Security researcher David Maynor publicly confirmed during a presentation at Black Hat today that he and Jon Ellch had a native Mac OS X Wi-Fi exploit last summer. This is the first time Maynor has confirmed the fact. At the end of a presentation about weaknesses in wireless device drivers and techniques by which those weaknesses can be revealed and exploited, Maynor spoke extensively about his experience in working with Apple's product security, engineers, and PR group last summer. I was sent a copy of the presentation, which Maynor will post on his own site. He left SecureWorks, his employer at the time of last year's dust-up, and has his own security consulting firm now, Errata Security.
In brief, the issue at stake has been whether Maynor and Ellch fabricated an exploit, or whether Apple lied about said exploit, or whether a more baroque explanation could be made. The exploit would have allowed a cracker in radio proximity of a Mac running 10.4.6 and earlier, and possibly 10.4.7 (the patches there are less certain), to gain control of the computer. You can read a relatively concise history I wrote after Apple provided Wi-Fi patches in Sept. 2006 that they claimed were in response to, but not as a result of, work done by Maynor and Ellch. (That is, internal work was done at Apple because of concerns, not because of details supplied by the two, Apple said.)
Maynor said he will release code that will cause a Mac OS X 10.4.6 system to crash, but not to "own" it, or take root control. He'll show the control part in a future presentation. This would ostensibly be the code that he and Ellch had created last summer. I would like to assert that Maynor is speaking the truth here based on facts I have been asked not to disclose.
Why should we care? Because this was a significant weakness in an operating system used by millions of people. The response to reports of security problems is significant, as the failure to recognize and repair these problems leaves users vulnerable without being aware of being vulnerable. Researchers who follow reasonable disclosure should receive recognition as encouragement to continue to report these flaws so they can be fixed before the bad guys, typically organized crime using flaws to extract money or con people, take advantage of them.
In the presentation, he shows the emails he sent and describes conversations he had with Apple. Maynor had hoped to put the issue to rest over whether Apple had received material from him: he says and shows that he sent scripts and instructions on replication. I have no reason to believe his screen captures of email are false, nor the responses from Apple he reproduces.
However, and this is going to kill Maynor, what he is able to show from his own email account--he said he cannot show emails sent or received at his SecureWorks account--shows only that Apple received what he sent. It does not show that Apple deemed what he sent "useful." Apple spokesperson Anuj Nayar said at the time that SecureWorks--not mentioning Maynor or Ellch, who was not an employee of that firm, by name--provided no "information to allow us to identify a specific problem."
A later response from Apple's Lynn Fox to queries from George Ou seems to be directly contradicted by what Maynor said today. But there are lots of inconsistencies. In a first-hand account of the talk at News.com, Joris Evers says that Maynor said during his presentation that he sent Apple "code and...packet captures." Fox says that they didn't receive anything related to OS X; Maynor's email shows how he told them how to construct an "FC3" (Fedora Core 3) system that would run the attacks he suggested revealed problems. It's rather confusing.
I have a query into Apple about Maynor's presentation.
It's possible that internal miscommunication within Apple meant that one part of the company received the details directly from Maynor and thought they were useful (read: engineers), while another part was dealing with SecureWorks, which may or may not have provided a different set of information. SecureWorks was in the middle of a merger with a related firm at that point. It's clear that SecureWorks prevented information from being released to the public.
Maynor makes clear that he and Ellch never intended to show a native exploit, but only a third-party one. They never confirmed the existence of a native Wi-Fi driver exploit until Maynor's talk today. He didn't respond to John Gruber's hack-a-new-Mac challenge because he didn't want to confirm the existence of the flaw. And, he said, SecureWorks succumbed to pressure by Apple--what pressure is unclear, as there should have been no reasonable legal basis--to not speak at Toorcon about the Apple situation last September. SecureWorks and Apple later released a statement that the two firms would work together along with CERT, but no further information has ever been forthcoming.
Brian Krebs of Security Fix at the Washington Post said he saw a native exploit the night before last summer's presentation that led off all this nonsense, but Maynor and Ellch apparently didn't intend to have that information released. It's a reason why they never confirmed Krebs' transcript or account to Krebs or anyone else. It's also unclear whether Krebs saw the actual native exploit, or something akin to it; he apparently did see an exploit without a third-party driver involved. Krebs has been left hanging over this issue this whole time, too, although it hasn't seemed to bother him. News.com reports that Maynor said during the presentation that "I screwed up a little bit" in regards to the confusion about what had been demonstrated.
Maynor wrote in his presentation that he lost patience with Apple after he had agreed to provide them information and their PR arm then released statements that broadly denied the existence of flaws, going beyond what Maynor and Ellch had shown and stated was the issue. In an email from Fox in Apple PR that Maynor reproduces in his talk, he notes that she asked him to put a statement on the SecureWorks site that would describe more specifically what was demonstrated at Black Hat and to Krebs. What Fox asked for was too broad and possibly inaccurate: she wanted him to deny that any MacBook exploit was possible, and to state that Krebs had not seen any native exploit. Given the confusion around what Krebs saw, I'm not clear whether Fox would have known precisely what Krebs saw, either.
What SecureWorks published was something different--see this archived Security Focus mailing list item, as SecureWorks has pulled the page from their site during a redesign (scroll down to find it). SecureWorks' statement, based on what Maynor now confirms, is accurate.
At the end of this presentation, Maynor notes in passing that even after he received the mail he disliked from Fox, he provided information to Apple about a significant Bluetooth vulnerability, one that hasn't yet been fixed. Maynor said this experience has led him to have no interest in providing information to Apple again about security flaws. That's to all our detriment.