Series: To the Maynor Born: Cache and Crash
A Wi-Fi exploit was discovered in summer 2006 that could allow a remote but nearby user to hijack a Mac OS X system via its AirPort connection - or could it? We explore this over several articles.
Article 1 of 7 in series
A potentially serious exploit of Mac OS X's wireless networking hardware drivers has had a very limited demonstration. The exploit, which apparently relies on a flaw at the lowest level of the drivers' interaction with Mac OS X's kernel, has not yet been independently confirmed, nor has Apple released a statement on the matter. The flaw, if proven, could allow an attacker to gain root access privileges via Wi-Fi.
Researchers Jon Ellch and David Maynor found the flaw in Apple's Intel-based Macs running Mac OS X and in PCs running Windows XP using certain Wi-Fi adapters, and presented their findings at the Black Hat USA 2006 Briefings last week. They declined to show the exploit live to avoid giving out details that could be turned into a security threat in the wild.
The researchers maintain that the flaw can affect any Wi-Fi equipped computer as noted above, regardless of whether the computer is actively connected or connecting to a network, and the exploit does not involve a rogue access point - one that attempts to fake an identity to get a connection from a client.
The videotape that the researchers showed didn't demonstrate that. The researchers connected what appears to be a covered-up USB device to a MacBook, which is then connected to a network running on a Linux computer. They then show files being manipulated on the desktop but no other attack being carried out.
There is lively discussion at the Washington Post's Security Fix blog about whether this is just a rigged demo or a real event, although beware the personal abuse directed at the blog's writer, Brian Krebs. (Many are taking this attack against a MacBook personally. Surprise, surprise.)
According to two experts TidBITS has heard from, the videotape is inconclusive and could be either a staged stunt or a real exploit. Jim Thompson, a veteran Wi-Fi engineer and security expert, is dubious, and he explains why in great technical detail. Security expert Rich Mogull, research vice president at Gartner, said that the exploit is credible and that it's possible that similar exploits on multiple platforms developed independently are already in the wild. Mogull has seen reports that a similar exploit may have been used at a recent conference that he declined to identify for security reasons. The researchers who presented at Black Hat are taking significant precautions to prevent their particular research from getting out of their grasp, he said.
Lending credence to this potential flaw was the release by Intel in July of driver updates for three of their Centrino wireless products. Notes for the release describe the patch for their oldest adapter (an 802.11b-only model) as fixing a flaw in which a "malformed frame," a packet-like chunk of data, could allow a hacker to gain control of a machine. Two newer adapters seem to have a severe but less frightening flaw. Mogull said that these Intel patches show that this kind of exploit is not an unknown issue.
As noted, there is no confirmation of this exploit from anyone who has seen the actual attack carried out in person, no separate validation of the attack from third parties using different equipment and the same approach, and no public response from Apple, Intel, or Microsoft, despite the firmware patches from Intel. There is also no identified attack of this sort in the wild.
At the moment, our suggestion is not to worry. The likelihood of this flaw being exposed, becoming widespread, and threatening your particular machine over the period of time it might take Apple to issue a patch is extremely remote. The exploit also appears to be limited to Intel-based computers at the moment, making it even less of a concern for many Mac users.
We'll update this story as details become available, but if Apple releases a security update that describes a fix for a malformed frame and you travel around with your MacBook or MacBook Pro, you should consider installing it as soon as is practical.
Article 2 of 7 in series
Apple public relations director Lynn Fox says that the Wi-Fi exploit demonstrated by David Maynor and Jon Ellch two weeks ago in a video shown at the Black Hat 2006 conference does not represent a flaw in Apple's software or device firmware (see "Wireless Driver Hack Could Target Macs and Windows", 07-Aug-06). Apple told Macworld and many other media outlets that the demonstrated exploit uses a third-party wireless driver for a Wi-Fi USB adapter. Neither the driver nor the chips are the same as those used by Apple in Mac OS X on a MacBook.
Further, Fox said that Apple has received neither code nor a demonstration that shows a flaw in shipping hardware and software. The researchers have changed the message on the page at SecureWorks, the consulting site at which they provide services, to clarify that Apple code wasn't involved in their demonstration. Chipmaker Atheros also issued a statement - to Brian Krebs at Security Fix - that their products apparently aren't at risk, either, based on what they knew at the time that they issued that statement.
