
Apple Denies Wi-Fi Flaw, Researchers Confirm 267

Glenn Fleishman writes "Apple tells Macworld.com that the Wi-Fi exploit demonstrated at Black Hat 2006 in a video doesn't show a flaw in their hardware or software. A third-party USB adapter with different chips and drivers was used, and Apple says the two researchers haven't provided Apple with code or a demonstration showing a working exploit on Apple equipment. The researchers added a note at their Web site confirming that only an unnamed third-party adapter was used. This doesn't mean the researchers have no flaw to show, but rather that their nose-thumbing at Apple users who were too secure in their security was misplaced, at least at present. The researchers' claim that they were providing information to Apple now seems off-base, too."

  • by Anonymous Coward on Friday August 18, 2006 @10:38AM (#15934521)
    Security Fix [washingtonpost.com]:

    During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

  • by TheGreek ( 2403 ) on Friday August 18, 2006 @10:46AM (#15934586)
    It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]."
    It's a good thing Apple doesn't guarantee that, then, because it would indeed be ridiculous. What they actually said was:

    "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device-not the 802.11 hardware in the Mac-a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."
  • by ThinkFr33ly ( 902481 ) on Friday August 18, 2006 @10:50AM (#15934615)
    Drivers typically run in kernel mode. Kernel mode simply can't be "secure". Those drivers can do anything the kernel can do, including write directly to memory (ANY memory), disk, etc.

    This applies to ANY OS that allows code to be loaded into the kernel... in other words, allows kernel mode drivers.
  • by TheRaven64 ( 641858 ) on Friday August 18, 2006 @11:32AM (#15934960) Journal
    As I recall, there was a privilege escalation vulnerability in some of the DRI drivers last year. The i810 driver is horribly insecure, but it is deprecated in favour of the i915 driver (which also supports older hardware).
  • by galimore ( 461274 ) on Friday August 18, 2006 @12:04PM (#15935284)
    Really?

    http://www.ioxperts.com/devices/devices_80211b.html [ioxperts.com]

    You were saying? ;)

  • by Anonymous Coward on Friday August 18, 2006 @12:09PM (#15935332)
    "During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported."

    That's not exactly what's being said on their website...
    "This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."
    http://www.secureworks.com/newsandevents/blackhatcoverage.html [secureworks.com]
  • by tsu doh nimh ( 609154 ) on Friday August 18, 2006 @04:21PM (#15937058)
    There is an update [washingtonpost.com] at the Washington Post's SecurityFix blog that includes this info about the back and forth between Apple and SecureWorks:

    "A number of news outlets and blogs have picked up on these various statements and clarifications, but nowhere have I seen this tidbit: Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine.

    I looked through the last eight months of patches from Apple and could not find any evidence that it also shipped an update to correct this flaw. Fox said she would check with Apple and get back to me. Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.

    "SecureWorks has not been able to exploit this for us," Fox said. "No one has been able to show us a way to exploit our internal [wireless] device drivers with that flaw."
