Apple Denies Wi-Fi Flaw, Researchers Confirm

Glenn Fleishman writes "Apple tells Macworld.com that the Wi-Fi exploit demonstrated at Black Hat 2006 in a video doesn't show a flaw in their hardware or software. A third-party USB adapter with different chips and drivers was used, and Apple says the two researchers haven't provided Apple with code or a demonstration showing a working exploit on Apple equipment. The researchers added a note at their Web site confirming that only an unnamed third-party adapter was used. This doesn't mean the researchers have no flaw to show, but rather that their nose-thumbing at Apple users who were too secure in their security was misplaced, at least at present. The researcher's claim that they were providing information to Apple now seems off-base, too."

What a relief.

[A. Bosch]

So I can go back to being "smug" now about security on my mac?

No, Cower in Fear (TM)

[Gary W. Longsine]

Smug? No, you should Cower in Fear(TM) like The Rest of Them (TM).

Re:What a relief.

[Anonymous Coward]

Some how I think all this current bull shit about Mac users being "smug" about security is simple sour grapes. Linux users are similarly "smug" about security, but that is only if you define "smug" as simply stating the fact that there are certain things in place in the OS either by design or decision that make it inherently more secure out of the box. That in NO WAY means we should take any threat lightly, however stating the inherent higher security of these OS' is far from "smug" it is a simple fact. If no one likes it, then tough shit. I refuse to apologize or be meek about heightened security of my OS preference simply because windows users are pissed off because they are still struggling with exploits and viruses that should have been rendered impotent years ago.

Re:

[Kadin2048]

Huh? I don't know what you're talking about, because I fired up a fresh VMWare machine a few weeks ago, installed a bare WinXP system onto it, and just for fun started using Internet Explorer to browse the 'net. I let this go for a day, with a couple of people using it just for web browsing, and the thing got totally infested with viruses and spyware. I had originally thought it would be interesting to try and decontaminate the system without reformatting it, but eventually I just gave up and rolled back th

Re:

[CaptDeuce]

So I can go back to being "smug" now about security on my mac?

Only if you continue to smell your own farts [wikipedia.org].

Re:

[hmccabe]

I had to put my mouse over your link to see if you linked to an article about what farts are.

What a couple of dicks

[Doctor Memory]

And here I agreed that the Mac community was too complacent. I was hoping that this would be a rather benign wake-up call (given that it wasn't an exploit seen in the wild, and the hats were taking proper precautions to prevent it from becoming so). And now we see that they were just trying to leverage their exploit to make a (valid, but now diluted) point.

Re:What a couple of dicks

[kaan]

Furthermore, all this is going to do is bolster the view that Macs are invincible. ... Oh you say you found another new exploit or vulnerability? Psha! As if! Didn't you hear that the only "exploits" on Macs are total bullshit invented by a couple clowns who hate Steve Jobs? And dude, didn't you see that Apple commercial about "viruses"? The Mac didn't get sick at all! But the PC did!

The thing that's more concerning to me is that the tech news and media start sounding like CNN. It seems like anybody can step up and make a loud claim about something controversial, and the news sites just spread it around. Most other tech security claims are held accountable for documenting details and specifics, and being up-front about things like, "well, this only happens while using a random 3rd party wireless card, which would admitedly happen almost never on a Mac since most have built-in wireless...".

Re:Well let me join karma suicide

[gnasher719]

'' Just giving 20 mins to this story get "FUD" tag and we go -1 levels by some Mac zealot moderator ;) ''

I think there should be an automatic moderation to -2 levels for any post that predicts "I will be moderated down because some zealots don't like my opinion".

Re:

[picklepuss]

I totally disagree. In most cases, when I see "I will be moderated down" it is often followed by a thoughtful, critical analysis filled with reason and supporting evidence. I almost always end up modding them up if I have points.

And in any case, I don't see how the grandparent was flaimbait - I didn't see anything incendiary in the post.

Re:

[Ilgaz]

I added that line on purpose knowing the result it will get. I don't like posting offtopic stuff and this is not off topic, it is the "community" (or part of it) the security specialists, security demanding users, general computer media deals with when they post anything including "mac" and "security".

I am sure there are some exploits out there not posted to web just because people (and companies) got very sick and tired of zealot response they get.

As a Mac owner I have really big questions about the genera

Re:Well let me join karma suicide

[Yvan256]

I have seen people transforming from complete Intel hater to Intel zealot just after WWDC Mactel announcement.

The Pentium 4 was a POS from day one, there was no need to be an Apple / PowerPC zealot to see that. Clock-for-clock, the P3 was kicking the P4's ass.

As for Apple zealots turning into "Intel Zealots" at WWDC05, well, you have to admit the new Intel Core is quite a step-up from their previous CPUs. And the Core 2 is (again) a big step-up too.

