It's the news we've all been waiting for! Well, not quite: David Maynor has released an extensive report on how he discovered, tracked down, and exploited a weakness in the Mac OS X 10.4.6 Wi-Fi drivers (checked against the MacBook and Intel Mac mini, Maynor notes) that allowed kernel-level code execution, which on a driver bug means full control of the machine. The report is extremely technically detailed and beyond my ability to confirm. Perhaps someone can load an appropriate computer with 10.4.6 and follow his instructions to duplicate what he achieved? (Update: A couple of colleagues plan to try this.)
Proof is not an assertion backed by further assertions. It's a body of information that a person with the right knowledge can examine and then reproduce, or at least confirm. Until today, Maynor had not provided details that would amount to proof if confirmed, beyond private demonstrations and limited bits and pieces.
Maynor promised some of this back in February, and promised the release of more within a few days of a presentation in which he offered some details on the Aug. 2006 exploit that he and then-colleague Jon "Johnny Cache" Ellch created (see the comments on the linked post): "I did release the code, it should be showing up on websites at any time," he wrote on March 2. I wasn't able to get an explanation for the delay; Maynor has been constrained because he developed the exploit while employed by a company that clearly didn't want him to keep talking about it. He's independent now, one of the principals of Errata Security, but his old correspondence and other work data are clearly still out of bounds.
The controversy that emerged last year had a few parts. First, what did Maynor and Ellch say and then not say? That is, did they claim a hack, then recant it, then de-recant it? What did they show Brian Krebs of the Washington Post? It's clear they jiggered their demonstration video, but did that affect its verity? Did they, in fact, truly find an exploit, report it to Apple, and get hung out to dry by Maynor's then-employer and "Apple PR," as Maynor described it?
Well, we can't answer most of those questions. I have no expectation that Maynor spent a year developing an exploit that works only on a deprecated release of OS X; if this works now, it surely worked a year ago. I have no doubt that Maynor is genuine and sincere, nor that Ellch is (I liked Ellch's co-written book on hacking 802.11). But what I and other colleagues like Daring Fireball's John Gruber--none of us "zealots," "fanboys," or mouthpieces of Apple PR, as has been variously alleged--have wanted is simple proof rather than assertion.
This first report, with more promised, isn't simple proof, but it should be verifiable by a party with no vested interest. In email with Maynor last week, which I won't disclose per my policy of keeping the contents of received email private, I suggested that if he had simply shown that he could "own" a Mac OS X 10.4.6 system supplied by a third party under controlled conditions, this whole situation would have been much more in his favor last year. Or at any time since. I won't provide his response. (Gruber offered first one and then two brand-new MacBooks for a successful in-person demonstration of the exploit.)
Back in March I published my "Last Post" on this matter, but called it "probably, maybe, almost certainly the last post." Okay, so perhaps this is getting closer to it. Maynor hints that he has further undisclosed, unpatched exploits to come.