
Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.


September 21, 2006

Apple Patches Its Wi-Fi Security Weaknesses

Hey, Maynor and Ellch were right! Sort of: Apple released three major vulnerability patches for its AirPort networking system today, but noted that no known exploit is available. The security bulletin describing the weaknesses indicates that an Apple adapter or a third-party adapter on an Intel-based Mac using Apple's Wi-Fi framework need only be turned on, not connected to a network. And the attack only need be "in proximity," but there's no mention of a requirement to be associated with the network.

The patches fix separate weaknesses that could allow properly crafted frames to cause an escalation in privileges, execution of arbitrary code, or system crashes. The PowerPC patch (for Mac OS X 10.3.9 and 10.4.7) mentions just arbitrary code execution; the two for Intel-based Macs (10.4.7) correspond to built-in AirPort support and third-party hooks for Wi-Fi support, and mention all three potential outcomes. (The PowerPC patch likely only affects 2003-and-later AirPort Extreme technology rather than Apple's 1999-2003 original 802.11b AirPort Card-based adapters and base stations.)

David Maynor and Jon Ellch confused the world by telling Brian Krebs of Security Fix at The Washington Post that they had discovered a weakness and developed an exploit against Mac OS X. They later amended this statement, although Krebs continues to claim to have seen a demonstration of it and has a transcript of Maynor stating that. A few weeks ago, Apple released a statement that they had been provided with no evidence showing the weaknesses, which would allow non-associated attackers to hijack computers without accessing a network, and without a Wi-Fi adapter being actively connected with a network.

I wrote about the confusion about who said what, later statements by Maynor and Ellch, additional detail from Brian Krebs and ZDNet's George Ou, and so forth in a Rashomon post.

Apple's Anuj Nayar told Macworld that Maynor's firm SecureWorks "did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," which is how these vulnerabilities were uncovered, he said. He also told Brian Krebs, "SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn't supply us with any information to allow us to identify a specific problem." I spoke briefly with Nayar this afternoon, who confirmed the accurate representation of his statements.

If you're a Kremlinologist of Apple and Wi-Fi, as I am, you can read two important facts out of Apple's security bulletin. First, they state for each of the three patches they released that there is no known exploit. That translates into plainer speech as, "We have seen no software code that can take advantage of this." Second, the bulletin omits any thanks to the reporting sources. Apple always publicly acknowledges--as most firms do--the people and/or organizations that provide direct information about security flaws.

Krebs describes this as Apple and SecureWorks differing over "which side found the flaw and how exploitable it really is." SecureWorks hasn't commented on this directly at all, and Krebs said as I post this that they hadn't responded to his request for comment. An IDG News Service story that appeared later notes, "SecureWorks declined to comment further on the Apple matter." That sounds awfully final.

Perhaps that's because SecureWorks just merged with another firm yesterday? Could Maynor and Ellch's public complaints about lawyers refer, in fact, to the lawyers at SecureWorks who were trying to close the merger deal and didn't want outside distractions that might affect due diligence? The implication was that Apple was behind legal threats, which seems unlikely given the release of today's patches.

The next step here, if Maynor and Ellch are still maintaining that they had discovered a vulnerability as related by Brian Krebs's reporting on it, is for the two researchers or SecureWorks to release everything they have on this to show that Apple is being disingenuous. Because SecureWorks is now off the hook, right? I don't think there's a chance that we'll see that happen.

That Apple would be lying about any of this isn't credible; that's a huge risk for a multi-billion-dollar public company to take, and one that, if it were a lie, would clearly result in lawsuits due to the security implications. I believe this might be the last we hear about this.

Update: I'm wrong about this being the last we hear about it. Maynor and Ellch are now scheduled to talk on Wireless Drivers at Toorcon at the end of September in San Diego. Note that while Maynor and Ellch have consistently said they're bad at dealing with PR, the description of the talk uses a particular rhetorical technique in describing the kerfuffle. "Since the first details of our demo were reported two camps instantly formed, people who thought the work and research was good and people thought we faked everything and we are horrible people."

In fact, there are several camps. You know the old joke--there are two kinds of people in the world: those who classify people into two groups and those who don't? There are those who believe that Maynor and Ellch are perfectly fine people and overstated the impact of their research, too.

There's also the problem that there is a very small camp of people who have seen "the work and research." Because none of this has been released, only a few non-disclosed people have ever seen what Maynor and Ellch allege is the vector of attack and the related (if any) exploit code.

Maynor and Ellch have continually tried to recast the aftermath of Black Hat as those of us reporting on it being a bunch of tech newbies who can't see the overall importance of their generic fuzzing approach which can reveal weaknesses that otherwise prove resistant to other forms of testing. Of course, that's never been what's reported on. The issue isn't whether a generic technique results in new methods for improving security; that's fantastic. Rather, the issue is whether the two researchers discovered anything in particular.

My prediction is that Maynor and Ellch continue to be evasive at the talk and fail to show any code samples or anything that provides convincing proof that they had an actual instead of theoretical weakness in hand at the time of the Black Hat talk.

Update to update: Okay, with a little more insight that I can't provide details about, I now believe Maynor and Ellch will provide a lot of detail at Toorcon. We'll have to wait and see.

And another update: George Ou runs through his timeline on the exploit/weakness debate. Ou has a variety of information that he is not allowed to disclose--he discloses that he can't disclose it--that leads him to state definitely that Apple is not giving Maynor and Ellch due credit. He'll be at Toorcon and offer coverage of that event.

1 Comment

David Maynor and Jon Ellch, in their original description of the bug, described it as a race condition that needed proper timing to execute. Apple's patches are described as fixing stack and heap vulnerabilities.

Before giving any credit to Maynor and Ellch, I'd like to see this apparent discrepancy resolved. Otherwise, the only credit they should get is for saying "the software has bugs," a statement that is not very creditworthy, as it is arguably true about every non-trivial piece of software ever written.