The two researchers who presented the hack say that a flaw in the way in which wireless drivers from several manufacturers hand off data to the operating system can allow exploits in which a machine can be compromised to execute arbitrary code. That arbitrary code could then allow an affected system to grant root, or system ownership, access to the computer. In July, Intel released a patch for their Centrino Wi-Fi adapters found in laptops from many manufacturers that fixes such a problem, although Maynor and Ellch said that this fix wasn't a result of their work.
With that level of access, a cracker could install "bot" software that's used to turn affected computers into remotely activated warriors in the spam or denial-of-service wars. Bots are now considered the biggest single problem on the Internet because millions of computers can be activated, like sleeper cells, whenever an attack is desired.
A small firestorm of responses has appeared since Apple's denial, hinging on two factors: some writers and bloggers have been presented with information by Maynor and Ellch that is not yet in the public sphere of knowledge, and Apple's denial of the exploit is extremely carefully crafted.
My take at the moment is that it's highly possible that Maynor and Ellch have found a security flaw in the built-in MacBook and MacBook Pro Wi-Fi drivers that, at the point that Apple made their statement about not seeing any "evidence" of an exploit, they had not yet presented to Apple. In this scenario, Maynor and Ellch accidentally provided details to Brian Krebs before they meant to, and are remaining mum until Apple responds. We'll see.
You can read many takes on this subject: George Ou at ZDNet (who has received private information), John Gruber at Daring Fireball (who has not), security expert Rich Mogull's personal blog (who has received disclosure), Wi-Fi expert Jim Thompson (who tears the exploit apart limb by limb, fingernail by fingernail) and John Moltz at Crazy Apple Rumors Site (who makes stuff up).
Article 3 of 7 in series
Apple last week released a pair of updates, Security Update 2006-005 and AirPort Update 2006-001, which resolve a trio of related potential exploits in which a local attacker could inject a maliciously crafted frame into a wireless network. In theory, such an attack could cause system crashes, execute arbitrary code, or elevate privileges, though Apple took pains to note that there are no known instances of these exploits. Although you can download the individual updates from the Apple Downloads page (only one is necessary), you must pick the correct one for your machine.
Since AirPort Update 2006-001 covers only two specific builds of Mac OS X 10.4.7 - whereas Security Update 2006-005 handles Mac OS X 10.3.9 and other specific builds of Mac OS X 10.4.7 (with different downloads for 10.3.9 and for PowerPC- and Intel-based Macs running 10.4.7) - we encourage you to let Software Update download the correct version for your system. If you're running Mac OS X 10.3.9 and Software Update doesn't show Security Update 2006-005, you must first install AirPort 4.2 and AirPort Extreme Driver Update 2005-001 (I suspect Software Update will provide them as well).
Although Apple's release notes are terse as usual, these updates undoubtedly come in response to the Wi-Fi exploit demonstrated by David Maynor and Jon Ellch at the Black Hat 2006 conference. Apple did not credit Maynor or Ellch for these fixes, however, which is an implicit statement that Apple refuses to acknowledge that the two researchers contributed to uncovering the flaws. An Apple spokesperson denied that SecureWorks, the firm for which Maynor works, provided information that led to these patches. Rather, the spokesperson told several media outlets and TidBITS that news of the SecureWorks demonstration prompted Apple to conduct an in-depth code audit that led to identifying these vulnerabilities. (See "Wireless Driver Hack Could Target Macs and Windows," 07-Aug-06 and "Apple Issues Careful Wi-Fi Exploit Denial," 28-Aug-06.) SecureWorks has not responded to any media outlet with additional clarification at press time; the company is also in the middle of a merger, which could be why they're not commenting. What's most important is that Mac users who apply the patches are no longer vulnerable to these particular exploits.
Article 4 of 7 in series
Mac OS X may be at risk via the original AirPort Card because of an attack methodology published last week as part of the Month of Kernel Bugs. The attack can corrupt some "internal kernel structures," and causes a kernel panic - a crash. The developer of the attack believes that he may be able to modify this with some effort into a root exploit in which control of the machine could be seized.