Just because something was good/bad in the past doesn't mean it's gonna be good/bad in the future (i.e. Mac OS 9 sucked but OS X is really good, Apple used to suck with their proprietary hardware and software (ADC, Apple-specific PICT screenshots that won't even load correctly in regular programs, etc) but now they're supporting standards (DVI, USB2, Wi-Fi, Bluetooth, PDF, PNG, etc).

Re:

[mrxak]

Heh, count me in that group (well, not to say that I'm an Intel zealot now, I just don't necessarily hate them). But you have to admit, the new intel chips are loads better than their offerings a couple years ago. Core 2 Duo Two Duplo 2 is a much better chip than the Pentium 4, even with a silly name. Although, the Quad Xeon vs. Quad G5 benchmarks I've seen weren't spectacular... Sure, there's improvement, but not as much as one might hope. Intel's killing the G4, but that chip was ancient to begin with. An

Re:Well let me join karma suicide

[NMerriam]

It depends on which Steve Jobs you want to believe. Jobs from 5 years ago spouting off about how "clock cycles aren't everything" and "IBM and Motorola chips are far superior to any Intel chips" or the Jobs of today with "Our new Intel chips make our old chips look like solid state transistors".

I'm convinced slashot is filled with people who just enjoy not being willing to understand the simplest of things.

The PowerPC G5 processor is an absolutely superior design to anything Intel was putting out in the 90s. I don't know of any hardware geek who disagrees, although they may disagree on real-world performance with available complete systems.

That Intel is putting out well-designed power-efficient processors today does nothing to change the past. That IBM is uninterested in desktop computer processors NOW and is allowing the G5 to languish does nothing to diminish the fundamental superiority of the processor design, or the performance advantage it had years ago during active development.

You may as well complain that car buyers today are just fanbois, because beack in the 60s everyone knew Japanese imports were lousy, cheap machines that barely stood up to American cars. Yet now people say Japanese cars are great and reliable -- I mean, gosh, make up your minds, guys, flip-flop much? Once something is bad or good, it has to stay that way FOREVER, Mister Whirly said so!

Re:

[Jeremi]

Incidentally, the "unnamed chip" (an Atheros USB) is supported by OpenBSD - with a 100% open source driver. I can safely browse the web at a coffee shop without being 0wned!

It's entirely possible for your "100% open source driver" to have a security hole in it... hell, it could be based on the same exact codebase that was used in the OS/X driver exploit. You shouldn't get too complacent just because you're running open source software.

So was this just a lie?

[Anonymous Coward]

Security Fix [washingtonpost.com]:

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

Re:

[Anonymous Coward]

Brian Krebs has been proven to be a fraud many times over when it comes to security. Take what he says with a large grain of salt... like maybe one the size of your house. As for the test, I'm surprised the rest of the Black Hat community didn't call Maynor and Ellch out and get them to do the exploit live. Probably because they can't....

Re:

[Sancho]

There's a really, really legitimate reason for not doing the demo live: they'd basically be releasing the exploit. After all, they were giving the talk to a large room full of people with notebooks, and if they started doing a demo, you know damn well that at least a fourth of them would start a wireless packet capture.

Re:

[Anonymous Coward]

"During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that

So some "facts" were just made up...

[gnasher719]

We were told that all Macs are vulnerable. And not only all Macs, but also all Linux machines, and all Windows machines. It seems this was not the case. Apparently there is no exploit at all against a bog standard Macbook with built-in wireless, and that covers about 99.999 percent. Using an external card was essential to the exploit, the claimed "pressure from Apple" was just made up. Remember, these guys _did_ claim that a Macintosh with built-in wireless adapter was vulnerable, and they didn't demonstrate that because of pressure from Apple! I didn't believe it then, nobody should have ever believed it without evidence, and now they have been caught with their lies.

Shame on everyone who reported it without checking the facts.

Careful now...

[Savage-Rabbit]

Remember, these guys _did_ claim that a Macintosh with built-in wireless adapter was vulnerable, and they didn't demonstrate that because of pressure from Apple! I didn't believe it then, nobody should have ever believed it without evidence, and now they have been caught with their lies.

I have done enough debugging work to know that there is always a chance somebody screws up and screws up badly... That goes for Apple just like anybody else (I'm one of their customers by the way). Just because these hackers

Re:

[podperson]

Shame on everyone who reported it without checking the facts.

Nah, they're just on to the next unchecked story. This is old "news" ... why beat a dead horse ... er ... try to unring a bell? We all know that the Macbook was hacked remotely, we found WMDs in Iraq, Saddam Hussein was directly involved in 9/11, and John Kerry inflicted wounds on himself to get a Purple Heart.

Pretty much the only story that's ever been "corrected" successfully was George W. Bush's being AWOL from the National Guard. He was AWOL,

Re:

[mrxak]

I can forgive these people for not checking their facts. I'm lazy enough myself, I can't hold it against them. But what I don't like is when people immediately point out the facts (and they did, I remember people pointing out the 3rd party hardware in droves) the reporters don't issue an immediate correction.

Re:So some "facts" were just made up...

