Hey, Maynor and Ellch were right! Sort of: Apple released three major vulnerability patches for its AirPort networking system today, but noted that no known exploit is available. The security bulletin describing the weaknesses indicates that an Apple adapter or a third-party adapter on an Intel-based Mac using Apple's Wi-Fi framework need only be turned on, not connected to a network. And the attacker need only be "in proximity"; there's no mention of a requirement to be associated with the network.
The patches fix separate weaknesses that could allow properly crafted frames to cause an escalation in privileges, execution of arbitrary code, or system crashes. The PowerPC patch (for Mac OS X 10.3.9 and 10.4.7) mentions just arbitrary code execution; the two for Intel-based Macs (10.4.7) correspond to built-in AirPort support and third-party hooks for Wi-Fi support, and mention all three potential outcomes. (The PowerPC patch likely only affects 2003-and-later AirPort Extreme technology rather than Apple's 1999-2003 original 802.11b AirPort Card-based adapters and base stations.)
David Maynor and Jon Ellch confused the world by telling Brian Krebs of Security Fix at The Washington Post that they had discovered a weakness and developed an exploit against Mac OS X. They later amended this statement, although Krebs continues to claim to have seen a demonstration of it and has a transcript of Maynor stating that. A few weeks ago, Apple released a statement that they had been provided with no evidence showing the weaknesses, which would allow non-associated attackers to hijack computers without accessing a network, and without a Wi-Fi adapter being actively connected to a network.
I wrote about the confusion about who said what, later statements by Maynor and Ellch, additional detail from Brian Krebs and ZDNet's George Ou, and so forth in a Rashomon post.
Apple's Anuj Nayar told Macworld that Maynor's firm SecureWorks "did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," which is how these vulnerabilities were uncovered, he said. He also told Brian Krebs, "SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn't supply us with any information to allow us to identify a specific problem." I spoke briefly with Nayar this afternoon, and he confirmed that his statements had been accurately represented.
If you're a Kremlinologist of Apple and Wi-Fi, as I am, you can read two important facts out of Apple's security bulletin. First, they state for each of the three patches they released that there is no known exploit. That translates into plainer speech as, "We have seen no software code that can take advantage of this." Second, the bulletin omits any thanks to the reporting sources. Apple always publicly acknowledges--as most firms do--the people and/or organizations that provide direct information about security flaws.
Krebs describes this as Apple and SecureWorks differing over "which side found the flaw and how exploitable it really is." SecureWorks hasn't commented on this directly at all, and Krebs said as I post this that they hadn't responded to his request for comment. An IDG News Service story that appeared later notes, "SecureWorks declined to comment further on the Apple matter." That sounds awfully final.
Perhaps that's because SecureWorks just merged with another firm yesterday? Could Maynor and Ellch's public complaints about lawyers refer, in fact, to the lawyers at SecureWorks who were trying to close the merger deal and didn't want outside distractions that might affect due diligence? The implication was that Apple was behind legal threats, which seems unlikely given the release of today's patches.
The next step here, if Maynor and Ellch are still maintaining that they had discovered a vulnerability as related by Brian Krebs's reporting on it, is for the two researchers or SecureWorks to release everything they have on this to show that Apple is being disingenuous. Because SecureWorks is now off the hook, right? I don't think there's a chance that we'll see that happen.
That Apple would be lying about any of this isn't credible; that's a huge risk for a multi-billion-dollar public company to take, and one that, if it were a lie, would clearly result in lawsuits due to the security implications. I believe this might be the last we hear about this.
Update: I'm wrong about this being the last we hear about it. Maynor and Ellch are now scheduled to talk on Wireless Drivers at Toorcon at the end of September in San Diego. Note that while Maynor and Ellch have consistently said they're bad at dealing with PR, the description of the talk uses a particular rhetorical technique in describing the kerfuffle: "Since the first details of our demo were reported two camps instantly formed, people who thought the work and research was good and people thought we faked everything and we are horrible people."
In fact, there are several camps. You know the old joke--there are two kinds of people in the world: those who classify people into two groups and those who don't? There are those who believe that Maynor and Ellch are perfectly fine people and overstated the impact of their research, too.
There's also the problem that there is a very small camp of people who have seen "the work and research." Because none of this has been released, only a few non-disclosed people have ever seen what Maynor and Ellch allege is the vector of attack and the related (if any) exploit code.
Maynor and Ellch have continually tried to recast the aftermath of Black Hat as a case of those of us reporting on it being a bunch of tech newbies who can't see the overall importance of their generic fuzzing approach, which can reveal weaknesses that otherwise prove resistant to other forms of testing. Of course, that's never been what was reported on. The issue isn't whether a generic technique results in new methods for improving security; that's fantastic. Rather, it's whether the two researchers discovered anything in particular.
My prediction is that Maynor and Ellch will continue to be evasive at the talk and fail to show any code samples or anything that provides convincing proof that they had an actual rather than a theoretical weakness in hand at the time of the Black Hat talk.
Update to update: Okay, with a little more insight that I can't provide details about, I now believe Maynor and Ellch will provide a lot of detail at Toorcon. We'll have to wait and see.
And another update: George Ou runs through his timeline on the exploit/weakness debate. Ou has a variety of information that he is not allowed to disclose--he discloses that he can't disclose it--that leads him to state definitively that Apple is not giving Maynor and Ellch due credit. He'll be at Toorcon and will offer coverage of that event.
David Maynor and Jon Ellch, in their original description of the bug, described it as a race condition that needed proper timing to execute. Apple's patches are described as fixing stack and heap vulnerabilities.
Before giving any credit to Maynor and Ellch, I'd like to see this apparent discrepancy resolved. Otherwise, the only credit they should get is for saying "the software has bugs," a statement that is not very creditworthy, as it is arguably true about every non-trivial piece of software ever written.