Copyright

Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.

February 28, 2007

Maynor Confirms Last Summer's Native Mac OS X Exploit

Security researcher David Maynor publicly confirmed during a presentation at Black Hat today that he and Jon Ellch had a native Mac OS X Wi-Fi exploit last summer. This is the first time Maynor has confirmed the fact. At the end of a presentation about weaknesses in wireless device drivers and techniques by which those weaknesses can be revealed and exploited, Maynor spoke extensively about his experience in working with Apple's product security, engineers, and PR group last summer. I was sent a copy of the presentation, which Maynor will post on his own site. He left SecureWorks, his employer at the time of last year's dust-up, and now has his own security consulting firm, Errata Security.

In brief, the issue at stake has been whether Maynor and Ellch fabricated an exploit, or whether Apple lied about said exploit; or whether a more baroque explanation could be made. The exploit would have allowed a cracker in radio proximity of a Mac running 10.4.6 and earlier, and possibly 10.4.7 (less certain patches), to gain control of the computer. You can read a relatively concise history I wrote after Apple provided Wi-Fi patches in Sept. 2006 that they claimed were in response to, but not as a result of work done by Maynor and Ellch. (That is, internal work was done at Apple because of concerns, not because of details supplied by the two, Apple said.)

Maynor said he will release code that will cause a Mac OS X 10.4.6 system to crash, but not to "own" it, or take root control. He'll show the control part in a future presentation. This would ostensibly be the code that he and Ellch had created last summer. I would like to assert that Maynor is speaking the truth here based on facts I have been asked not to disclose.

Why should we care? Because this was a significant weakness in an operating system used by millions of people. The response to reports of security problems is significant, as the failure to recognize and repair these problems leaves users vulnerable without being aware of being vulnerable. Researchers who follow reasonable disclosure should receive recognition as encouragement to continue to report these flaws so they can be fixed before the bad guys, typically organized crime using flaws to extract money or con people, take advantage of them.

In the presentation, he shows the emails he sent and describes conversations he had with Apple. Maynor had hoped to put the issue to rest over whether Apple had received material from him: he says and shows that he sent scripts and instructions on replication. I have no reason to believe his screen captures of email are false, nor the responses from Apple he reproduces.

However, and this is going to kill Maynor, what he is able to show from his own email account--he said he cannot show emails sent or received at his SecureWorks account--shows only that Apple received what he sent. It does not show that Apple deemed what he sent "useful." Apple spokesperson Anuj Nayar said at the time that SecureWorks--not mentioning Maynor or Ellch, who was not an employee of that firm, by name--provided no "information to allow us to identify a specific problem."

A later response from Apple's Lynn Fox to queries from George Ou seems to be directly contradicted by what Maynor said today. But there are lots of inconsistencies. In a first-hand account of the talk at News.com, Joris Evers says that Maynor said during his presentation that he sent Apple "code and...packet captures." Fox says that they didn't receive anything related to OS X; Maynor's email shows how he told them how to construct an "FC3" (Fedora Core 3) system that would run the attacks he suggested revealed problems. It's rather confusing.

I have a query into Apple about Maynor's presentation.

It's possible that internal miscommunication within Apple meant that one part of the company received the details directly from Maynor and thought it was useful (read: engineers), while another part was dealing with SecureWorks, which may have provided or not provided a different set of information. SecureWorks was in the middle of a merger with a related firm at that point. It's clear that SecureWorks prevented information from being released to the public.

Maynor makes clear that he and Ellch never intended to show a native exploit, but only a third-party one. They never confirmed the existence of a native Wi-Fi driver exploit until Maynor's talk today. He didn't respond to John Gruber's hack-a-new-Mac challenge because he didn't want to confirm the existence of the flaw. And, he said, SecureWorks succumbed to pressure by Apple--what pressure is unclear, as there should have been no reasonable legal basis--to not speak at Toorcon about the Apple situation last September. SecureWorks and Apple later released a statement that the two firms would work together along with CERT, but no further information has ever been forthcoming.