[mrxak]

The fact is, the two guys that showed off this exploit didn't actually exploit Apple hardware but claimed they did. Apple's just saying people should look at this fact. Is Apple untouchable? Probably not. But, until somebody proves otherwise, I'd say they have the ability to truthfully say they are. As of right now, there appears to be no threat whatsoever to Macs. People can complain about arrogance all they want, but right now the arrogance appears to be well founded.

Re:

[Apotsy]

They made it EXPLICITY clear that they were using a 3rd party wireless card, I mean, they said it like four times (as if it wasn't obvious from the video anyway).

And yet they had to add the statement on their website. Obviously they weren't being quite as clear as they could have been. Given their cigarette-stabbing-in-face bias, I wouldn't be surprised if they were deliberately trying to mislead people.

Re:

[mrxak]

Apple says they don't know how the exploit works, but that they aren't affected by it, this seems an odd statement to make (imo).

Or, could it be that the exploit doesn't affect them, and thus the two guys didn't provide them with any information on what they did with a third party hardware?

Something I'd like to know

[Cyborg Ninja]

I'd like to know if the fact that a third-party driver was used was reported when the exploit came out, or if this senior researcher at SecureWorks withheld that information deliberately. He stated he doesn't want to reveal the name of the device for legal reasons, but I don't know if this is just an excuse to hide behind or not. It sounds like he set out with a purpose, that is to make Mac users feel less "smug" about security, rather than point out vulnerabilities to increase security in the long-run. Sort of like a scientific researcher who comes up with a conclusion and will do anything to reach it.

The presenter did mention it

[porkchop_d_clown]

but that fact was pretty thoroughly buried in the avalanche of "OS X is worse than Windows" news reports.

Y'all are a bunch of suckers

[WhiteWolf666]

I told you so [slashdot.org]

75% of people on Slashdot all tout the party line, "Don't believe everything you read in the mainstream media." It doesn't matter whether the discussion involves Iraq, Microsoft, SCO, Linux, IBM, the U.S. government, or CmdrTaco. If it's on CNN, don't believe it.

Well, here I am, to tell you, be skeptical of regular Joes, as well.

In this discussion [slashdot.org], the only people not agreeing with the article said things like, "it was a 3rd party card." The thing is, I don't understand why you would believe AN

Too bad I don't have mod points

[SuperKendall]

Good vent, these people that constaly jump any any apperance of weakness in OS X are far worse (nad more numerous) than the mythical user who thinks the Mac is invincible to any attack.

Big surprise.

[supabeast!]

So if this report is true it means that computer security professionals are grandstanding and misstating the facts to get attention and advance their own personal agendas. I am shocked that such a thing could happen! If we can't trust computer security nerds when they present at Black Hat, how can we trust them when they release proof-of-concept code, call it virus in the wild, and then try to sell us antivirus tools to remove it? How can we trust their products for *nix operating systems?

My God - what if the computer security folks are often just full of shit?

Confusing Headline

[Anonymous Coward]

Researchers "confirm" the denial or "confirm" the flaw?

ahhhh, not so confusing....the headline drew me in to read it for clarification...verrrry clever.

Re:

[MS-06FZ]

I thought it was the second one...

No Surprise

[ar]

Anyone who thought about it for more than a second or two would have realised that it was never going to be a vulnerability in the default MacBook Pro hardware or drivers. If it wasn't, why would they need to introduce a third-party wireless adapter at all?

Frankly, the disclosure here was pretty amateurish. Surely they would have known that demoing the vulnerability on Apple hardware would have implicated Apple. In fact based on the "aura of smugness on security" comment it looks like they deliberately *chose* Apple hardware to be falsely implicated.

Do these guys have *any* credibility left?

Re:

[gnasher719]

'' Anyone who thought about it for more than a second or two would have realised that it was never going to be a vulnerability in the default MacBook Pro hardware or drivers. If it wasn't, why would they need to introduce a third-party wireless adapter at all? ''

Remember that when the "researchers" were confronted with this very reasonable argument, they claimed that they didn't demonstrate their "exploit" with the standard hardware because (as they claimed) "Apple had leaned on them". At that time I though

Re:

[Weedlekin]

Yeah. it's like having MS lean on your three-man software company by buying it for a few million greenies. Oh, woe is me, Micro$soft have used anti-competitive tactics on my poor little company, I'll now have to spend time crying into my cocktail on a beach in Barbados instead of writing C++ and answering phones. Ba$tards!

Special spl0itz!

[Nijika]

I have found this amazing security flaw in OSX. If you take a specially crafted driver, and you use a specially crafted peice of hardware and insert it into the system you want to compramise, you can then compramise it remotely!

Gad Zukes!

This is almost as good as the Debian exploit I found last year. I found that if you built a specially crafted PC, and then installed a specially crafted version of Debian, it would prompt you to set the root password during the install, leaving the system open to compramise by the person installing the OS.

Next year's Black Hat conference, here I come!

In other news...

