Exploit Released for Unpatched Apple Wi-Fi Flaw

Update, 4:35 p.m. ET: Lynn Fox over at Apple called back with the following statement:

"We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs. We are currently investigating the issue."

Original Post From Earlier Today:

Security researcher HD Moore today released computer code showing how attackers can exploit an unpatched flaw present in the wireless drivers in some Apple Macintosh computers.

"With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD'ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," said LMH (the alias of the hacker who runs the Kernelfun blog) -- referring to an Apple wireless driver issue covered by Security Fix earlier this year (the links in the quote are his).

Moore said he tested the exploit on a 1.0 GHz PowerBook running Mac OS X 10.4.8 with the latest updates (Halloween, 2006). "The fastest way to trigger this bug is to place the card into active scanning mode. This can be accomplished by launching Kismac [a wireless network scanning program] with the active scanning driver, or by using the 'airport' utility provided with OS X."

While Apple released updates in September to fix at least three problems in its wireless drivers, there is currently no fix available from Apple for the flaw detailed by Moore.

I exchanged a series of e-mails with Moore today to ask about some of this exploit's more technical details, which can be viewed here for anyone interested. In a nutshell, he says the exploit is somewhat unreliable as written, but that it could be made more reliable if someone spent a bit more time finessing it. He also said "it may be possible to make this exploit reliable by hammering the Airport driver with requests while triggering the bug."

Moore has since folded the exploit into Metasploit 3.0, a free software tool built to help users exploit security flaws against a variety of operating systems and third-party software applications.

The vulnerability is the first in a series of daily bug details to be released over the next 29 days as part of the "Month of Kernel Bugs" project. LMH said we can expect at least five more Apple kernel bugs to be detailed in the coming days, as well as kernel flaws in Linux, BSD, and Solaris 10 systems.

The "kernel" is probably the most vital and fundamental area of any computer system, as it handles the transfer of information between hardware and software on a machine, among other things. Kernel flaws are serious vulnerabilities, but kernel flaws that are exploitable remotely are extremely dangerous, because an attacker can use them to completely subvert the security of the target machine, usually regardless of the presence of security software or the system privileges of the user account the victim happens to be running at the time.

I put a call in to Apple spokeswoman Lynn Fox and will update this post if I hear back from the company. I also pinged David Maynor from SecureWorks to determine if this was related to the exploit I saw at the Black Hat security conference in Las Vegas this summer, but I've not yet received a response from him either.

I did catch up with Maynor's co-presenter, Johnny "Cache" Ellch, who said the bug Moore released today is unrelated to the flaw detailed at Black Hat.

By Brian Krebs  |  November 1, 2006; 1:25 PM ET



Where's Charlie?

I take HD Moore's 'month of anything' as bittersweet but sure am glad he started the month out with an exploit to an unpatched **APPLE** driver. Looks like pie is in Apple's face and all those smug fanatic Mac people. All the facts weren't out after Black Hat but now they are!

Posted by: hehehe | November 1, 2006 2:19 PM | Report abuse

The earlier SecureWorks attack was stated as working against an out-of-the-box MacBook, which just came out in the last year.

This new attack listed in this article appears to work on Powerbooks from 1999-2003.

So the SecureWorks attack seems to still be under question ...

Posted by: Bill Blackmon | November 1, 2006 3:00 PM | Report abuse

It seems like we're reading about Mac security flaws a bit more, but every time they're "theoretical" or "possible" or "could be developed" or something. Are people fishing for a story about Mac problems--that they're not impenetrable?

By contrast, when we read of windows flaws, it seems that half the time (or more), it's describing an actual hacker attack that has already infiltrated hundreds or more computers world-wide.

Why is this?

Posted by: ah | November 1, 2006 3:30 PM | Report abuse

'Why is this?'

It's because Windows security is a lost cause; because OS X being Unix means the bar is set higher - than even Apple chooses to raise it; and because security experts like HD Moore found the flaw.


Posted by: Rick | November 1, 2006 5:25 PM | Report abuse

This article is so lame. It reads as sensationalist drivel. Gimme a break.

Posted by: Jeff | November 1, 2006 5:58 PM | Report abuse

First off, OS X is not UNIX. It's BSD, which is derived from the same codebase and has mostly the same semantics, but it is incorrect, if for no other reason than trademark, to state that a BSD system is UNIX.

Windows receives far more attention from malware authors for quite a few reasons. The biggest reason is population. The current drive in malware is building botnets. Botnets are most efficient and easiest to control when they're monolithic. No one is going to waste time building a botnet out of the tiny fraction of systems out there running OS X, Linux, etc.

