AirPort Security Update and the Hypothetical MacBook Wi-Fi Hack

Today's AirPort security update from Apple reignites August's "MacBook Wi-Fi Hack" saga.

The first issue, CVE-2006-3507, "affects Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected." I believe this corresponds to Macs whose AirPort cards use Broadcom chipsets.

The second issue, CVE-2006-3508, "affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected." This list of affected computers corresponds to the machines whose AirPort cards are based on Atheros chipsets.

Under all normal circumstances, Mac users don't have to worry about these AirPort chipset differences — from a user's perspective, AirPort is AirPort, and the UI for turning it on and off and configuring it is the same regardless of which chipset constitutes the guts of your machine's AirPort card. But because the chipsets are entirely different, they require separate low-level driver software, and thus two separate patches.

Apple's description of the first, CVE-2006-3507:

Two separate stack buffer overflows exist in the AirPort wireless driver's handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges.

Apple's description of the second, CVE-2006-3508:

A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges.

I am by no means a device driver programmer, but my reading of these descriptions is that the two patches are not identical (a stack and a heap are different things, for one), but that, broadly speaking, they address the same kind of problem: the driver's handling of "malformed" or "maliciously-crafted" Wi-Fi "frames".

The third issue, CVE-2006-3509, also deals with "maliciously-crafted" frames, this time triggering an integer overflow, but not in a specific driver; it is in the AirPort API used by third-party wireless software. It affects only the MacBook, MacBook Pro, and Intel-based Mac mini.

All three descriptions include the following statements:

  • "There is no known exploit for this issue."
  • "This update addresses the issue by performing additional validation of wireless frames."

Apple further notes that there are no known applications affected by the third issue.

"No known exploit" does not just mean that there aren't any attacks in the wild; it means no one has demonstrated to Apple a way to take advantage of these frame validation issues. They fixed them to eliminate potential exploits, not to address actual, known ones.
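Apple's three descriptions name the bug class (a driver trusting a length carried in a "maliciously-crafted" frame) and the fix ("additional validation of wireless frames") but show no code. The C below is an added example written for this page; it is not Apple's driver code and not anything Maynor, Ellch or SecureWorks released. It walks the information elements of an 802.11 management frame body (each encoded as an id byte, a length byte and that many value bytes) twice: once in the unchecked shape that copies whatever length the frame claims into a 32-byte SSID buffer, and once with that length checked against both the remaining frame bytes and the destination. The frame bytes, buffer size and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustration only: not Apple's driver and not the Maynor/Ellch demo.
 * An 802.11 management frame body carries information elements (IEs),
 * each encoded as [id:1][len:1][value:len]. The SSID IE has id 0; a real
 * SSID is at most 32 bytes, but the len byte from the air can say up to
 * 255. The fixed fields that precede the IEs are omitted here. */
#define IE_SSID       0
#define MAX_SSID_LEN  32

struct scan_entry {
    char ssid[MAX_SSID_LEN + 1];   /* fixed-size destination */
};

/* Unchecked shape (the bug class): copies `len` bytes without comparing
 * len to the destination size or to the bytes left in the frame. A
 * crafted frame with len > 32 overruns `ssid`; whether that is a stack
 * or a heap overflow depends only on where the caller allocated `e`.
 * Only ever call this with benign input; it exists to show the gap. */
void parse_ssid_unchecked(const uint8_t *body, size_t body_len, struct scan_entry *e)
{
    size_t off = 0;
    while (off + 2 <= body_len) {
        uint8_t id = body[off], len = body[off + 1];
        if (id == IE_SSID) {
            memcpy(e->ssid, body + off + 2, len);  /* no bound on len */
            e->ssid[len] = '\0';
            return;
        }
        off += 2 + len;
    }
}

/* Checked shape: each element length is validated against the bytes
 * remaining in the frame and, for the SSID, against the destination
 * before anything is copied. Returns 0 on success, -1 if the frame is
 * malformed or carries no SSID element. */
int parse_ssid_checked(const uint8_t *body, size_t body_len, struct scan_entry *e)
{
    size_t off = 0;
    while (off + 2 <= body_len) {
        uint8_t id = body[off], len = body[off + 1];
        if ((size_t)len > body_len - off - 2)
            return -1;  /* element claims more bytes than the frame holds */
        if (id == IE_SSID) {
            if (len > MAX_SSID_LEN)
                return -1;  /* would overflow e->ssid */
            memcpy(e->ssid, body + off + 2, len);
            e->ssid[len] = '\0';
            return 0;
        }
        off += 2 + len;
    }
    return -1;
}

/* Constructed frames for the demo (not captured traffic). */
static const uint8_t benign_frame[] = {
    0xDD, 3, 0x00, 0x11, 0x22,                 /* id 221, len 3 */
    IE_SSID, 6, 'l', 'a', 'b', '-', 'a', 'p',  /* id 0, len 6: "lab-ap" */
    0x01, 2, 0x82, 0x84                        /* id 1, len 2 */
};
/* SSID element whose len byte (200) fits inside the frame but is far
 * larger than the 32-byte destination: the overflow case. */
static uint8_t oversize_frame[2 + 200];
/* SSID element that claims 60 bytes when only 8 follow: the truncated case. */
static const uint8_t truncated_frame[] = { IE_SSID, 60, 'A','A','A','A','A','A','A','A' };

/* Returns 1 if both parsers agree on the benign frame's SSID. */
int demo_benign_ok(void)
{
    struct scan_entry a = {{0}}, b = {{0}};
    parse_ssid_unchecked(benign_frame, sizeof benign_frame, &a);
    if (parse_ssid_checked(benign_frame, sizeof benign_frame, &b) != 0)
        return 0;
    return strcmp(a.ssid, "lab-ap") == 0 && strcmp(b.ssid, "lab-ap") == 0;
}

/* Returns 1 if the checked parser rejects the oversize SSID. */
int demo_oversize_rejected(void)
{
    struct scan_entry e = {{0}};
    oversize_frame[0] = IE_SSID;
    oversize_frame[1] = 200;
    memset(oversize_frame + 2, 'A', 200);
    return parse_ssid_checked(oversize_frame, sizeof oversize_frame, &e) == -1;
}

/* Returns 1 if the checked parser rejects an element running past the frame. */
int demo_truncated_rejected(void)
{
    struct scan_entry e = {{0}};
    return parse_ssid_checked(truncated_frame, sizeof truncated_frame, &e) == -1;
}

int main(void)
{
    printf("benign parsed:      %s\n", demo_benign_ok() ? "yes" : "no");
    printf("oversize rejected:  %s\n", demo_oversize_rejected() ? "yes" : "no");
    printf("truncated rejected: %s\n", demo_truncated_rejected() ? "yes" : "no");
    return 0;
}
```

The unchecked parser is deliberately called only on the benign frame; feeding it the 202-byte frame would actually corrupt memory rather than demonstrate anything. In this illustration the only difference between a stack overflow and a heap overflow is where the caller allocated the destination, which is the distinction between Apple's first two descriptions; the check that closes both is the same length comparison.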

Regarding David Maynor and Jon Ellch

If last month's "Hijacking a MacBook in 60 Seconds or Less" saga had not happened, this would not be a particularly noteworthy security update. But that saga did happen, so the update is noteworthy. Apple has gone on the offensive, issuing statements to the press that make clear these fixes do not address any specific vulnerability reported by David Maynor, Jon Ellch, or SecureWorks.

Apple spokesman Anuj Nayar told Macworld's Jim Dalrymple:

"[SecureWorks] did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit. Today's update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac."

My translation of “we are open to hearing from security researchers on how to improve the security” is “We’re not in the business of besmirching the reputations of security researchers who report problems in Mac OS X, but we are not going to sit back and take it when someone grossly exaggerates or lies about a threat.”

Nayar told the Washington Post's Brian Krebs (Krebs, of course, being responsible for the original media frenzy):

"Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn't supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws."

If the scope of Maynor and Ellch's original claim had been "We have not found any actual attack against Apple's AirPort drivers, but believe such vulnerabilities may exist because the drivers do not guard against malformed frames," they could justifiably take some pride in having instigated Apple's audit.

But that is not what Maynor and Ellch claimed. Their video demonstration against a third-party (i.e., not from Apple) USB Wi-Fi card showed an attacker obtaining a remote shell on the attacked machine, and their statements indicated that they had found similar vulnerabilities in Apple's built-in drivers. Krebs today reiterated his claim that Maynor privately showed him an attack against a MacBook using its built-in AirPort card:

I first wrote about this issue at the Black Hat hacker conference in Las Vegas roughly two months ago, where I witnessed security researcher David Maynor compromising a Macbook from a Windows machine remotely using what he said were flaws in the built-in wireless drivers.

The videotaped demo produced by Maynor and colleague John Ellch shown to Black Hat attendees deliberately used a third-party USB wireless card plugged into a Macbook. To demonstrate the exploit with the Apple wireless drivers before giving the company time to inspect and fix them, they argued, would be irresponsible.

According to Apple, Maynor and Ellch never showed them any such exploit, and Apple remains unaware of any such attack. So it appears that Maynor and Ellch believed the AirPort drivers' handling of malformed frames was flawed, but one of the following must be true:

  • Maynor and Ellch did not find an actual exploit against Apple's built-in AirPort drivers, but bamboozled and lied to Brian Krebs (and let's not forget George Ou) that they had.

  • Maynor and Ellch did find such an exploit, but never showed or proved it to Apple.

  • Maynor and Ellch did find such an exploit and showed it to Apple, and Apple continues to lie about what Maynor and Ellch showed them.


Here's a loose analogy. Imagine Apple's AirPort code as an office building where, previously, it was assumed that intruders (malicious Wi-Fi frames) could not get past the front doors, and so everyone inside the building was taken to be a legitimate employee (a legitimate Wi-Fi frame) and was free to do as they pleased. Now (i.e., after the security update), after anyone enters the building, their identity is checked ("additional validation of wireless frames").

In this analogy, Maynor and Ellch's demo video is the equivalent of an intruder entering the building, walking into the executive suite, and taking a dump on the CEO's desk. But according to Apple, Maynor and Ellch never demonstrated that they could get through the front doors; they merely suggested that Apple ought to validate Wi-Fi frames as a precaution.

So Krebs is wrong when he writes today:

But one thing now appears quite clear: The built-in wireless device drivers are indeed vulnerable to exploitation in a manner very similar to what Ellch and Maynor detailed in their presentation.

Because this is not clear at all. Apple's AirPort code now performs additional validation to guard against such attacks, but there is still no evidence that any such attack exists (or existed before the security update shipped). What is clear is that Apple found ways in which they might have been vulnerable.

As I summarized in "The Curious Case of the Hypothetical MacBook Wi-Fi Hack":

It is a simple yes or no question: Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple’s built-in cards and drivers? That Maynor and Ellch haven’t answered it speaks volumes.

Apple today supplied their answer: yes, AirPort had flaws that needed fixing, but no, Maynor and Ellch neither found nor exploited them.

The only way Maynor and Ellch's credibility survives is if Apple is lying. If that's the case, Maynor and Ellch can simply step forward and prove it. At the end of his coverage of today's security update, Glenn Fleishman writes:

The next step here, if Maynor and Ellch are still maintaining that they had discovered a vulnerability as related by Brian Krebs's reporting on it, is for the two researchers or SecureWorks to release everything they have on this to show that Apple is being disingenuous. Because SecureWorks is now off the hook, right? I don't think there's a chance that we'll see that happen.

That Apple would be lying about any of this isn't credible; that's a huge risk for a multi-billion-dollar public company to take. I believe this might be the last we hear about this.

Let's hope so.