnyder]

The one complaint I have about OS X is the way it handles wireless networks. I can't save the password on the keyring unless the the SSID is being broadcast. What the hell is up with that? With XP, it just works. (Kills me to say that, but it's true.) Hopefully they'll fix it in the next version, but I'm guessing they would rather make it easy for AirPort and a pain for linksys.

I know disabling SSID broadcast doesn't really give you much security, but I live in a townhouse. Why make it easy?

Re:Mac OS X wireless is not robust

[Repugnant_Shit]

Maybe I don't understand your problem, but I have a WiFi network at home that does not broadcast its SSID, and uses WPA-PSK and MAC filtering for additional security. My PowerBook and PPC iMac both use this network, and I never have to type a password in. I added my home network to the "Preferred Networks" list in Network preferences.

Re:Mac OS X wireless is not robust

[drcagn]

What's really bad is that it's impossible to differentiate between two APs with the same SSID. My internet connection has gone out, and two neighbors have a network named 'linksys'--one is WEP-encrypted, and the other is open. Trying to connect to the open one mostly brings up a WEP password prompt. Argh, I don't want THAT linksys!

Re:Mac OS X wireless is not robust

[SanityInAnarchy]

Ethernet cable: $5, tops. You may even be able to use the one that currently connects it to the Internet, temporarily. Call linksys and find out how to reset the router -- it's going to be a huge pain in the ass, something like "Tuck the antenna under your arm, stick the power cable up your nose, click your heels three times, and say 'There's no place like Slashdot!'" But it will work. Then turn it on, plug your laptop in directly via network cable, and reset. Set a unique name, then throw away the network cable and unwire.

Also: If you add it to the preferred networks, I'm pretty sure it'll remember by mac address (or something similar), and not by SSID.

Re:Mac OS X wireless is not robust

[SanityInAnarchy]

WPA is not easy. Why make it difficult on yourself?

But 99% of my headaches have been solved by simply adding networks I like to "preferred networks". Once I do that, all I have to do is "Turn AirPort On", and I'm connected.

And while I was travelling with my father, he was using XP, I was using OS X, and I could get on the hotel network in three clicks: wireless menu, Comfort Inn (or whatever), then click "yes" to the agreement from a web browser. It took him a bit more time, and my mother's computer can't seem to connect to anything without being set up to always connect to that network...

And then there's the fact that, yes, OS X is still much more secure than Windows. Ironic to say here, unless you RTFA -- the exploit seems to affect Windows, also. So, all around, OS X seems to be the best OS for wireless, at least until I find a nice gui for Linux wireless.

Re:Mac OS X wireless is not robust

[anti-drew]

I'm not sure his neighbor will let him plug an ethernet cable into his router. Although it wouldn't hurt to ask. ;-)

Re:Mac OS X wireless is not robust

Wow, obviously you don't deal with wireless a lot outside of your own personal computer. I work in a college IT dept and trust me, OS X is infinitely better about dealing with wifi than Windows. The campus uses LEAP for authentication (don't ask) and it's always a huge pain in the ass for a lot of our students who bring in their Windows laptops because the built-in Windows wireless utility does not support LEAP, which then forces us to download and install new drivers and figure out exactly what we need to do for each unique driver and config utility. On OS X, it's a simple three click process.

I also have no problem connecting to my wireless network at home and storing the password in the keychain despite the fact that I don't broadcast the SSID. Have you tried adding your network to the Preferred Network list in the Network Preference Pane?

Re:Mac OS X wireless is not robust

[gnasher719]

'' What's really bad is that it's impossible to differentiate between two APs with the same SSID. My internet connection has gone out, and two neighbors have a network named 'linksys'--one is WEP-encrypted, and the other is open. Trying to connect to the open one mostly brings up a WEP password prompt. Argh, I don't want THAT linksys! ''

I suggest that after you go over to their houses and ask for permission to use their networks, you tell them how to change the SSID.

