“Apple on Thursday released a Security and AirPort update for Mac OS X that fixes vulnerabilities found in the company’s wireless drivers. Apple said the issues found were the result of an internal audit of the software drivers and that no known exploits exist for the issues addressed in this update,” Jim Dalrymple reports for Macworld.
“The internal audit came as a result of claims by a senior researcher at SecureWorks that said he had revealed a vulnerability in Apple’s MacBook wireless software driver that would allow him to take control of the machine. SecureWorks later clarified its position and said it had used a third-party driver and not Apple’s driver,” Dalrymple reports.
Dalrymple reports, “Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way. ‘They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,’ Apple spokesman, Anuj Nayar, told Macworld. ‘Today’s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.'”
More in the full article here.
Related articles:
Apple releases AirPort Update 2006-001 and Security Update 2006-005 – September 21, 2006
SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’ – August 18, 2006
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006
Hijacking an Apple Macbook in 60 seconds video posted online – August 03, 2006
Hijacking an Apple Macbook in 60 seconds – August 02, 2006
And what does this have to do with the Zune?
Tommy Boy…..are you sniffing my glue again?
tommy boy
this is a code brown . . simple
There’s only one thing those boys at Secure know how to Work and it’s not a driver
Fantastic.
This SecureWorks situation is a classic case of misinformation. (command control d + mouse over “misinformation” for a explaination)
The fact is Apple DID issue a security update that DOES FIX wireless exploit(s) in Apple hardware/software.
What do you think a “black hat” is anyway? I’m glad they wanted to piss us off or nobody would have ever known about a serious exploit.
Has anyone here worked for Apple security channels? Then you’ll know they want YOU to find the bugs.
Apple is notoriously lazy when it comes to checking their code.
For instance the launchd exploit, a malformed line of code that left all 10.4-10.4.6 Mac’s completely vunerable. Could have been easily caught if code checking software was used before release.
Here again is a update for wireless software, because APPLE DID A INTERNAL AUDIT.
Now why didn’t Apple do this BEFORE RELEASING THE CODE?
I remmember contacting Apple about the URL handler exploits of 10.3, they just ignored my phone calls and emails to their security channels.
Finally when the exploit made the press did Apple act, just like in this case.
SecureWorks did the right thing, they forced Apple to do their own work..
Kudo’s to SecureWorks and thanks for pissing us off and bringing attention to Apple’s lazy security behavior.
l33th@xx0rz posted this FUD in an earlier thread….
Oh yeah, l33th@xx0rz, I guess next time, every Black Hat attendee can film themselves “cracking” a Mac and then say, “Look! We found a security vulnerability is OS X!”
Then a hundred of them can sit around and simple wait for Apple to release a patch for some unrelated issue, and then say, “Oh yeah! Party! We forced Apple to do their jobs by making them aware of security issues in OS X!”
Yeah, right.
l33th@xx0rz’s logic is as ridiculous as his handle. A lot of characters, saying nothing.
133th@xx0rz,
Give us a list of Mac OS X exploits.
Not a list of patched vulnerabilities but a list of exploits.
Not a list of exploits that were publicized by AV software company reps after the patch was released by Apple but a list of Mac OS X exploits that could bring down my computer as I type this.
Hint, there are none.
By the way, here’s a simple explanation that solves the problem of security researchers refusing to share the details of their “research.”
Basically, SecureWorks found indications that there might be a way to hack the wireless protocols. However, they were unable to nail it down in time for the Black Hat conference.
Still, being cock-sure hackers, they felt it would simple be a matter of time. So they rigged a demo to show how the hack was supposed to work even though they hadn’t figured out exactly how to get it working for real. After all, once they figured it out, it would be the same thing as what the simulation showed, right?
Unfortunately, the guys at SecureWorks fell into their own trap. It turned out they were not smart enough to actually come up with the exploit, which explains their absolute refusual to show the details of their exploit to anyone. So they spend the last month doing everything but show the exploit, whether to Apple, 3rd party developers, or other bona fide security researchers.
During this time, Apple finds other vulnerabilities and patches them. The SecureWorks guys are still flailing around trying to get their original exploit to work.
Chances are, with Apple now having done a thorough internal audit, the chances that the original exploit was real just goes down. SecureWorks will put out a lame statement saying, “This is exactly what we intended, to force Apple to fix vulnerabilities in OS X,” which is the logical equivalnet of saying, “We predict a burglary will occur sometime in the future in this country. The government should be doing its job to prevent such burglaries instead of sitting on their asses. You heard it from us, heroes all, for forcing the government to do its job in preventing burglaries.”