The approach as published works only with the AirPort Card, the internal 802.11b Wi-Fi adapter for Macs introduced in 1999, and used in all Mac models introduced until late 2002. Apple stopped selling the AirPort Card some time ago - much to the dismay of people whose adapter died on an otherwise usable computer. All Mac models introduced in 2003 and later sport a slot for AirPort Extreme (802.11g) networking; the AirPort Extreme Card slot is not compatible with the original AirPort Card.
Further, the developer of the attack notes that the exploit works best when a Mac has been placed into active scanning mode, which requires a command-line tool included with Mac OS X or the KisMAC utility. In a brief interview with Brian Krebs of The Washington Post's Security Fix blog, the exploit developer told Krebs that he found some vectors for breaking Macs with AirPort Cards that were in an idle, non-associated state, but hasn't produced results he wanted to discuss yet.
The exploit was published as a recipe for reproduction, more or less, so it's not embedded in a prefabricated application designed simply to crash computers, but it will be incorporated into the open-source Metasploit framework, which is a system to stress-test software and operating systems in an automated fashion using malformed packages of data and other techniques. (At this writing, the developers say it's part of Metasploit, but I don't see an item representing it in the list of modules.)
The Month of Kernel Bugs (MoKB) uses a small set of standard tools that stress test operating system kernels by generating massive amounts of arbitrary input - fuzzing - which can be associated with resulting errors on the attacked computer to figure out what input caused which exploitable errors or crashes. The project says they have five more Apple kernel bugs that will appear over the next 30 days. (No additional Apple bugs have appeared as of this writing.)
In a fairly irresponsible move, the MoKB coordinator said there will be no advance notice to the makers of affected systems in any systematic way prior to release of the exploit. Exploits that are released on the day the vulnerability is identified are called "zero-day exploits." In the security world, this is considered bad form, somewhere between taking a dump in a swimming pool and selling drugs to children. There's little reason to not provide advance information to affected parties unless you're trying to be clever, instead of smart.
The justification by the MoKB coordinator, identified only as LMH, is the tired old "Apple doesn't listen to security flaws and pretends it doesn't have any" argument. The industry soap opera that began in August, "To the Maynor Born: Cache and Crash," apparently has led many hobbyist and professional security researchers to decide that Apple systematically denies security flaws when they exist. In the case of that saga, it's fairly clear that only a handful of people have actually seen what was alleged to have been given to Apple, which means that relying on that case as an example of Apple ignoring security issues or misusing security researchers requires second- or even third-hand knowledge. (Apple told Krebs that they are investigating this latest AirPort flaw, which they learned about "recently.")
In comments to a post about this on LMH's Kernel Fun blog, he or she writes, "It's actually a matter of time to demonstrate that all the pro-Mac paranoia is just plain useless. Apple does good stuff indeed, but they obviously do [make] mistakes as everyone does." It's hilarious that anybody credible thinks that vocal Mac zealots represent the interests of the entire Mac community. A more realistic view by an experienced Mac user can be found as the second comment (by Dave Schroeder) on Ryan Russell's blog entry on this exploit.
May I state for the record as a regular reporter on Macintosh matters that I don't reflexively believe that Mac OS X is invulnerable? In fact, I have written regularly about flaws that are reported, and about the risk that we face as a community of users that lack immunity. While Apple has built its operating system on a strong foundation, that in no way precludes exploits that use vectors that weren't considered.
Your high-level takeaway? Neither Mac models that shipped beginning in 2003 nor older Macs without active scanning enabled are known to be vulnerable. The vulnerability requires a nearby user, too, or one with a high-gain antenna who can reach your computer. I'm guessing Apple patches this relatively quickly for Mac OS X 10.3 and 10.4 users, and that they'll be working overtime to stay on top of other MoKB announcements.
Article 5 of 7 in series
Apple last week released AirPort Extreme Update 2007-001, fixing a problem on Core Duo-based Mac minis, MacBooks, and MacBook Pros that could cause crashes or worse. The fix is related to a number of other repairs to low-level wireless hardware drivers that Apple made last year in response to a proof-of-concept exploit that could - theoretically - have enabled a nearby attacker to hijack a Mac via its wireless connection (see the series "To the Maynor Born: Cache and Crash").