Re:Mac OS X wireless is not robust

[Burz]

The wireless GUI in XandrOS 4 is similar in function and capability to the one in Windows XP, with its own system tray icon/menu. You can select networks, store passwords, configure WEP and WPA, etc. Its the absolute best there is for wireless in Linux right now.

Re:Mac OS X wireless is not robust

[merdaccia]

A somewhat tangential, though hopefully helpful, addendum to your post is that OS X's Location feature makes life easier still. Adding wireless network SSIDs to your preferred networks is fine and all, but TCP/IP network settings aren't mated to a wireless network. For example, if you store TCP/IP settings for network1, the TCP/IP settings for network2 will be overwritten. Locations are the solution to this problem, and let you associate a set of layer 3 routing preferences with a layer 2 network. Or you could just use DHCP and get it over with. :)

Re:Mac OS X wireless is not robust

[CyberSnyder]

Yeah I tried that, but the only way I could get the "save password to keychain" checkbox is if the linksys was broadcasting it's SSID. If the checkbox would show up when the SSID wasn't being broadcast, then OS X would be much better IMHO. I thought I was imaging things, so I did some tests and SSID on == checkbox to save password, SSID off == no checkbox. This was with WEP encryption.

I guess if I have only one gripe with OS X, it's doing pretty well.

Re:Mac OS X wireless is not robust

[Doctor+O]

With XP, it just works.

I don't know about your keychain problem, for me saving passwords for wireless networks without broadcast SSIDs works just fine. But XP "just works"? You must be kidding. XP doesn't even do WPA out of the box, you have to install shitty "tools" which come with the wireless adapters just because XP only has WEP (a.k.a. 0wn3d-in-30-seconds).

That said, I must say that the easiest wireless install I performed was on my Linux box, followed by the Powerbook I'm typing this from. Plug in adapter, select network, select WPA, enter passphrase, enjoy. I set up XP for quite a number of people (neighbors, relatives, etc.), but it just makes me go MEH every time.

Re:Mac OS X wireless is not robust

[CyberSnyder]

Maybe I should switch to WPA instead of WEP and give that a try. Then again, everything is up and running...

Also the "With XP, it just works" comment is limited only to my personal experience with wireless networks. Nothing fancy. Just WEP encryption.

(I just don't want to see my picture on a billboard with the quote "With XP, if just works.")

Re:Mac OS X wireless is not robust

[russotto]

I suggest that after you go over to their houses and ask for permission to use their networks, you tell them how to change the SSID.

Why bother? Just log into their router and change the SSID yourself. Chances are they don't have their client machine set to use a specific SSID either, so they'll never notice a thing.

As P.T. Barnum might have said, if you can't exploit the foolish and clueless, what are they for?

Re:Mac OS X wireless is not robust

[Bretai]

Disabling SSID broadcast doesn't give you any security, unless you are leaving the network completely open, and you don't want random people jumping on. Anybody who's looking for APs with a scan tool will see you immediately, regardless.

Re:Mac OS X wireless is not robust

[squiggleslash]

Well, ask the neighbour who kindly let you use his or her open network to change the SSID.

You did ask permission, right? I mean, there's no risk it's a neighbour who doesn't actually know his or her network is insecure?

Re:Mac OS X wireless is not robust

[CyberSnyder]

It doesn't give you any security, but it makes it less obvious to neighbors and less of a target when there are others in the neighborhood that are being broadcast (and open). I consider it the equivalent of closing the front door with locking it. Encryption being the lock. Good encryption, the deadbolt.

Re:what gets me...

[MoneyT]

Am I crazy?

To a degree yes. You, nor anyone else in the world is willing to pay what it costs for a fully secure system. It costs money, but more than that it costs time, and people don't want to wait. It is possible to design perfect and bug free software with no defects or attack vectors, but the costs and time associated with it would put it out of the price range of even the most succesful of corporations. And in the end, it would be worthless because it would be outdated by the time you released it. So people want it now, which means not testing for some of the more fringe cases. They also want it cheaper which means leaving out more testing. Witness the computers of today vs the ones of yesteryear. Many computers years ago were built to last, in part because they were expensive enough that a company needed to make them a good investment. These days no one has the stomach to pay for a $5,000 personal computer, even if it means better build quality. They want the latest, the greatest, and they want it now. Software is the same way. We want the latest and the greatest and we want it now, to hell with perfection we can iron the bugs out later.