Just goes to show you, there is no limit on idiocy these days.
‘Today’s update preemptively strengthens our drivers against potential vulnerabilities …’
You may now return to Defcon 2
” width=”19″ height=”19″ alt=”raspberry” style=”border:0;” />
“Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way.”
I think these guys should crawl back in their hole now they have been exposed as frauds. I mean if they wont take the challenge of replicating it and thus winning two free laptops, then we know they are full of it.
Give us a list of Mac OS X exploits.
Not a list of patched vulnerabilities but a list of exploits.
Not a list of exploits that were publicized by AV software company reps after the patch was released by Apple but a list of Mac OS X exploits that could bring down my computer as I type this.
Ok, I’ll give just one, extremely critical, remote system access exploit for Mac OS X to prove you wrong. There are others, but I’m not here to feed the script kiddies.
secunia.com/mac_os_x_command_execution_vulnerability_test/
Paste this in your url bar, it’s a link to a “proof of concept” at Secunia.com. It’s harmless.
Click the “Test” and watch in horror what happens.
” width=”19″ height=”19″ alt=”smile” style=”border:0;” />
Now to prevent someone using this against you, look at Macupdate.com for “Safe Terminal”
Apple has known about this exploit for ages, only did a partial fix. Still millions are exposed.
Then a hundred of them can sit around and simple wait for Apple to release a patch for some unrelated issue, and then say, “Oh yeah! Party! We forced Apple to do their jobs by making them aware of security issues in OS X!”
Given Apple’s poor security record lately, I’ll take any motivation that brings the security issues to light.
l33th@xx0rz
I clicked, nothing happened. I got a file download dialogue. I clicked No.
“l33th@xx0rz”:
I clicked the ‘test’ link and all that happened was that some file downloaded and then did nothing. What is so horrifying about this?
l33th@xx0rz you are a total joke. With a nickname like that, I would say YOU are a script kiddie WANNABE ! You should change it to A$$H0L3 !
By the way, I’ve clicked that Secunia test and nothing happened. What an exploit….
You couldn’t find an exploit on a PC running Windows 1.0 ! Grow up!
l33th@xx0rz
1. I clicked the link.
2. It asked me to authorize the download, which I did.
3. I had to manually open up the “Secunia.mov” file (which looked like a Terminal document, not a QuickTime movie). Running the script opened Calculator, so I’m vulnerable. Yippea!
That’s a social engineering exploit. I could write one of those in Applescript.
Nothing to worry about.
“Given Apple’s poor security record lately, I’ll take any motivation that brings the security issues to light.”
You’re trying to be funny, right? There’s yet to be a Mac OS X exploit in the wild after 5 years. Windows has a new exploit in the wild every 5 minutes. What does Microsoft do about them? How many CPU cycles does the average Windows box waste running 3rd party AV software? Does Microsoft even care? Apparently not enough to eliminate the registry and ActiveX. It was a Windows server, not Mac, not Unix, not Linux that allowed millions of credit card accounts to be compromised recently in Arizona. Let’s face facts. Nobody bothers pointing out security flaws in Windows because it’s not news. The average 12 year old can write one. Get a life.
John Gruber, as usual, has an awesome take on the issue. http://daringfireball.net/
and concerning the BlackHat shown on a MacBook, Apple explicitly says:
This issue affects Power
Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini,
MacBook, and MacBook Pro computers are not affected. There is no known exploit for this issue.
Not affected: MacBook and MacBook Pro. One more proof the demo at BlackHat was really bad thing to do.
l33th@xx0r you are PATHETIC.
What’s there to see in that link. OHHHHH the horror: nothing happened.
P A T H E T I C
’nuff said.
l33th@xx0r, without going into the details of what happens in the “OH MY, HORROR” things that makes you so much worried. There is NO WAY any OS could protect the users from their own idiocy. I could send you an Applescript that wipes out you HD if you follow instructions and click YES when OS X asks you “Are you truly 100% sure you want to do this?”. And you click yes.
No computer is safe in the hands of idiots: I now understand why you feel unsafe.
Didn’t work on my machine running Firefox. A download window popped up telling me: You have chosen to open Secunia.mov.zip. . . .
Now go back down to the basement and keep working on your perpetual motion machine.
Done via software update sans any probs.