Exploit Targets Widely Deployed Wireless Flaw
A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.
According to the the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card's background scan for available wireless networks that apparently triggers the flaw.
Security researcher Johnny "Cache" Ellch said he reported the bug to Broadcom last month, and that the exploit code he released today is tailored to work on a very specific version of the Broadcom driver (Version 18.104.22.168). Still, he said, it appears that every version except a brand new one currently being distributed is vulnerable.
"The exploit only needs to be modified slightly for other versions," Ellch wrote in an online chat conversation with Security Fix.
The Broadcom flaw also highlights a serious set of problems with fixing security vulnerabilities in device-driver software. For starters, who is responsible for shipping a patch? Many different companies use Broadcom chips and rebrand the hardware and drivers as their own. Linksys appears to be the only vendor that has a downloadable update for some of its affected devices. In addition, it's not clear what sorts of mechanisms the PC makers have in place to push updates (should they become available) out to customers.
Apparently, these are questions that a number of security experts are also asking now. In an alert jointly posted today by the Zeroday Emergency Response Team (ZERT is the group that made headlines earlier this year for releasing an unofficial patch to fix a dangerous Windows flaws), the Metasploit Project, the SANS Internet Storm Center and SecuriTeam, the groups explained why writing a one-sized-fits-all patch would not work in this instance.
"Though most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it," the groups wrote in their alert. "Further, building a patch for all the different drivers from each vendor and all their versions, as well as test against them, is impractical."
Paul Vixie, a ZERT volunteer, said Microsoft's Windows Update and Automatic Update patch deployment network could play a huge role in pushing fixes out to affected machines, but he said that process would likely be complicated and take some time.
"Any way they try to address this is going to be a mess, and moving the fix to the user is going to be a lot like moving water with a fork," Vixie said. "This is dangerous because we know that people who like to do bad things are going to take advantage of this, that's no longer an open question."
There is evidence to suggest the Linksys patch may plug the security hole in certain operating systems, but it's not altogether straightforward and we may not be at the stage where it would be responsible to explain how to do that. I suspect that a number of PC makers will come forward with updates to fix this problem in the coming days and weeks, and Security Fix will point to those as they are made available.
In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it.
The comments to this entry are closed.