If Software Update offers you the AirPort Extreme Update 2007-001, you should install it for safety's sake, and because it may fix some other bugs, but the likelihood of the security hole being exploited is nil. If you see any new problems after updating (we've heard a few anecdotal reports), check out MacFixIt's wireless troubleshooting tutorial. The update is a 7.4 MB download available via Software Update or as a standalone download.
Apple also released Security Update 2007-001, which resolves a possible exploit related to how QuickTime 7.1.3 handles RTSP URLs. The bug was identified by Kevin Finisterre and the pseudonymous "LMH" of the Month of Apple Bugs project. It's a 5.9 MB download available via Software Update or as separate downloads for Mac OS X 10.4 Tiger and Mac OS X 10.3.9 Panther.
Meanwhile, the Month of Apple Bugs project has found another bug that has captured the interest of people in the security community whose opinions I value. It turns out that Mac OS X's Software Update, when fed a file with a sufficiently malformed name, can be caused to crash or - in theory - to execute that bugaboo of the security crowd, "arbitrary code." (In other words, Software Update could be caused to run code that could replicate itself, delete data, or have other harmful effects. I say "in theory" because there's no known way yet to make that happen, but it's possible.)
Although the demonstration of the bug on the Month of Apple Bugs page doesn't work in my testing, a source showed me a variant that did demonstrate that Software Update improperly handles malformed file names. If a bad guy could figure out how to embed dangerous code in a malformed file name, that file could be fed to Software Update via a link you clicked in a Web browser or through an email attachment you opened. Turning off Software Update won't make any difference, and in fact, there's nothing users can do to eliminate the risk of being exploited. Luckily, that risk is very low.
Apple should fix the bug, as it did with the QuickTime bug, and Mac users should continue to be careful about clicking links on dodgy Web sites, avoid opening email attachments from unknown senders, and install security updates when released by Apple. As is usually the case, the revelation of this bug changes nothing for the Macintosh community; basic safe computing provides all the security necessary to render this potential exploit moot.
Article 6 of 7 in series
Two hackers wanted to show the world that Apple's much-vaunted operating system wasn't as secure as it was cracked up to be. The Month of Apple Bugs (MoAB) ran from 01-Jan-07 to 31-Jan-07, with the final day promising a future serious bug. Instead, they may have turned the Mac smugness dial up a notch.
MoAB backers "lmh" (who does not reveal his or her real name) and Kevin Finisterre appeared to want to tweak Mac users, who often revel in the so-far absence of attacks on Mac OS X that are plausible, persistent (not quickly patched), and spreadable. In particular, the pair appear to take issue with the zealots and "fanboys" who, when presented with credible information that shows Apple or Mac OS X in a bad light, reject it out of hand. But lmh and Finisterre also seemed to have a chip on their shoulders before, during, and after MoAB.
The coincidence of the abbreviation MoAB and the biblical figure of the same name led me to Jeremiah 48:29-30: "We have heard of the pride of Moab, pride beyond bounds: His loftiness, his pride, his scorn, his insolence of heart. I know, says the Lord, his arrogance; liar in boast, liar in deed." (More famously, the poetry of Psalms disses the people of Moab by stating, "Moab is my washpot," Psalm 108:9, indicating a thing of low esteem, fit only for holding water that has cleaned one's feet - it's also the title of Stephen Fry's excellent autobiography.)
Now that seems a little harsh. The original Moab was a problem, no doubt, but this MoAB wanted to shake the Apple tree a bit, perhaps with too high an aim. I suspect the developers had a set of exploits up their sleeves, but hoped that other folks would come forward with goodies they'd been saving up, and no such luck emerged.
The zealots and fanboys that lmh and Finisterre railed against aren't strawmen. They exist. In fact, we at TidBITS occasionally get email from them, too. But it's clear that the vast majority of Mac users have better things to do than violently defend the platform and company against legitimate criticism. If anything, the average Mac user may have perhaps too great a belief that Mac OS X is completely secure, especially in contrast with Windows XP.