I am far from a Windows advocate, but there really is no security feature present in BSD, UNIX, or Linux that is not present in Windows. (Well, maybe program address space randomization, but I'm not sure whether OS X implements it--Solaris does not, most Linux distros do.) In fact, the NTFS file system implemented features such as ACLs long before they became popular in UNIXy operating systems, and to date, very few UNIXy users bother to use ACLs, whereas reasonable advanced Windows users use them all the time. The access control capabilities for Windows network shares put things like NFS to shame. And Windows group definitions are far more flexible and useful than the traditional UNIX variety. In particular, UNIX fails pretty badly by having only two types of user: root and non-root. This scheme doesn't have adequate granularity for a lot of situations. Traditionally it's worked around using elaborate group permissions, which is klugey and inadequate because UNIX groups aren't hierarchical. In recent years the capabilities feature has arisen, but hasn't sufficiently matured.

Windows's real problems have a lot more to do with the vast base of available applications that do not behave well when the system security is correctly employed. This has created a kind of inertia that keeps people from configuring Windows boxes securely; once you do it, you never know what app is going to break, maybe only when you try to use one particular feature weeks later. Microsoft has, to both its shame and its credit, put too much emphasis on backwards compatibility and not enough emphasis on phasing out vestigial semantics (8.3 filenames, anyone? That came from CP/M!). If Microsoft had designed NT without catering to every whim of a DOS user, Windows would be in much better shape today. They've had multiple opportunities to rectify that, and we'll see if they finally get it right with Vista.

Posted by: antibozo | November 1, 2006 9:10 PM | Report abuse

The sky is falling!

Posted by: KenC | November 1, 2006 9:20 PM | Report abuse

"First off, OS X is not UNIX. It's BSD, which is derived from the same codebase and has mostly the same semantics, but it is incorrect, if for no other reason than trademark, to state that a BSD system is UNIX."

I don't need to read any further to know that anything that follows is drivel, but it gets even worse:

"...there really is no security feature present in BSD, UNIX, or Linux that is not present in Windows."

Posted by: Zeke | November 2, 2006 1:07 AM | Report abuse

Wait, let me make sure I understand this, there is an UNPATCHED Apple vulnerability!?

@antibozo, unfortunately the near infinite flexibility is part of the problem, for instance out of the box XP boots the new user as an admin while this is not true of Macs. Vista does apparently finally address that.

Posted by: DBH | November 2, 2006 10:14 AM | Report abuse

Why would someone waste their time writing exploits for an operating system that has less than 5% of the market? Seems like a waste of time.

I agree with the statement that backwards compatibility is a big problem for Microsoft. Hopefully they will do something about it with Vista.

Posted by: Anonymous | November 2, 2006 11:18 AM | Report abuse

Please ask Moore these two questions:
1- Why the hell didn't he report this directly to Apple and give them a chance to patch before he went public?

2- If the exploit can only be used to cause a kernel panic, how can he possibly do anything other than simply bring the machine to a halt? In OS X, there is really no way to recover from a kernel panic, it stops the machine in its tracks.

So that people understand what is going on, you would actually need to be within range of the attacker with your Airport card in active scanning mode for this exploit to work. Not to say that this isn't an important issue with the prevalence of wifi hot spots these days, but it does require the attacker to be within close proximity.

Posted by: Troy | November 2, 2006 2:01 PM | Report abuse

Hmmm, someone's not been keeping up with the news lately, Gartner announced last month that Apple's US market share is now 6.1%. So they're no longer under 5%.

And making statements like yours using market share when installed base is more to the point just shows your ignorance of the issues.

Writing botnet code is kinda like the burglar that goes down the street looking for a victim. Is he going to try the door at the brightly lit house where there's no concealing brush and a loudly barking dog? No, he's going next door to the house that sports concealing brush by the side door where there's no light and the owner's car is gone. In other words, he's going for the easy mark.

More Windows users own old PCs with old unpatched versions of Windows than own newer versions patched against the vulnerabilities he looks to exploit. He's going to ignore the Macs and Linux because they use security schemes that make it more difficult (not impossible, note) to take advantage of those systems.

Note that this is NOT the old tired, security through obscurity mantra. At first glance, it looks like it, but the REAL reason Windows gets hit by these things is simply because there are more unpatched Windows boxes easily compromised than otherwise. Note that I include PATCHED Windows boxes in the same class as Linux and Macs - because as patched, they are less likely to be easily exploited. Users that regularly patch their Windows boxes are more likely to be careful surfers, who will be less likely to get compromised.