OK, I'll say it...

[ScooterComputer]

Liar, liar, pants on fire.

This is, obviously, Apple's Enterprise-grade Security and Communications teams in action. Bravo!

Re:Apple: Got Root?

[epee1221]

I guess since Mac people just blindly assume they are secure, they... um... don't really have to publicize it... so they can remain blissfully exploitable.

No, the assumption is that it will be applied automatically like all the other patches. Whenever any Mac OS X system update is released, the System Update app (installed on every system, runs weekly by default) will catch it and prompt the user to download it next time it runs. There is no need to publicize it.

Re:what gets me...

[epee1221]

Apple has a lot of money. Billions in fact. Same with Microsoft. Why the hell don't they audit this stuff BEFORE IT'S RELEASED?

Deadlines. Money doesn't slow the clock. Sure it can pay for extra workers, but that would sorta be a mythical man-month situation.

Re:what gets me...

[Americano]

Be an apologist all you like ("But, it's HARD to write secure software! Wahh!") but we're not going to have secure systems unless the bugs are squashed BEFORE being discovered. Am I crazy?

Problem is, what this implies is that your code must be *perfect* -- all bugs, gone, before release -- or you can't release it.

So let's say you accomplish near-perfection in your code, and you have 1 bug in the entire program. Now, put that program on an operating system, made up of thousands of other binaries, each with only *1* bug in them. Individually, each one of those binaries is nearly perfect. Taken all together, you have a buggy, quirky, unpredictable system of interactions. So do you not release your software until everybody else in the universe also gets theirs right?

Or do you just do the reasonable thing -- release it when it's "okay" so people can use it, and continue improving it via some patching or update process?

Knowing where to look.

[SanityInAnarchy]

You know, I wish I could type perfect code every time, and sometimes I get lucky, but like many, I do rely on feedback from my software. If I misplace a semicolon, the compiler will tell me, and usually it will tell me which line it's on.

This is important. The compiler telling me "Error on line 176: Expected semicolon" or something similar, even if the actual semicolon should go on line 159, is a hell of a lot better than "Whoops! Error SOMEWHERE in your 10k lines of code. Have fun!"

So, someone telling them "Security bug in your wireless driver" is a hell of a lot easier than trying to audit every single line they ever produce, from Xnu to iTunes and everything in between.

And I do agree with you, sort of. Most of these kinds of problems should not happen, and there are, in fact, people who will develop perfectly secure, perfectly stable software for you -- for about twice the cost. So now the question becomes: Pay twice as much for your shiny new MacBook? Or download a patch every couple months? This patch was 1.5 megs, so I'm leaning heavily towards the patch.

Re:what gets me...

[GrahamCox]

This reminds me of the old aphorism:

Every program contains at least one bug; and every program contains at least one redundant line of code. Therefore: logically, all programs can be reduced to one line that doesn't work.

IT DOES AFFECT MACINTELS, 'mung...

CVE-2006-3508 Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact: Attackers on the wireless network may cause system crashes, privilege elevation, or arbitrary code execution
Description: A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issue by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.
CVE-ID: CVE-2006-3509
Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7 Impact: Depending upon third-party wireless software in use, attackers on the wireless network may cause crashes or arbitrary code execution
Description: An integer overflow exists in the Airport wireless driver's API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage. No applications are known to be affected at this time. If an application is affected, then an attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into the wireless network. This may cause crashes or lead to arbitrary code execution with the privileges of the user running the application. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issues by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.

Re:IT DOES AFFECT MACINTELS, 'mung...

[Drishmung]

My bad, I was responding to info posted by parent. I should have checked the orginal info.

Re:Why not...

[TubeSteak]

Does Hipocrisy have a sister?
Cause I've been fucking Hypocrisy for years now.

Just thought they might be related.
Cause of the names you know.