However, it seems that MoAB may have unintentionally given more ammunition to the extremists in the Mac faith, while making the larger community even more blasé. None of the bugs released had any real potential of a vector - spreading from computer to computer as a worm through an Internet- or LAN-exploitable flaw - and as far as I have seen, no in-the-wild exploit was released for any of the bugs, despite the fact that MoAB refused to notify Apple or third-party developers before releasing the bug details to the public.
As of last week, Apple and the other developers who had exploits posted against their products had updated all but one matter. Timothy Luoma posted a rundown of his disappointment with the outcome of MoAB. The Macalope weighs in with his own, slightly surprised discomfiture at not seeing more serious attacks released. (The remaining Apple flaw relates to Software Update, which could be exploited by a local user or a malicious Web site visited via Safari with default download options checked.)
In fact, MoAB revealed one of the best aspects of the larger Mac developer community: generosity. Landon Fuller took it on himself to release patches to the vulnerabilities revealed at MoAB and ultimately received help from many others. While he couldn't fix every problem completely, nor do so on the same day the exploit was released, he and his colleagues had a remarkable track record.
MoAB received the most criticism about its disclosure policy - the authors said that typically no notice was given to Apple or affected companies before they posted the details of their exploit. They wrote, "'Responsible disclosure' exists when the vendor doesn't deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don't trust Apple on these matters due to the track [sic] of incidents and unpleasant situations surrounding their policy on product vulnerability handling."
(Oddly, they offered to give only Fuller a heads-up each day in advance of the public; he declined, in a transcript the MoAB backers posted, to avoid the "appearance of collusion," since he enjoyed demonstrating that exploits could be fixed without any insider or advance knowledge about them.)
Apple has, at times, been criticized for its lackluster response to serious exploit reports, or its long delays in responding to known problems. But I haven't heard that criticism lately, with one exception. The MoAB project is clearly referring to how Apple allegedly treated David Maynor and Jon Ellch, two researchers who seem to have gotten stuck in a trap partly of their own devising. (We covered this in a series of articles we dubbed "To the Maynor Born: Cache and Crash" from August 2006 to January 2007.)
The short story is that Maynor and Ellch appeared to have said that they had a successful root exploit for Mac OS X, relying on a flaw in Wi-Fi handling that required a proximate user to launch the attack. Maynor and Ellch were apparently never allowed to release their proof directly, and Apple patched flaws similar to those described, but which Apple claimed were not based on any specific information provided by the two. In the security note accompanying the Wi-Fi fixes, Maynor and Ellch weren't acknowledged.
It's unclear whether the facts will ever be untangled in that case, and it appears that few people outside of Maynor, his employer, Apple, and Ellch have all the facts to make a judgment. Thus it's always frustrating to me to see unrelated parties make the assumption that Apple "deploy[ed] harmful tactics" when what happened is rather ambiguous.
In contrast to the Maynor/Ellch situation, even with no disclosure, Apple apparently decided lmh and Finisterre played by the rules, and MoAB and the two were credited in the several bugs that Apple has patched (see related story, "Security Update 2007-002 Squashes MoAB Bugs").
What did the "pride of MoAB" lead to? Not much. I, for one, am fully aware that the possibility of a true, widespread, system remote exploit of Mac OS X remains. And almost all MoAB's exploits required either (or both) an attacker with local access or a computer owner who engaged in unusual behavior, such as downloading and opening an unknown file.
It's a testament to the Mac community as a whole that MoAB's irresponsible disclosure, coupled with childish taunts and tactics, was met with quick, civil responses by Apple and the other Macintosh developers. Generosity and cooperation will provide far more overall security than a bunch of ill-mannered hackers.
Article 7 of 7 in series
The Wi-Fi exploit heard round the world a year ago August is now explicated in an extremely technical paper. But still no simple, verifiable, third-party proof, despite what are ostensibly the researcher's best intentions.
Security researcher David Maynor has published a long, technically detailed report in the online publication Uninformed, in which he describes how he accidentally came across and then learned to exploit a weakness in the Mac OS X 10.4.6 Wi-Fi drivers on an Intel-based MacBook in mid-2006.
