Most Popular Articles
- MobileMe Mail and Gmail Go Down Simultaneously (11 Aug 2008)
- Comparing Apple's MobileMe Contrition with Google and Netflix (19 Aug 2008)
- Jobs Personally Acknowledges iPhone Bug and Upcoming Fix (19 Aug 2008)
- Searching for the iPhone 3G Case of My Dreams (30 Aug 2008)
Recent TidBITS Talk Discussions
- Google Chrome (37 messages)
- 10.3.9 to 10.5.1 - use Migration Assistant? (12 messages)
- How to Protect Yourself From The New Mac OS X Trojans (31 messages)
- Creating/Burning DVD Disk Images (4 messages)
Related Articles
- Unpatched Macs Face Bluetooth Root Exploit (30 Oct 06)
- Apple Issues Careful Wi-Fi Exploit Denial (28 Aug 06)
- Wireless Driver Hack Could Target Macs and Windows (07 Aug 06)
Other articles in the series To the Maynor Born: Cache and Crash
- Wi-Fi Exploit Precursor Published One Year Later (21 Sep 07)
- MoAB Is My Washpot (19 Feb 07)
- Security Holes: Two Closed, One Opened (29 Jan 07)
- Another Minor AirPort Vulnerability Exposed (06 Nov 06)
- Apple Issues Careful Wi-Fi Exploit Denial (28 Aug 06)
- Wireless Driver Hack Could Target Macs and Windows (07 Aug 06)
Published in TidBITS 848. Subscribe today to receive TidBITS in email every Monday.
- Disney Sells 125,000 Movies in First Week on iTunes Store
- The Future Beyond Tomorrow, Courtesy of Adobe
- Fission Manipulates Audio Tracks of All Stripes
- Peering into the Future of the Infosphere
- Take Control News/25-Sep-06
- Hot Topics in TidBITS Talk/25-Sep-06
| AirPort Updates Stop Wi-Fi Exploit
Apple last week released a pair of updates, Security Update 2006-005 and AirPort Update 2006-001, which resolve a trio of related potential exploits in which a local attacker could inject a maliciously crafted frame into a wireless network. In theory, such an attack could cause system crashes, execute arbitrary code, or elevate privileges, though Apple took pains to note that there are no known instances of these exploits. Although you can download the individual updates from the Apple Downloads page (only one is necessary), you must pick the correct one for your machine.
Since AirPort Update 2006-001 covers only two specific builds of Mac OS X 10.4.7 - whereas Security Update 2006-005 handles Mac OS X 10.3.9 and other specific builds of Mac OS X 10.4.7 (with different downloads for 10.3.9 and for PowerPC- and Intel-based Macs running 10.4.7) - we encourage you to let Software Update download the correct version for your system. If you're running Mac OS X 10.3.9 and Software Update doesn't show Security Update 2006-005, you must first install AirPort 4.2 and AirPort Extreme Driver Update 2005-001 (I suspect Software Update will provide them as well).
Although Apple's release notes are terse as usual, these updates undoubtedly come in response to the Wi-Fi exploit demonstrated by David Maynor and Jon Ellch at the Black Hat 2006 conference. Apple did not credit Maynor nor Ellch for these fixes, however, which is an implicit statement that Apple refuses to acknowledge that the two researchers contributed to uncovering the flaws. An Apple spokesperson denied that SecureWorks, the firm for which Maynor works, provided information that led to these patches. Rather, the spokesperson told several media outlets and TidBITS that news of the SecureWorks demonstration prompted Apple to conduct an in-depth code audit that led to identifying these vulnerabilities. (See "Wireless Driver Hack Could Target Macs and Windows," 07-Aug-06 and "Apple Issues Careful Wi-Fi Exploit Denial," 28-Aug-06.) SecureWorks has not responded to any media outlet with additional clarification at press time; the company is also in the middle of a merger, which could be why they're not commenting. What's most important is that Mac users who apply the patches are no longer vulnerable to these particular exploits.
WebCrossing Neighbors Creates Private Social NetworksCreate a complete social network with your company or group's
own look. Scalable, extensible and extremely customizable.
Take a guided tour today <http://www.webcrossing.com/tour>