Apple Plugs Wi-Fi Security Holes

Apple on Friday issued a security update for Mac OS X that plugs a trio of holes in its wireless network subsystem, which could potentially allow an attacker to take control of an affected system. All three of the patches involve Mac OS X version 10.4, while one is also for version 10.3.

"Attackers on the wireless network may cause system crashes, privilege elevation, or arbitrary code execution," Apple says of two of the fixes. One involves a heap overflow the AirPort wireless driver's handling of scan cache updates. The other covers two stack buffer overflows in the AirPort wireless driver's handling of malformed frames.

The third patch resolves an issue with third party wireless drivers and software that could cause the operating system to crash or execute arbitrary code. "An integer overflow exists in the Airport wireless driver's API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage," Apple says.

The company notes that no application is known to be affected by this flaw, which only involves Intel-based Macs. The patch is still notable, however, due to claims at the Black Hat conference in August that an Apple MacBook could be compromised in less than 60 seconds due to a buggy wireless driver.

The individuals behind this claim, David Maynor and Jon Ellch, approached Apple on the subject but never provided specifics of the alleged flaw - which they demonstrated on video using a third party USB wireless network adapter. The claims drew fire from Mac enthusiasts who questioned their validity, and both Maynor and Ellch have since refused to provide more details.

As a result, Apple initiated a security audit on its own, which led to the discover of the flaws patched Friday. The company is quick to point out that there is no actual exploit for the third party driver issue, but it could foresee an issue with unchecked wireless frames, which now get additional validation following the update.

"By this analogy, Maynor and Ellch’s demonstration video was the equivalent of an intruder entering the building, walking into the executive suite, and taking a dump on the CEO’s desk. But according to Apple, Maynor and Ellch never demonstrated that they could get through the front door — they merely offered the suggestion that Apple should validate Wi-Fi frames as a precaution," remarked Mac pundit John Gruber, who has been following the story.