Brian Krebs of Security Fix at the Washington Post said he saw a native exploit the night before last summer's presentation that led off all this nonsense, but Maynor and Ellch apparently didn't intend to have that information released. It's a reason why they never confirmed Krebs' transcript or account to Krebs or anyone else. It's also unclear whether Krebs saw the actual native exploit, or something akin to it; he apparently did see an exploit without a third-party driver involved. Krebs has been left hanging over this issue this whole time, too, although it hasn't seemed to bother him. News.com reports that Maynor said during the presentation that "I screwed up a little bit" in regards to the confusion about what had been demonstrated.

Maynor wrote in his presentation that he lost patience with Apple after agreeing to provide them information, and their PR arm released statements that broadly denied the existence of flaws that went beyond what Maynor and Ellch had shown and stated was the issue. In an email from Fox in Apple PR that Maynor reproduces in his talk, he notes that she asked him to put a statement on SecureWorks site that would describe more specifically what was demonstrated at Black Hat and to Krebs. What Fox asked for was too broad and possibly inaccurate: she wanted him to deny that any MacBook exploit was possible, and to state that Krebs had not seen any native exploit. Given the confusion around what Krebs saw, I'm not clear whether Fox would have known precisely what Krebs saw, either.

What SecureWorks published was something different--see this archived Security Focus mailing list item, as SecureWorks has pulled the page from their site during a redesign (scroll down to find it). SecureWorks' statement, based on what Maynor now confirms, is accurate.

At the end of this presentation, Maynor notes in passing that even after he received the mail he disliked from Fox, he provided information to Apple about a significant Bluetooth vulnerability, one that hasn't yet been fixed. Maynor said this experience has led him to have no interest in providing information to Apple again about security flaws. That's to all our detriment.

12 Comments

"I would like to assert that Maynor is speaking the truth here based on facts I have been asked not to disclose."

Good Lord, I never expected to see something like that from someone more reputable than George Ou. Why can't Maynor just shut the hell up until he's ready to prove that he can hack 10.4.6. He's not ready? Fine! but at least shut up. I'm not the least bit impressed that he can crash it. I could do that much. I wouldn't be that surprised if he can crash today's driver. The only thing that matters is the claim of taking control. Even some limitations, like non-default settings, will be forgiven, just show us a REAL hack, or.... shut.... up. - Thank you.

As far I'm concerned the only thing that David Maynor has managed to prove is that even unpatched Macs are impregnable to attack, and Mac OS X remains invulnerable. There is nothing to show Maynor and Ellch were not irresponsible, frauds, and shared nothing with Apple.

Glenn -- thanks for the posting.

I still blame Krebs -- it was his botched reporting that started this entire mess, and while you note that Krebs has been left hanging, the larger part of the problem is Maynor's ability to tell a straight story.

Even now -- he'll show something that crashes a Mac, but won't show control until he can gin up some more PR for this new firm? Please.

I'll wait to see the presentation, but it sounds as if Apple's point was true: they did not get information from him on an attack on the native airport drivers.

I'm sorry, but this is just a little too convenient. AFTER Apple patches OSX, months after in fact, then he comes out and shows an exploit. One, in fact, totally different from the one he "showed" last year. Here, it crashes OSX, last year, it allowed access to OSX. My theory is that he just took the bugs Apple fixed, went back and found a crash, and is showing that here. He never found an exploit- Apple did through their own internal investigation.

Based on facts I have been asked not to disclose, I will assert that there are 5 undisclosed vulnerabilities in Vista that can be exploited remotely.

Think about it. Am I any more credible than any other such assertions? What if I got 5 other people to back me up? Would that change my credibility?

Call me when Maynor releases the source and it's independently verified.

Until then? Still not interested in his claims.

(As Apple has released fixes, I see no reason at all why Maynor can't release his code, unless he's simply Full Of It and the exploit required a third-party piece of hardware and driver, as people like Gruber and the Macalope were saying since day 1.)

Umm... I did release the code; it should be showing up on websites at any time. The code proves you can control both a Broadcom-based PowerBook and an Atheros-based MacBook. The only thing missing from the code is the weaponized shellcode, which is part of a talk I am doing in a few months.

In addition to the code, I released emails showing I told Apple about at least one of the problems that were claimed to have been found due to an internal audit.

[Editor's note: David, the comments here about releasing the code are accurate: You may have "released" the code, but it's not yet available for anyone to retrieve, as you say it should show up "at any time." Fair enough. But there's a significant difference! -gf]

Asserting now that Apple's patches defeat Maynor's year-old hack, while promising again to release the details of the hack at some future date, proves nothing about whether Apple wrongly denied him credit. The word "confirms" belongs nowhere in your headline.