[b1t r0t]

In other news, Cisco can't reproduce the security flaw from last month's Black Hat conference. [csoonline.com.au]

...and now we've got some guy claiming to be Jon Benet's murderer when there are big holes in his story (claimed he took her home from school, but it was Christmas vacation, and there is little evidence that he was even in Boulder at the time)

What we seem to have here is an epidemic of Attention-Whore-Itis.

Here are the unpublished details on this hack

[sjonke]

1. Take your MacBook and sit it on table
      2. Log in to the MacBook with your username and password
      3. Turn on "Remote Login" in the "Sharing" system preferences pane if it isn't already on
      4. Select your wireless network from the menu in the menubar and enter the password
      5. Write down the IP address that you see in the TCP/IP tab of the airport settings on the MacBook. You'll need it later.
      6. Take a different computer of yours and connect to the same wireless network and enter the password
      7. Bring up a terminal and type in ssh://
      8. At the login prompt enter your username and password
      9. You're in baby, have a fuckin' field day!!!

Re:

[Tarmas]

1. Take your MacBook and sit it on table
2. Log in to the MacBook with your username and password
3. Turn on "Remote Login" in the "Sharing" system preferences pane if it isn't already on
4. Select your wireless network from the menu in the menubar and enter the password
5. Write down the IP address that you see in the TCP/IP tab of the airport settings on the MacBook. You'll need it later.
6. Take a different computer of yours and connect to the same wireless network and enter the password
7. Bring up a te

Tar and feather RESPONSIBLY

[davidwr]

Before you tar and feather someone publicly, make darn sure you don't leave the wrong impression or it will boomerang on you later.

This is true in any industry.

If these guys had made it CLEAR that they were using a NON-APPLE network device from the get-go we wouldn't be having this discussion today.

What they should have said:
"We found a wireless exploit in a major-brand wireless network device. We will be releasing the name and model number of the device after responsible notification to the vendors involved. The videotape you are watching shows this device connected to an Apple Macintosh. We have also tested a device containing the same chipset connected to a Windows-based PC and found similar problems."

Which is sadder?

[david.emery]

1. The inconsistent position of the original demonstration?
2. The willingness of everyone to jump on an actual vulnerability in MacOS X (schadenfreude) ?
3. People who believe that the only reason software is vulnerable is its market share?
4. People who think that a company should be able to warrant/guarantee an OS regardless of what you do to the machine it's running on?

Does /. have a polling mechanism? Can we actually vote on these?

        dave

p.s. my Mini, that runs continuously 24 hours/day including web server, iTunes broadcast, etc, had a kernel panic yesterday. First time, too! I think it was because I was in the middle of LDAP client configuration and left the machine in an inconsistent state, i.e. -operator error-. No, OS X isn't perfect, but it's a damn site better than -any other OS- I've used on personal hardware. The only things I've used in almost 30 years in the business that have been more reliable are VAX/VMS, Ultrix and SunOS 4.0.3...

Re:

[dfghjk]

how can a user error produce a kernel panic without there being a flaw?

I run all my machines 24/7, they share resources on networks, and my mini isn't any more robust than my XP systems. It locks up periodically just like everything else. What is interesting is how frequently it goes unresponsive for long periods of time. The color wheel is one of it's most familiar mouse pointers to me. Perhaps it's a dying harddrive, but, considering that it's on its second motherboard and second harddrive, I'd say my m

Re:

[Ford Prefect]

I never said OS X was without flaws. The fact that I got a kernel panic is evidence of a significant bug somewhere. I just see them -much less often- on Mac OS X than on other PC based OSs I've worked with (since 1978, when I bought my TRS 80 Model 1).

I get a kernel panic on my MacBook Pro [hylobatidae.org] around once a month or so - usually caused by very different things. I tried enabling wireless on a train once, just to see how many networks were zooming past - and then tried connecting to a network to see what happened

Not exactly surprising

[Durandal64]

These guys had a demonstrable bias against Apple's platform and users from the get-go. They specifically chose the MacBook because they didn't like Mac users' supposedly smug attitude about security, so they wanted to make a public example of a Mac getting 0wned. But oh wait, they used a third-party wireless device with a third-party driver, a setup that's about as common on Mac hardware as steaming shit in Antarctica. When asked why they chose this, they claimed that Apple had put pressure on them to not demonstrate the flaw with Apple hardware ... but to go ahead and tell everyone that the same flaw existed in Apple hardware anyway. Why Apple would ask them to do that is anyone's guess. This was a highly dubious claim at the least. It's not surprising at all that it turned out to be total bullshit.

With the statements from Apple, the questionable reasons given by the researchers and their ire about the Mac community in general, I think the most probable conclusion is that these guys are full of shit. What I can't understand is why they'd risk their reputations on something seemingly so petty.

Re:

[dfghjk]

"It's not surprising at all that it turned out to be total bullshit."

Apple made no statement denying the claims. All the said was that a 3rd party adapter was used and that no flaw in their product had been demonstrated to them. Both could be telling the truth and both could be lying. Nothing new here.