Re:what gets me...

[anti-drew]

Speaking as someone who did five years at Apple, the company certainly does audit stuff before it's released -- particularly network and filesystem code. Patches and bugfixes also tend to get code-reviewed right inside the bug report by several people outside of the core group with good security experience, and reviewed again before they make it into a release. The main problem is that there are so many lines of code and only a finite amount of time, and the more subtle problems take longer to detect. There is a cost-to-profit tradeoff after a certain point.

It's like microwave popcorn. You nuke it and in the first few minutes you can get almost all of the kernels (exploits) popped. Then the rate of popping slows down. After a while, you simply have to stop or else you'll burn right through your profit (of warm, yummy popped corn).

And that's just not worth it. No matter what there will always be a few hiding way down in the bottom of the bag. You can burn through the whole thing and still never pop them all.

Knowing Apple...

[Myria]

...they've probably had a fix for a month but have spent the rest of the time scrambling the executable so you can't "bindiff" them to figure out what has been changed.

Microsoft won't release a patch for a flaw they find themselves until someone else finds it because of the bindiff risk. They typically just fix it in the next OS, which you can't bindiff anyway because they're too different.

Melissa

Some more interesting Links

[LKM]

As always, daringfireball.net has an interesting article on this. And The Macalope chimes in, too, with a link to an article by Glenn Fleishman. Enjoy.

Re:Some more interesting Links

[Ilgaz]

If there is a single "neutral" IT publication about Macs, I will pay for it. No kidding...

Daringfireball even tried to "Challenge" with Secureworks about this issue. The "language" of URL may give you a clue.

http://daringfireball.net/2006/09/lies_damned_lies _and_macbook_wifi_hacks

I said "neutral" btw, not some sites/blogs calling me a "Maccie" or jump up and down with happiness when Oompla.Loompa story broke. :)

There is. Now pay.

[LKM]

If there is a single "neutral" IT publication about Macs, I will pay for it. No kidding...

There is. Now pay :-)

Daringfireball even tried to "Challenge" with Secureworks about this issue. The "language" of URL may give you a clue.

Meh. That was a publicity stunt. Doesn't make the articles any less interesting (or any less true :-)

Re:There is. Now pay.

[Ilgaz]

Thanks about that publication link,I think it is bad news for my idling colour laser printer ;)

About the "stunt", yes, I think I am a bit old fashioned and still trying to get used to Web 2.0

Re:There is. Now pay.

[LKM]

Thanks about that publication link,I think it is bad news for my idling colour laser printer ;)

Don't worry, there's a plain text version :-D

Seriously, though, MDJ and MWJ are by far the best, most in-depth publications on Apple and the Mac. Check out the trial subscriptions.

One note: There's been a problem with the ventilation system in the macjournal's publisher's headquarters, so they're pretty taking an unscheduled vacation right now.

Yarg

[jlebrech]

Me like me new patches, Yarg!!!

New Apple product name

[LeedsSideStreets]

iPatch

The release date being so close to Talk Like a Pirate Day is purely coincidental.

Apple notebooks doesn't use Intel wifi

[Wooky_linuxer]

They have Atheros' cards. Completely different beasts really.

Re:what gets me...

[phasm42]

Good analogy!

12% of new laptops

[argent]

12% of new laptop sales isn't enough people?

The "market share" dog don't hunt, coward.

Re:what gets me...

I really like that analogy. Now if you can just put it in terms of cars...

detent?

[Gary+W.+Longsine]

And since I know both my neighbors and they're both developers who I'd trust with my network

What?! Did somebody declare detent in the forever war between systems administrators and developers whilst I was not paying attention? Never trust a developer with your network! Trust developers with your source code. (Never trust an admin with your source code! (save possibly to back it up...)

Re:detent?

[Swift2001]

When you turn a knob on a radio -- the volume, for instance -- and the knob clicks to another position, that's a detent. What you're reaching for is "detente".

Re:what gets me...