So like I said, it is the unpatched boxes who are owned by the masses of clueless owners that will click on anything someone sends them that are likely to get compromised, and are the REAL targets of the botnet operators. In reality, platform is irrelevant to them, it is actually how easy it is to compromise the system that matters.

Since there are upwards of twenty million Macs out there, and most botnets number in the five to six figures, there are plenty of Mac boxes available for botnet operators. The issue is twofold. First, they need to know how to write code for the Mac. Second, they need a vulnerability, widely unpatched, to exploit. Assuming such an exploit is eventually discovered, (which one will, I am sure) one must determine just how many Macs won't get patched. Given just how easy it is to patch Macs, and that the update mechanism in Mac OS X is on by default, it is probably very common for users to just leave it on and update when prompted. So there probably won't be very many left vulnerable. So will Macs get hit by the botnet attackers? Even if botnet operators were willing to learn how to code for OS X?

Probably not, and market share is the last of the reasons why not.

Posted by: rahrens | November 2, 2006 2:04 PM | Report abuse

rahrens, I agree with much of what you say, but I think your conclusion is logically incorrect. To see why, simply imagine a future in which Mac OS X systems outnumber Windows PCs by a factor of 20:1 or so. Do you really think that, in that scenario, botnet operators wouldn't target Mac OS X systems?

And don't assume that the targeted vulnerability has to be in the OS. There have been plenty of vulnerabilities in, for example, Firefox, that could have been used to install malware on Linux, BSD, OS X, etc. systems, and plenty of people continue to use unpatched versions of Firefox and Thunderbird. If I just look at the logs on one of my web servers, I see plenty of hits from Mac users using versions of Firefox 1.5 as old as These users are vulnerable; if they're not compromised, it's solely because they haven't been targeted with Mac OS shellcode.

And don't believe the myth that, because OS X users are not running as root, they're safe. Any user can install malware--not, perhaps, in protected system directories, but in plenty of other locations. I'm a Linux user. If I were to assume that because I'm working as a non-root user I'm immune to attack, I'd be just as foolish as the Windows user who doesn't patch his system. For the time being, any safety I enjoy in my choice of platform derives from the fact that there aren't that many Linux users out there, and that--perhaps--relatively few of the malware authors have mad Linux coding skillz. But there are plenty of people out there who could, if they wanted to, compromise my system if I hit the wrong site with an unpatched browser, and would be equally true if I were running OS X.

It really is all about population numbers, whether you call it market share or anything else. If there's a major factor after that, it's that Windows is more reviled than Linux or BSD, and is hence the subject of more malicious intent. Maybe, after that, the essential security architecture of the OS itself comes into play. But, as I say, the underlying NT architecture, if it's installed and maintained correctly, is quite good; in ways it reflects a more modern concept of the OS than *NIX. It's weak in practice because it is almost never installed and maintained correctly.

Posted by: antibozo | November 3, 2006 2:19 AM | Report abuse

Is the best we can do?! Hard-up for some news again, Brian?!

Gimme a break. Where's the big article on the IE7 flaws flooding out in the news since its forced release this week?

Yeah, no agenda here...get back to REAL security issues, please? I have a network to run and flaws in ancient wireless cards are nice, but unlike IE7, Apple will have patches sooner than most people will even bother to read this wasted posting.

NO ONE can debate that. Actions speak louder than words on both sides of this RIDICULOUS debate.

Back to real work, kids.

Posted by: Wonk | November 3, 2006 7:35 AM | Report abuse

If there were a 20:1 outnumbering of Macs to PCs there would be a lot of unpatched Macs out there as well. With more users (i.e. market share), there is a higher probability that there will be unpatched machines. It's a numbers game and it doesn't show ignorance of the issues. They knew exactly what they were saying. And by the way, who cares if it is 6.1% or 5%. That has nothing to do with the issue. 6.1% is still a minuscule number of machines sold compared to Windows. I'm no Windows lover, I hate them, but get real.

Posted by: Anonymous | November 3, 2006 9:23 AM | Report abuse

The bottom line here is that Apple is not a target due to the small amount of Apples out there. It is quite rare to hear about vulnerabilities on a Mac simply because the existing hacker community is not working on Mac hacks. I have to say that it's nice to see that any computer, PC or Mac, can have security issues.

Posted by: Tweek | November 7, 2006 11:08 PM | Report abuse



© 2010 The Washington Post Company