"in general, I think the most probable conclusion is that these guys are full of shit."

What stake do you, or anyone here, have in Apple being shown innocent here?

"...their ire about the Mac community in gene

Re:

[atrocious cowpat]

Er... while I basically agree with what you wrote I'd like to note that if you want to be 100% sure that your shit will steam, antarctica probably is the place to go on this planet.

;)

Re:

[easter1916]

Because you're an atrocious cowpat, I will take your word for this.

Headline misleading

[Microsift]

The headline's construction is confusing (paraphrasing) Apple Denies, Researchers Confirm. Since deny and confirm are antonyms, the headline implies that the two parties, Apple and the researchers are in disagreement, which is not the case.

I have been wondering

[cyfer2000]

I have been wondering from the beginning, if they could insert an third party wireless card into my computer, why don't they insert a OS X boot DVD and enable root on my computer? Or simply grab my computer, they can gain TOTAL control of my computer much faster.

Bad PR for SecureWorks

[Alexander]

I guess that's not the publicity they were looking for....

To bad

Well, Duh

[MidKnight]

Anyone who did some passing research into the original posting [slashdot.org] could've seen that. As I said originally, these guys just did their demonstration on a Mac in order to get a publicity storm started. They certainly accomplished that, and probably raised the visibility of their security company as a result. Good for them, I guess.

This is a very real exploit... just not one that the Mac is vulnerable to unless you're using 3rd party wireless hardware. And how many Mac users do you know that use 3rd party wireless hardware? Yeah, me either.

I'm not sure all publicity is good publicity

[Infonaut]

They certainly accomplished that, and probably raised the visibility of their security company as a result. Good for them, I guess.

Given how this has all panned out, would you trust these guys?

Corked

[Nom du Keyboard]

Another corked demo. So what's new about that?

Ummm...

[macthulhu]

I haven't read all of the posts, so my apologies to anyone who posted it first, but... Wouldn't it be smart of Apple to pay these guys a consulting fee to spend a few days with their networking geeks and see if A) they can replicate it on an Airport card, and B) if there's a way to patch the problem, if it exists, in the OS? The hackers get paid, Apple patches a potential security flaw... everybody wins.

SecureWorks Alerted Apple About FreeBSD Flaw

[tsu doh nimh]

There is an update [washingtonpost.com] at the Washington Post's SecurityFix blog that includes this info about the back and forth between Apple and SecureWorks:

"A number of news outlets and blogs have picked up on these various statements and clarifications, but nowhere have I seen this tidbit: Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine.

I looked through the last eight months of patches from Apple and could not find any evidence that it also shipped an update to correct this flaw. Fox said she would check with Apple and get back to me. Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.

"SecureWorks has not be able to exploit this for us," Fox said. "No one has been able to show us a way to exploit our internal [wireless] device drviers with that flaw."

Re:Uh... the "game's" rules are too strict

[computertheque]

When they have integrated wi-fi and the user decides on a third party usb option with questionable settings, I wouldn't say it was my fault either.

It's much like OpenBSD

[Quantum Fizz]

OpenBSD's standard out-of-the-box install is very well-hardened security wise, AFAIK there haven't been any local or remote exploits for years. But once you start opening ports and running daemons (say even third-party daemons) then it's not necessarily secure anymore. But stupid actions by the administrator don't imply that the OS itself isn't secure.

Reality

[SuperKendall]

It would not be rediculous if the device in question were something that someone were at least somewhat likley to use.

But in reality every laptop sold by Apple today ships with an Airport card, and most of the ones sold previously had one as well. What message are you really sending when you trumpet a flaw that affects 1/10 of 1% of Mac users?

The message that Mac users should be aware of possible security vulnerabilites is an excellent one but hyping a vulnerability that would simply not happen in reality was a poor vehicle to convey this message, and basically comes off as self-aggrandizing; that is to say they were far more interested in promoting themselves than warn Mac users about security flaws.

Re:

[XenoPhage]

But you're assuming that the security is in the hardware not the software. It's pretty easy to write software that renders hardware vulnerable to all sorts of exploits. And since the OS maker doesn't control the developers, then it's impossible for them to say that the OS is completely secure.

So, in essence, this research only "proves" that if you take something that is secure out of the box and make alterations, it's possible to break that security.

Re:Uh... the "game's" rules are too strict

[_typo]

Third party drivers run inside the kernel. If they have security flaws there's nothing the rest of the kernel can do about it. Even a microkernel OS will have a hard time being completely secure without trusting the drivers. At some point it's going to have to touch hardware and it's not easy to abstract that away. After all that's what the device driver is there for in the first place. It's not Apple's fault if someone released a crappy device driver. This is why I like all my Linux drivers to be free instead of that binary crap ATI/Nvidia do. Go Intel!

Re:

[Score Whore]

Why couldn't you understand something like that? You've got to stop thinking about these things as network cards and video cards. Think of them as devices that take input, do some work, and produce output. Then you can see that any kind of device is susceptible to bad data.

