AirPort Updates Stop Wi-Fi Exploit
Apple last week released a pair of updates, Security Update 2006-005 and AirPort Update 2006-001, which resolve a trio of related potential exploits in which a local attacker could inject a maliciously crafted frame into a wireless network. In theory, such an attack could cause system crashes, execute arbitrary code, or elevate privileges, though Apple took pains to note that there are no known instances of these exploits. Although you can download the individual updates from the Apple Downloads page (only one is necessary), you must pick the correct one for your machine.
Since AirPort Update 2006-001 covers only two specific builds of Mac OS X 10.4.7 – whereas Security Update 2006-005 handles Mac OS X 10.3.9 and other specific builds of Mac OS X 10.4.7 (with different downloads for 10.3.9 and for PowerPC- and Intel-based Macs running 10.4.7) – we encourage you to let Software Update download the correct version for your system. If you’re running Mac OS X 10.3.9 and Software Update doesn’t show Security Update 2006-005, you must first install AirPort 4.2 and AirPort Extreme Driver Update 2005-001 (I suspect Software Update will provide them as well).
Although Apple’s release notes are terse as usual, these updates undoubtedly come in response to the Wi-Fi exploit demonstrated by David Maynor and Jon Ellch at the Black Hat 2006 conference. Apple did not credit Maynor nor Ellch for these fixes, however, which is an implicit statement that Apple refuses to acknowledge that the two researchers contributed to uncovering the flaws. An Apple spokesperson denied that SecureWorks, the firm for which Maynor works, provided information that led to these patches. Rather, the spokesperson told several media outlets and TidBITS that news of the SecureWorks demonstration prompted Apple to conduct an in-depth code audit that led to identifying these vulnerabilities. (See “Wireless Driver Hack Could Target Macs and Windows,” 07-Aug-06 and “Apple Issues Careful Wi-Fi Exploit Denial,” 28-Aug-06.) SecureWorks has not responded to any media outlet with additional clarification at press time; the company is also in the middle of a merger, which could be why they’re not commenting. What’s most important is that Mac users who apply the patches are no longer vulnerable to these particular exploits.