Apple last week released AirPort Extreme Update 2007-001, fixing a problem on Core Duo-based Mac minis, MacBooks, and MacBook Pros that could cause crashes or worse. The fix is related to a number of other repairs to low-level wireless hardware drivers that Apple made last year in response to a proof-of-concept exploit that could – theoretically – have enabled a nearby attacker to hijack a Mac via its wireless connection (see the series “To the Maynor Born: Cache and Crash“).
If Software Update offers you the AirPort Extreme Update 2007-001, you should install it for safety’s sake, and because it may fix some other bugs, but the likelihood of the security hole being exploited is nil. If you see any new problems after updating (we’ve heard a few anecdotal reports), check out MacFixIt’s wireless troubleshooting tutorial. The update is a 7.4 MB download available via Software Update or as a standalone download.
Apple also released Security Update 2007-001, which resolves a possible exploit related to how QuickTime 7.1.3 handles RTSP URLs. The bug was identified by Kevin Finisterre and the pseudonymous “LMH” of the Month of Apple Bugs project. It’s a 5.9 MB download available via Software Update or as separate downloads for Mac OS X 10.4 Tiger and Mac OS X 10.3.9 Panther.
Meanwhile, the Month of Apple Bugs project has found another bug that has captured the interest of people in the security community whose opinions I value. It turns out that Mac OS X’s Software Update, when fed a file with a sufficiently malformed name, can be caused to crash or – in theory – to execute that bugaboo of the security crowd, “arbitrary code.” (In other words, Software Update could be caused to run code that could replicate itself, delete data, or have other harmful effects. I say “in theory” because there’s no known way yet to make that happen, but it’s possible.)
Although the demonstration of the bug on the Month of Apple Bugs page doesn’t work in my testing, a source showed me a variant that did demonstrate that Software Update improperly handles malformed file names. If a bad guy could figure out how to embed dangerous code in a malformed file name, that file could be fed to Software Update via a link you clicked in a Web browser or through an email attachment you opened. Turning off Software Update won’t make any difference, and in fact, there’s nothing users can do to eliminate the risk of being exploited. Luckily, that risk is very low.
Apple should fix the bug, as it did with the QuickTime bug, and Mac users should continue to be careful about clicking links on dodgy Web sites, avoid opening email attachments from unknown senders, and install security updates when released by Apple. As is usually the case, the revelation of this bug changes nothing for the Macintosh community; basic safe computing provides all the security necessary to render this potential exploit moot.