Re:

[TheRaven64]

As I recall, there was a privilege escalation vulnerability in some of the DRI drivers last year. The i810 driver is horribly insecure, but it is deprecated in favour of the i915 driver (which also supports older hardware).

Re:Uh... the "game's" rules are too strict

[TheGreek]

It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]."

It's a good thing Apple doesn't guarantee that, then, because it would indeed be ridiculous. What they acutally said was:

"Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device-not the 802.11 hardware in the Mac-a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

Re:

[Shisha]

If you have a driver that's loaded as a kernel extension (or a module in Linux), then it executes with kernel privileges. If there is a flaw in the driver then you can "get root". No mainstream OS that I'm aware of provides the level of separation, between kernel space and drivers, that would prevent this kind of exploit from "getting root".

Re:Uh... the "game's" rules are too strict

[ThinkFr33ly]

Drivers typically run in kernel mode. Kernel mode simply can't be "secure". Those drivers can do anything the kernel can do, including write directly to memory (ANY memory), disk, etc.

This applies any ANY OS that allows code to be loaded into the kernel... in other words, allows kernel mode drivers.

In other news...

[Logger]

In other news today, a faulty air bag was blamed for the death of a driver in a recent accident. The auto manufacturer's safety claims for the car were obviously overblown, and their smugness is now revealed.

Update later that day: As a side note to this story, the owner of the vehicle replaced the OEM airbag with one from Orval Reddenbacker, so she could eat popcorn in case she was in an accident. We originally decided we would overlook this aspect, because we have an axe to grind with this manufacturer and to create buzz generating free advertising for our company.

Re:

[dgatwood]

Except that drivers either run in the kernel's address space (in which case security is impossible) or they don't (in which case performance is diminished). The only way to protect an OS from driver malfunctions is use a microkernel, so the question is whether you want slow and secure or fast and ever so slightly less secure....

Re:

[jellomizer]

Well we can assume that OpenBSD is a secure OS. But if I say configure openSSH to allow root logins with no password, should I blame OpenBSD for making an unsecure product. Drivers usually need high level access, because drivers do things the kernel cannot do nativly. If the driver made by a third party then installed by the user, has a security risk then you cant blame, Apple, Microsoft, Linux, *BSD or whatever for being unsecure just because someone elses program that demmands to have high level access is

Re:

[timster]

I'm amazed at the sheer audacity of your post. What you are saying is that any OS MUST have a security model that prohibits the machine's administrator from installing any software which could conceivably break the OS's security. While such systems do exist, I find it hard to believe that anyone would think that such a system would make sense for a consumer or business computer. You're talking military security here, and it would be plain stupid for Apple or Microsoft to design their systems that way.

Who modded parent to +5?

[Viol8]

Insightful my arse. The guy obviously has no clue about how (non microkernel) operating systems and drivers work or tie together.

Maybe he hasn't Hurd of one...

[EccentricAnomaly]

Insightful my arse. The guy obviously has no clue about how (non microkernel) operating systems and drivers work or tie together.

So the monolithic kernel OS's are immune to this? Can you name one non-toy OS that isn't vulnerable to security flaws in a badly written driver?

Re:Uh... the "game's" rules are too strict

[frankie]

Except that 3rd party WiFi is pointless when every mobile Mac comes with AirPort.

What the hackers are actually claiming is: "I can take over any Mac. All I need to do is add this 3rd party hardware, install 3rd party drivers, disable the built-in version, and sneak away without you noticing several inches of antenna sticking out the side."

Re:

[mitchell_pgh]

It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]." Well, then the OS isn't secure. If 3rd-party drivers can break your security, it wasn't really there to begin with, now was it?

Actually, that seems very reasonable to me. Regardless of the OS, if I introduce bug ridden code at the driver level, you are introducing problems.

Analogy Time: If I replaced the built in firewall of OS X with something I code myself, should I get upset with App

Re:

[dafz1]

It's not ridiculous.

The problem lies in the fact that they used a third party wireless adapter. People buy Macs for a number of reasons, one of which being integration(the "Everything just works" argument). No one buys a wireless adapter for a Mac laptop, because they all come with one. If the Airport Extreme card stops working, almost all Mac users will either send it to Apple or take it to an Apple Store/Authorized Apple Service Center to be replaced.

Is OS X 100% secure? If you use a undocumented hack

Re:

[crush]

No one buys a wireless adapter for a Mac laptop, because they all come with one. Not true. A couple of months ago I was asked by some starving-student acquaintances to help them set up wifi in their apartment. They had two older PowerBooks neither of which had wireless of any sort built into them. Faced with spending either $20 x 2 (on sale at Fry's) for USB adapters [macosxhints.com] with an ralink rt2500 chipset [rapla.net] and a c.$70 Linksys-WRT54G router versus c.$80 x 2 (now reduced to $50)for the apple brand cards [outpost.com] and c.$200 [outpost.com]

Re:

[gnasher719]

'' It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]." Well, then the OS isn't secure. If 3rd-party drivers can break your security, it wasn't really there to begin with, now was it? ''

The problem with this argument is that we have no idea what the "exploit" actually was (if there was any; I mean these guys have been caught lying, so why would you believe anything? )

My suspicion is that the WiFi card + driver can be convinced to set up a wirele

Re:

[b1t r0t]

It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]." Well, then the OS isn't secure. If 3rd-party drivers can break your security, it wasn't really there to begin with, now was it?