And geez, Glenn, any facts that you've been asked not to disclose would be the only new information in your summation. If you can't disclose them, what about this qualifies as news?

"He didn't respond to John Gruber's hack-a-new-Mac challenge because he didn't want to confirm the existence of the flaw."

Seriously? Because he was worried about -- what, exactly? What factors argued against clearing his name, especially after he left SecureWorks and set up his own shop? Restoring his credibility would seem pretty important under those circumstances. And he still hasn't done it.

[Editor's note: Make sure and differentiate between what was ascribed to Maynor and what he actually wrote or said, say, on his own blog or in this presentation. And there is new information: When Maynor makes his presentation available, which he has said he will, you'll be able to see some of the email he sent to Apple. I've seen that, but I don't have permission to post the presentation.--gf]

facts I have been asked not to disclose

You'll excuse me if I burst out laughing. The amount of intrigue in this whole situation is ridiculous. It boils down to two questions:

(1) Did they, or did they not, crack the (wireless) Mac?
(2) Did Apple lie, whether intentionally or otherwise?

It is simple to answer (1): release the exploit, permit independent verification.

It is not simple to answer (2) without requisitioning Apple's corporate email database. I'm not believing anyone, given all of the apparently intentional obfuscation (on the part of several parties) surrounding this supposed crack, without corroborating evidence. I can forge any email thread you like in my word processor, given sufficient time.

Maynor: there is no value in further delaying the release of anything. Reputations do not recover value from avengement in delayed manner, at least not until it's long past too late.

[Editor's note: You're right that this boils down to those two facts. I try to not promise unlimited nondisclosure to people who provide me information, but I was too interested in what they had to say. So I have to say something stupid like I can't disclose facts that would make this much clearer. Maynor needs to provide more details, and he needs to release a host of people from their agreements to stay silent since it's all moot now, their silence.-gf]

Glenn -- it looks as if the PPT is up on the ZDNET site (Scroll to the bottom)

http://blogs.zdnet.com/security/?p=108

I've been a critic of Krebs's reporting on this - it was his original sloppy reporting (claiming a native exploit when the video showed a 3rd party card) that started the firestorm. I do think that a lot of people have been approached by Maynor and told "let me show you something in return for your silence" and that approach has only served to further inflame the story.

My own observation about Maynor is that, whatever his intentions, he cannot stay on message -- every time he opens his mouth a new story comes out. Although I appreciate your bringing us this information, it is very dangerous to base any logic on what Maynor says -- because he'll probably say something slightly different in a few minutes.

In terms of the PowerPoint, you can see copies of the emails in the PowerPoint, although it would be impossible to establish their veracity. If you assume everything he says is true, at best it establishes that he told Apple about a bug in the Broadcom drivers -- which was never publicly disclosed -- and helped build a Linux box for hosting wireless attacks.

I also don't agree with his logic about not releasing his SecureWorks emails. He may be generally right that the emails don't belong to him -- under that reading I'm not sure his .Mac emails belong to him either -- they were done while he was working at SecureWorks. It's also very different than the Lynn situation he cites -- that involved IP that belonged to Cisco vs. disclosing emails.

All we ever asked for last year was proof. The idea that Apple silenced Maynor and Secureworks is .... well, it's difficult to believe in that MOAB and others release vulnerabilities in OS X all the time, and Apple fixes them, and those who revealed the problem get credit.

So, why would Apple launch lawyers and PR firms on Maynor for this problem? Perhaps if Krebs hadn't written that awful article with the misleading headline when the demonstrated hack in fact used a 3rd party card and 3rd party driver ... this all would have been handled calmly like so many other vulnerability fixes.

I also think it's strange that he is releasing something that crashes the machine instead of breaking into it. If you consider that this is different than the original highly-publicized video, there is another possibility. The first video was a fraud, and this new exploit was created based on information provided to the public by Apple when they independently patched flaws in their WiFi implementation. I'm not saying this is what happened, but it occurs to me that it could be possible. That could explain the long wait and the fact that the exploit is quite different than the video. Also, the weaponized shellcode won't show up for a few more months? That gives them time to write it. Again, I'm not saying this is the case, but with this avoidance, a lot of doubt is cast.