Maynor and his colleague Jon "Johnny Cache" Ellch caused a furor in August 2006 when they appeared to reveal the weakness as a zero-day exploit - an exploit in which the details are known before a company is informed or a product patched - just before a presentation at the Black Hat security conference. You can read the history of the whole affair in "To the Maynor Born: Cache and Crash."
Maynor alleges in passing here, and in public and private elsewhere, that his then-employer SecureWorks along with Apple's press relations department prevented clarification of his and Ellch's initial statements to the Washington Post's Brian Krebs. This seems now, in part, due to the fact that they told Krebs more than they meant to, and then attempted to backpedal. This has never been fully clarified. From August 2006 to February 2007, statements of all sorts were made, recanted, decanted, partially explained, and fully obfuscated.
The report released by Maynor, described as the first of three, details the process by which he delved into Mac OS X's innards to find precisely how to trigger the flaw and then deliver a payload, but it doesn't describe or include code that would allow the replication of a remote exploit. That is apparently to come. (An interesting sidenote: Maynor found the flaw when his MacBook suffered a kernel panic while he was probing Wi-Fi adapters on non-Apple computers, an odd occurrence that caused him to investigate further.)
The steps are too technically involved for me to follow, and I hope that some other security researcher will install Mac OS X 10.4.6 on a clean MacBook or other vulnerable system, and attempt to replicate Maynor's process. Maynor and Ellch have never provided publicly verifiable proof to an independent third party of this exploit, but there is also little reason to believe that they did not have such an exploit in hand. (Maynor provided demonstrations to some number of other individuals, but none of those people was allowed to or chose to describe what they saw in public.)
Maynor remains bogged down in proving that Apple PR misled the public and hung him out to dry. I've been unable to uncover any evidence of this, which isn't proof that it doesn't exist. By avoiding any public and verifiable proof of their exploit, Maynor and Ellch have relied on trust, which isn't part of the usual methodology involved in security research.
Apple patched a number of wireless defects in September 2006, and this exploit apparently disappeared with it. Apple declined to credit Maynor and Ellch, stating that an internal security audit discovered the flaws. Email that Maynor displayed during a February 2007 presentation seemed to show that he had sent some information to Apple, which was acknowledged, but he was unable to show email messages that he alleges had the full proof of duplicity because his former employer wouldn't allow him to (or, at least, he believed he didn't have the right to show them).
John Gruber sums up this year-later disclosure quite admirably at Daring Fireball, as always: "A serious claim must be backed by proof of some sort. Maynor and Ellch's claims last year were made with no proof other than a suspicious demonstration on video. That's the root of every dispute and problem that followed." (John also notes Maynor's proud display of semi-automatic weapons in a photo on his current firm's blog.)
I have watched Apple's behavior closely since August 2006 to see how they would handle additional disclosures of severe flaws in Mac OS X that weren't brought to the company before being announced to the general public (with or without the enabling details to exploit the flaw). In every case I'm aware of, Apple credited the source and generally quickly released patches, even with the Month of Apple Bugs that I wrote about in "MoAB is My Washpot" (2007-02-19).
One could argue that Apple has changed their tune, or, conversely, that they have been singing the same song all along. Without the details, I like to accept the melody, not the counterpoint, because my own experience with Apple, even when I vehemently disagree with their policies, design, or product choices, hasn't led me to a circumstance in which I felt I was being lied to or misled, or where I later discovered a contradiction. In contrast, when I have reported problems with AirPort software, they have taken it seriously, and even made improvements (not based on my critique alone) in later products and firmware updates.
Maynor started his own consulting firm with partner Robert Graham several months ago called Errata Security. He and Graham have released several interesting programs which - through the revelation of poor security models in common systems and at popular Web sites - could improve overall individual privacy on the Internet. See "Sidejack Attack Jimmies Open Gmail, Other Services" (2007-08-27), for one example.
Others have accused Maynor and Ellch of various behaviors, including flat-out fabrication. I haven't thought for months that either of them was anything but genuine. Which is why it is increasingly frustrating that they simply couldn't prove with a real demonstration that what they have asserted is true, is true.