That's a pretty weak argument. That implies that the OS would even have to protect against a 3rd-party driver that intentionally opens a root shell on a random TCP port.

A flaw in a 3rd-party driver is the fault of the driver vendor, not the OS vendor. Or we could

Re:

[ceejayoz]

You really find "we can't be responsible for other people's fuckups" to be unreasonable?

Re:

[sammy baby]

[sarcasm: on]

Right. Because trying to play a music cd on your computer and installing third party hardware and drivers are, like, exactly the same.

[sarcasm: off]

(How did the parent get modded insightful?)

Re:...or alternatively...

[jspectre]

Wouldn't say no user, but as most macs come with built in airport they rarely use 3rd party wifi adapters and drivers. Infact it's damn hard to find 3rd party wifi adapters and drivers. In any case it certainly isn't any fault of Apples if 3rd party equipment has vulnerabilities.

Re:

[galimore]

Really?

http://www.ioxperts.com/devices/devices_80211b.htm l [ioxperts.com]

You were saying? ;)

Re:

[shawb]

You really don't know what "think different" means. If it's not for sale at the Apple Store [apple.com] then it's not for the Mac. I only see one third party wireless USB device on the page, and that's a bluetooth adapter.

But yeah, the fact that the "security researchers" refuse to reveal information about the vulnerabilities really does make one question their motives, or whether the demonstration was even valid and not simply a rigged demo to help them win some 3133+ p1551ng |v|4t(h or something.

Re:...or alternatively...

[jspectre]

Sorry, I don't see Microsoft building their own hardware and installing their own drivers. Microsoft pretty much doesn't have a choice in using outside drivers, where as with Apple's gear (at least with wifi connections) you have to go out (way out) of your way to use 3rd party hardware and drivers.

I've had XP crash just browsing around in the Explorer, I'd consider that "normal" use.

Anyway, my original point was, don't say "no Apple users ever use third party hardware / drivers" but few do. And in this specific case very few would as wifi is 99% of the time already in your laptop so there is no need for a 3rd party wifi card/driver. In addition 3rd party wifi cards and drivers are damn rare for Macs. Well, you can pick up any USB wifi adapter, but try to find vendor supplied/supported drivers for the mac (there are plenty of open-source drivers trying out there).

Let's face it, the security team wanted to get noticed and bashing Apple's security was an easy way to do it. They got their 15 minutes of fame. Now people are looking at what they said and did and finding the flaws in what they did. If someone had looked at what they were doing beforehand the whole thing would have been laughed off..

Re:...or alternatively...

[Anonymous Coward]

Allow me to provide some background on one of the researchers. David Maynor has never been credited with the discovery of a vulnerability, even after several years at ISS X-Force. I have seen him present at three security conferences (two Blackhats and CANSEC) and not once have I seen him support his claims with any evidence. I am acquainted with a number of his former coworkers in the vulnerability research community and have been told by all of them not to place any stock in his caims. Based on that on the refusal to provide proof, I question this whole situation.

who are we to question?

[guet]

Yeah, so they should also trust two jokers on the internet who want to create a buzz around their presentation, and frame their demo so that it is bound to do so...? It cuts both ways.

Although we'll see nothing but speculation in this article and its comments, eventually the truth will be known, and we'll have an exploit which is documented and proven to work, or not. If Apple have a flaw, and won't admit it, that would light a fire under them wouldn't it?

Given the hackers comments :

Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.

It sounds like they were bullshitting to try to make a splash, which they did. Till I see proof, I'm not inclined to trust either side.

Re:

[marcello_dl]

I would add: why bother getting a 3rd party device if the built-in wireless were vulnerable? They'd have scored many more geek points 0wning a plain mac on stage and then saying "BTW also PCs are vulnerable".

Two faces of trust

[SuperKendall]

. People should ALWAYS trust what a company has to say about its own products. If Dell says there's no problem with their laptop batteries, they must be telling the truth. . right? On the same token, if Apple says that there is no problem with their wireless adapters or software, who are we to question them?

Myself, I trust the people who actually have the code to look at. In this case that would be Apple. They have done little that would lead me to think this statement was misleading.

If you blindly mistrust any company just because it is a company, you are just as badly off as if you blindy accept anythign any company says. You need to use common sense in evaluation statements from anyone.

Re:

[babbling]

Why wouldn't you trust the researchers in this case? Apple has something to lose by admitting a flaw.

