Fire in the (AirPort) Hole
Rejoice, rejoice! You can turn your WiFi on again! The danger is past.
At least, for the moment.
On September 21, Apple released two security patches that protect essentially every Mac that uses AirPort against malformed frames passed over 802.11b networks. That’s the vulnerability I wrote about last month, which may or may not have been a real threat to Mac users.
“So,” you say. “The problem’s been fixed, Wes. You usually put stuff like that in those inane little bullet-point links at the end of your column.”
I’m guilty as charged, readers. But this one was no ordinary security patch. Just as Apple was launching a brand-new ad campaign lauding the comparative security of its computers relative to its competitor’s product—Microsoft Windows—two security researchers claimed that a massive vulnerability in the AirPort drivers for OS X could lead to a root exploit—without the user even registering on a network. Rather than recap extensively here, I will point you again to my previous column, because I tried hard to be comprehensive. Better still is John Gruber’s summary.
What’s interesting is the fallout from all of this: did Apple patch this vulnerability—which sounds a lot like the one Jon Ellch and David Maynor described in August—in response to the demonstration, and did the demonstration show a vulnerability or was it staged?
First things first, I should note that Apple is claiming, unequivocally, that they found this vulnerability in-house. That jibes with what Glenn Fleishman and Jim Thompson, et al., said about the potential route of attack that this could have taken—in other words, as I read it, it’s possible that this demonstration was staged but happened to correspond closely enough with a possible exploit that Apple discovered and patched. Apple spokesman Anuj Nayar told Brian Krebs, the (rightly or wrongly) maligned Washington Post security columnist, just that:
[T]he company is not aware of any exploit code available to attack these flaws, and… SecureWorks to this day has not shared a working demonstration of how to exploit them.
“Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affec tthe (sic) wireless drivers on Macs, but they didn’t supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws.”
But Ellch is on the attack, denying this. Just as this magazine was set to go to press, he gave Cory Doctorow the right to publish a transcript of his talk at ToorCon 2006 on Doctorow’s personal Web site. (But he linked to it on Boing Boing, so it will get a fair number of eyeballs.) In this talk, he claims that Apple and SecureWorks kept his research partner from giving the original scheduled lecture detailing the previously demonstrated AirPort vulnerability. Doctorow states, unequivocally, that pressure from SecureWorks got the talk canceled, and implies that Apple was involved. On the other hand, he notes in passing that “one colleague at the show…spoke to an Apple employee in the audience who denied that Apple had leaned on SecureWorks.” (So far, no word from Maynor.)
Ellch also released, on a security-oriented listserv, some details of a similar exploit using Intel’s Centrino on-board drivers. I understand very little of it, to be completely honest, but it sounds like it relies on a variant of a packet DDoS attack. If you flood the victim machine with UDP packets at one per 4,000 microseconds and then send disassociation requests at one per 5,000 microseconds, you may be able to get your malformed UDP packet into the driver stack.
That sounds an awful lot like the vulnerability that Apple patched. Whether Ellch and Maynor demonstrated such a vulnerability is what’s up for grabs.
In the interim, Gruber had previously offered a bounty to Maynor and Ellch if they could hijack a stock, just-out-of-the-box MacBook. The prize was that very MacBook. Rich Mogull at Securosis disputes that the bounty would be helpful, and even tells us to trust him that the demonstrated exploit is real. (Sorry, but your assurance of a video demonstration just ups the ante, amigo.)
Neither of the security researchers ever took him up on the offer, but I think, in light of this patch, it would be a valid experiment for someone to take up. Come now, someone must be able to show us whether unpatched MacBooks are vulnerable, in an uncontrolled environment.
Gruber is unconvinced by all of this. He’s been at the center of this hurricane since it first was spotted in the southeast Atlantic in August, and he lays all of his evidence out on the table. He believes, in light of this patch, that one of three possibilities is true:
- Maynor and Ellch did not find an actual exploit against Apple’s built-in AirPort drivers, but bamboozled and lied to Brian Krebs (and let’s not forget George Ou) that they had.
- Maynor and Ellch did find such an exploit, but never showed or proved it to Apple.
- Maynor and Ellch both found such an exploit and showed it to Apple, and Apple continues to lie about what Maynor and Ellch showed them.
Things don’t look good for Maynor and Ellch, in spite of the assurances of Krebs and Mogull. In a note to the readers of MDJ and MWJ, publisher Matt Deatherage suggests strongly that the release of Apple’s patch combined with its public insistence that they found this vulnerability on their own does in what credibility Maynor and Ellch had. I’ll let Deatherage have the final word:
If Maynor and Ellch had demonstrated it or shown code to just one Mac expert who could have verified their claims, they’d rightly be lionized for their work. Instead, they took credit for “hacking a MacBook” at security shows and in the international press while refusing to provide even the barest proof that they’d actually accomplished what they said they had, or at least what they wanted you to believe they’d said. Now that bugs and fixes are in the real world, there’s no way of ever knowing if what they say they found matches those bugs or not—when they had the chance to prove it, they refused. It’s like saying after the fact that you knew the answer to Final Jeopardy—you have to say it before it’s revealed to get credit for knowing it.
(N.B.: Scroll down to find the relevant passage. On the other hand, I strongly suggest you read Deatherage’s update; apparently he just survived congestive heart failure. Welcome back, Matt.)
And Nothing Left to Burn
- Geek Patrol published a set of CPU benchmark graphs over the last six years of Apples. Of interest is the “Pro Laptop” graph, showing the original PowerBook G4 (500MHz) up through the MacBook Pro. I actually gasped out loud and used certain unprintable phrases when I pulled up the full-size graphic: from the last PowerBook G4 to the MacBook Pro, the benchmark scores roughly doubled. Expect further improvements if Apple ever gets Core 2 Duos—that’s right, four CPU cores—in the MacBook Pro. (Plus, you can plug an off-the-shelf chip into your Mac Pro and it will work pretty well; AnandTech was able to get dual-core Xeons working in one, with impressive results.) I think it’s time to replace this Titanium PowerBook.
- Will I finally, at long last, have to eat my hat? I can’t find this in our archives, but maybe you can. I seem to remember promising you all that if Apple released an actual, legitimate iPhone, I would eat my hat. AppleInsider is now saying that there is evidence Apple will release just such a device. I’m still highly skeptical, for all the reasons I’ve laid out before, but…Eww. Does one use a fork and knife to eat a baseball cap? (Also: would it have killed Apple to release the iPhone before I just bought a new one?)
- Khoi Vinh is really impressed by OmniWeb 5.5, which now uses a stock WebKit rather than the branched version it’d been using since the original OmniWeb 5 release. I have a lot of respect for Khoi, so perhaps when my computer is not on the verge of collapse, I will try it. In a similar vein, Brent Simmons predicts applications are going to rely more and more on a hybrid desktop-Web model, since Apple’s underlying HTML glue takes care of so much of the hard work. This is very exciting.
- TidBITS’ Matt Neuburg rails this month on what he believes is the decline of WWDC. Scott Stevenson thinks he’s crazy—or has too-high expectations. I report, you decide.