Apple fixes yet another AirPort security hole
 
Apple today released, via Software Update, a fix to yet another AirPort bug that could result in decreased security for certain Intel Macs (apparently Core Duo Macs, but not the more recent Core 2 Duo ones) on wireless networks. This bug, like some of the others, was found as part of last year’s Month of Kernel Bugs project (not, as has been incorrectly reported, as part of this month’s Month of Apple Bugs project by the same researchers).
 
The bug enables a nearby attacker to crash your Macintosh, and, theoretically but probably not practically, take control of it (Apple only acknowledges the crash part in the documentation accompanying the fix).
 
Despite the recent MOAB project (actually, partially because of it), Mac OS X has proven to have very few significant vulnerabilities. But AirPort (WiFi) has been a somewhat glaring exception to that rule (over 10% of the entries in this blog have talked about it). AirPort’s vulnerabilities are also particularly worrisome because they can be exploited by a local attacker even if your machine is not on the Internet. It’s unlikely your neighbor will try to attack you, but it’s much more likely someone will sit in, or near, a local coffee shop looking for “marks.”
 
AirPort/WiFi is one of the areas we expanded our coverage on in the just-released update to our book. Here’s part of that expanded coverage:
 
  1. Rogue access points have also recently been used to try to hack into machines that just happen to be in their vicinity. Using vulnerabilities discovered in machines’ underlying wireless software, it’s theoretically possible that a rogue access point could take over a machine even if that machine doesn’t try to join a wireless network. Apple has recently found and fixed a couple vulnerabilities in Mac OS X in this area.
 
So it’s highly recommended that, if you use wireless, you spend some time going through Chapter 16 of the new book and doing whatever you can to secure your machine. And of course install Apple’s most recent update if it applies to you.
  1.  
 
Friday, January 26, 2007