Re:

[cyber-dragon.net]

Because as several posters have pointed out... these are not "researchers" with good reputations or a trusted security company or anyone else with any form of credibility. As such, to gain such credibility they must PROVE thier claims, which they flat out refuse to do.

Hell I would not even hold Microsoft, the king of security flaws, accountable for what some unknown guy did using a third party driver he will not produce to prove his claim. And if I would be scepticle about a security flaw in windows, which

"Reasearchers"?

[SuperKendall]

You put far too grand a face on the "researchers", who have a lot more to gain in reputation from "cracking the Mac".

Go back and read the whole story this thing is about.

Use Occams Razor and the truth may come to you.

Apples hold

[SuperKendall]

1) Apple stands to lose a lot more than the researchers have to gain. The researchers gain credibility for discovering a remote-code execution bug in an Apple product--big deal. There have been other remote-root bugs in Apple products. Do you remember any single person who discovered it? Do you even remember the flaws? Apple is building a reputation for being rock-solid and secure, but it's pretty unreasonable to believe that there are NO remote code executions in their products.

Come on, Apple's rep is not

Numbers

[SuperKendall]

Black Hat, you have a choice. You need to code a virus / worm, or develop something to take advantage of an exploit. Your goal is: Make as much money as possible. Your choices are: 1.) attack 2% of the market. 2.) Attack 6% of the market. 3.) Attack 92% of the market.

That's a poor way to look at it, and masks the situation you have with the Mac market today.

Any of those 92% of computers may vary wildly in terms of OS loaded or software used.

With the Mac you have tens of millions of computers (fourteen million registered OS X users). Lots of them are running the same software, the same browser, at the same OS rev.

Looking at the cost of renting botnets on the grey market those millions of computers represent millions of dollars of revenue, even if you crack just a percentage of them. So the question is why would someone leave that money on the table?

The answer is obvious - because it's a lot harder to hack a Mac to use in such a way. So it's not really numbers that are preventing the serious development of attacks today so much as a stronger security model. This would potentially be true even beyond the 80% marketshare point.

Basically the reason the Mac is safer today and will continue to be so even as market share climbs is the same philosophy behind avoiding being eaten by a bear - you just have to be able to run faster than the guy next to you. Windows is puffing something fierce.

Re:

[renoX]

I disagree about your logic, sure Mac are quite identicals but there as so few of them that if you were randomly trying to access a computer, you'd have much better odds of finding a PC with a specific software version too say WindowsXP+IE for example than finding a Mac at all.
So Mac doesn't make an interesting target because of their number.

Their security model is much better than Windows, that's true, so it helps but an interesting question is: what is the percentage of the users getting security updates

That is a key point

[SuperKendall]

Their security model is much better than Windows, that's true, so it helps but an interesting question is: what is the percentage of the users getting security updates on the computer? Because in case of remote exploitable vulnerabilities, the security model does'nt matter..

Actually the patching percentage on the Mac is much better, because by default a Mac is configured to check once a week and install updates. I have seen many Windows users turn off updates for a variety of reasons, but mostly because th

Re:

[FLAGGR]

Okay Einstein, then why did people make viruses for Mac prior to OS X, when there was even *less* marketshare?

Like another poster said, not all security models are built equal. Add up all the BSD, Linux and Mac marketshares, and there is still no exploits. The *nix crowd has a higher server marketshare than desktop, which makes them even more attractive for people to crack.

And btw, not all of 'em do it for money.

Re:

[LaughingCoder]

but the biggest threat to security isn't the architechture or the OS

You are correct, but don't expect aknowledgement in these parts - heck, you are lucky you weren't modded troll or flamebait. Now, you never said OS security or architecture was not a factor, only that it isn't the biggest factor. I agree with you. I think the main reasons Windows is such a target are the following:

1. the sheer number of Windows boxes [providing monetary motivation as you pointed out]
2. operated by non-technical peo

Re:

[skingers6894]

"Let's see what happens to "security" if the market share ever heads north of the 80% mark."

Now THERE'S a security problem Apple would like to have...

WWBS? (What Would Bruce Say?)

[Gary W. Longsine]

Oh, this could be a fun game. I'll start:

This is not mere grandstanding it is also an interesting twist on the ever-raging debate on full disclosure of security vulnerabilities. Eschewed were the two classic positions usually assumed by professionals in the field:

• disclose in public sufficient detail to demonstrate and reproduce (and sometimes fix) the vulnerability, which might or might not include sample exploit code, and
• disclose those details in secret to the vendor).

Rather than adopt a classic p

Already had the spin

[SuperKendall]

This entire quote is focused on the demo video, which the researcher in the video confirms does not affect the Mac. If Mac wasn't affected at all why not just say that, when be so narrow and specific. I am guessing there is a flaw in the default macbook and Apple in now trying to spin this.

We already had the spin - it was from the hackers who tried to claim they couldn't use a stock Macbook because Apple "leaned on them".

Come on, use Occams Razor. What hold would Apple have to lean on these guys? Isn't th