[TubeSteak]

Many computers years ago were built to last, in part because they were expensive enough that a company needed to make them a good investment. These days no one has the stomach to pay for a $5,000 personal computer, even if it means better build quality.

While this is somewhat true, often the quality of a piece of hardware can be increased with a few dollars worth of better parts.

Companies skimp on these nickel & dime items because it's better for their bottom line.

Audio products are a great example of hardware that can be improved by replacing some capacitors and/or resistors with higher quality or differently specced parts.

I don't think there's much of a story here.

[Thumper_SVX]

I'm just glad Apple is actually finding bugs in their own code and fixing them in a reasonable period of time.

I bought a Macbook Pro recently, and it does still have its share of problems. First of all, it's a new platform for Apple so it's almost bound to have a few issues that they didn't predict. Just because OSX has really been running for years on Intel platform, doesn't mean it's optimized for it yet.

This wireless patch deals with a couple of issues they've found. I installed the patch last night, and I sincerely hope that it does fix the "beachball of death" wireless issue that seems to have hit a fair number of MBP owners myself included. The wireless is pretty damned good, the antenna in the machine is significantly better than my other Dell laptop. However, it's not perfect, and it's known to cause problems in the right (wrong?) circumstances. I can't nail down precisely what those circumstances are, but it will freeze Finder with SBOD problems. Thankfully, EscapePod comes to the rescue for me or it would be that big fat power button of death for my MBP.

I reiterate... I am a Mac owner and I'm proud to say that Apple is at least proactively fixing their code. Secureworks identified one problem, Apple fixed three. That speaks volumes to me about how serious Apple are about squashing bugs.

Easy for Secureworks to prove their exploit now

[lergnom]

So . . . now that Apple has patched the code, why doesn't secureworks demonstrate their exploit with an unpatched Apple MacBook? Can they? It seems an easy test. If they have an exploit, show it. The code is fixed.

There's no exploit, but here's a patch anyway

[Bretai]

Stop. You are misinformed. The second item in the announcement, CVE-2006-3509, is for the Atheros driver. The third is for Apple's API on the same computers. We don't know if an exploit exists, and we don't know where the flaw might be if it does exist. We don't even know if it's patched, because Apple has said SecureWorks was not working with them. So, rather than recklessly speculate with the incomplete information available to us, let's see what Maynor and Ellch have to say about their possible exploit:

"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook."

Still no exploit... still waiting for one...

Re:what gets me...

[keytoe]

Apparently, my microwave uses the Microsoft method of bug popping. It goes directly from warm fluffy profit with some unpopped bugs to scorched, terrible tasting profit with the same number of bugs. Then it just tells me to shut up and enjoy anyway because nobody ever got fired for eating Microsoft.

Re:Why not...

[WilliamSChips]

Name me one Linux kernel problem that was actually exploited. *crickets chirping*

Re:what gets me...

[mstone]

As an aside, the team that writes the flight-control software for the space shuttle -- who arguably have some of the highest quality standards in the world of software -- demand an average of about one bug per thousand lines of code at the unit-test stage. First, most bugs show up at the boundary where two different subsystems interact, and it's more cost-effective to find those during the integration stage than at unit-test time.

More importantly, though, if they hit a patch where they consistently fail to find any bugs, they audit their testing procedures to make sure they aren't missing anything.

Re:Apple: Got Root?

[epee1221]

Yep, sure enough, my weekly system update got the AirPort patch.

Forget WEP, upgrade to WPA.

[Doctor+O]

Maybe I should switch to WPA instead of WEP and give that a try. Then again, everything is up and running...

Up and running, and ridiculously crackable. Seriously, it takes seconds to get into your network, and there are LOTS of script kiddie tools available. Do yourself the favor and upgrade to WPA. Where I lived last year there weren't even more than 5 computers in reach of my D-Link (working-class district, almost no computers) and even there I had someone in my network when I still used WEP. I didn't care too much as it was clear who it was, and putting the goatse.exe on his Windoze box and printing out some of his p0rn while he was at work was great fun. But where I live now (downtown), I wouldn't touch WEP with a ten foot pole.