Apple Ships Patch for MacBook Wi-Fi Hack

Apple Computer has shipped a critical AirPort update to correct a trio of security flaws that put Wi-Fi-enabled Mac systems at risk of code execution attacks.

The patch comes almost two months after the public disclosure of the threat at the Black Hat Briefings and brings an end to a raging controversy over claims by two security researchers that Apples MacBook was vulnerable to the flaw.

Apple originally denied that the bug affected its products, but the AirPort update released Sep. 21 represents an about-face by the Cupertino, Calif., company.

Interestingly, the Apple advisory on the AirPort update does not credit the two researchers—David Maynor and Jon “Johnny Cache” Ellch—or SecureWorks, the Atlanta-based company that claimed ownership of the vulnerability details.

According to Apples alert, two separate stack buffer overflows exist in the AirPort wireless drivers handling of malformed frames.

“An attacker in local proximity may be able to trigger an overflow by injecting a maliciously crafted frame into a wireless network. … When the AirPort card is on, this could lead to arbitrary code execution with system privileges,” the company warned.

The flaw, rated by third-party researchers as “highly critical,” affects Power Mac, PowerBook, iMac, Mac Pro, Xserve and PowerPC-based Mac Mini computers equipped with wireless.

/zimages/4/28571.gifClick hereto read more about Apples recent Mac security challenges.

Intel-based Mac Mini, MacBook and MacBook Pro computers are not affected by these bugs. However, Wi-Fi-enabled MacBook and MacBook Pro systems are vulnerable to a separate heap buffer overflow caused by the way the embedded wireless driver handles scan cache updates. “This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges,” Apple said.

A third issue affecting third-party wireless software used by Mac systems is also addressed to correct a flaw that may cause crashes or arbitrary code execution.

Apple described it as an integer overflow that exists in the AirPort wireless drivers API for third-party wireless software. “This could lead to a buffer overflow in such applications dependent upon API usage. No applications are known to be affected at this time,” the company said.

If an application is affected, the advisory warns that an attacker in local proximity may be able to trigger an overflow, again by injecting a maliciously crafted frame into the wireless network.

The third-party driver bug affects Intel-based Mac Mini, MacBook and MacBook Pro computers equipped with wireless.

At the Black Hat conference in early August, Maynor and Ellch used a video presentation (here as a Windows media file) to show how a MacBook machine could be hijacked using the Wi-Fi driver bug. The demo used an unidentified third-party wireless card but, at the time, the pair insisted that Apples built-in driver was also susceptible to the bug.

Maynor and Ellch did not release details or exploit code for the flaw, which affects a wide range of Wi-Fi card manufacturers. The researchers have notified the affected companies and are working closely to identify the vulnerable code.

Ellch, a well-known security expert and creator of wireless hacking tools, made it clear that the issue is not specific to Apples Mac computers. “This isnt an Apple problem or a Microsoft problem. This is something thats problematic across the industry,” he said at the time.

Intel recently updated the software behind its Centrino chip bundle to fix three security vulnerabilities that, in one case, could allow an attacker to execute code remotely on a laptop.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.