Apple patched a security flaw in the drivers for the company’s original AirPort card last week. Among other fixes, Security Update 2006-007 for Mac OS X 10.3.9 and 10.4.8 corrects a flaw that could enable a nearby attacker to cause a kernel panic and crash a Mac in the right set of circumstances. Apple warned that this attack could potentially deliver a software payload that would run without interference on the attacked computer – a state known as arbitrary code execution. We wrote about this exploit last month (“Another Minor AirPort Vulnerability Exposed,” 2006-11-06), at which point the exploit’s discoverer only suggested that a payload was possible. A host of other flaws were also patched.
Six unique updaters are available: one each for 10.3.9 client and server, 10.4.8 PowerPC client and server, and 10.4.8 Intel client and server. Software Update identifies the correct one for your Mac.
The AirPort flaw was triggered if an AirPort card, signaling it was interested in knowing what networks were available in the vicinity, received a carefully crafted response that mimicked how access points announce their name and other details. The patch validates those responses to avoid triggering an error. Keep in mind that the vulnerability affects only the original AirPort card, which was included with Macs released from 1999 to 2002, and was sold as late as 2004 for those Macs. AirPort Extreme cards, which work with models introduced starting in January 2003, have drivers that aren’t affected by this particular flaw. (The few users of Mac OS X 10.2 and earlier have been ignored for AirPort card updates for at least a couple of years now.)
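The kind of validation described above, sketched as an added example (not Apple's driver code, whose actual check is not published here): a parser for the body of an 802.11 probe response that rejects any tagged element whose claimed length runs past the received frame or past the 32-byte SSID limit. The function names and sample frames are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIXED_FIELDS_LEN 12 /* timestamp (8) + beacon interval (2) + capability (2) */
#define IE_SSID          0  /* element ID of the network name */
#define SSID_MAX_LEN     32 /* longest SSID 802.11 allows */

/* Copy the SSID out of a probe-response body. Returns 0 on success, -1 if malformed. */
int parse_probe_response(const uint8_t *body, size_t body_len,
                         uint8_t ssid[SSID_MAX_LEN], size_t *ssid_len)
{
    size_t off = FIXED_FIELDS_LEN;
    int found = 0;
    if (body == NULL || body_len < FIXED_FIELDS_LEN)
        return -1;                      /* too short to hold the fixed fields */
    while (off < body_len) {
        if (body_len - off < 2)
            return -1;                  /* truncated element header */
        uint8_t id = body[off];
        size_t len = body[off + 1];
        off += 2;
        if (len > body_len - off)
            return -1;                  /* claimed length runs past the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return -1;              /* would overflow the fixed-size buffer */
            memcpy(ssid, body + off, len);
            *ssid_len = len;
            found = 1;
        }
        off += len;                     /* skip to the next element */
    }
    return found ? 0 : -1;
}

/* Hypothetical helper: SSID length, or -1 if the body is rejected. */
int ssid_len_or_error(const uint8_t *body, size_t body_len)
{
    uint8_t ssid[SSID_MAX_LEN];
    size_t n = 0;
    return parse_probe_response(body, body_len, ssid, &n) == 0 ? (int)n : -1;
}

/* Constructed sample bodies (not captured traffic): 12 fixed bytes, then elements. */
const uint8_t SAMPLE_OK[] = {0,0,0,0,0,0,0,0, 0x64,0, 0x01,0, 0, 4, 'h','o','m','e'};
const uint8_t SAMPLE_BAD_LEN[] = {0,0,0,0,0,0,0,0, 0x64,0, 0x01,0, 0, 200, 'h','o','m','e'};
const uint8_t SAMPLE_LONG_SSID[47] = {[13] = 33}; /* SSID element claiming 33 bytes */

int main(void) { return ssid_len_or_error(SAMPLE_OK, sizeof SAMPLE_OK) == 4 ? 0 : 1; }
```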
Security Update 2006-007 mostly patches flaws that are triggered by local users with physical access to the computer, although a few weaknesses could be exploited by remote users. For instance, a flaw in the FTP server built into Mac OS X could enable a remote user to figure out which users have valid accounts on the attacked computer. And an error in how Samba (Windows file sharing) handles incoming requests could have enabled an attacker to break access to the service.
One significant flaw, now patched, could have crashed or exploited Mac OS X when Safari visited a Web site that had a maliciously crafted Web page. The flaw was in WebKit, the system-wide software for HTML rendering and handling that's used by Safari and many third-party applications. With the fix, WebKit now parses documents correctly. Oddly, the description of this problem is identical to that used in Security Update 2006-004 released on 01-Aug-06.