An Update on the MacBook Wi-Fi Exploit Challenge

My “hijack this brand-new MacBook via Wi-Fi and it’s yours” challenge to David Maynor and Jon Ellch has not yet been accepted, but I have a few additional points to address.


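Jim Thompson, who has engaged with me several times over my own coverage of this issue, has offered a second, matching MacBook if Maynor and Ellch succeed at my challenge. Not only does this double the prize, it should also make it easier for Maynor and Ellch to split their winnings; splitting a single MacBook wouldn’t have been much fun anyway.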


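Dozens of DF readers have emailed offering donations to cover the cost of the MacBook if I lose the challenge. This is both generous and encouraging, and I sincerely thank everyone who offered. For now, though, please keep your money. If I lose (a big “if”, in my view), I will set up a DropCash campaign for people to contribute to. But I am fully willing to bear the cost of this challenge myself if I lose.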




That is not the case. The Washington Post’s Brian Krebs, who broke the original story, wrote the following in a follow-up the next day:

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers — mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.


I have several times now asked SecureWorks to share with me more specific information to back up their claims, but so far I have received no further details. If I hear back from SecureWorks with any more material information, I will update the blog.


[Q:] I saw some people quote you as saying the bug is in the built-in in card and other people quote you as saying as its [SIC] not, who is right?

[A:] Both of them are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in [SIC] card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.


When repeatedly asked different formations of the obvious question as to why they chose to demonstrate their exploit against a third-party wireless card and driver, they have never responded by saying “Because we have not found a way to perform this exploit against the built-in MacBook card and driver.” Instead, they’ve said, more or less, that they don’t want to demonstrate this exploit against the built-in card.


It makes no sense to me that they won’t even confirm the existence of a similar exploit against the stock MacBook driver and card. Why not? So that some malfeasant wouldn’t get the idea to investigate and discover the details for himself? Surely that is no less likely to happen given what has actually transpired.

Why refuse to say “yes” or “no”, and instead hint that there might be one? Their ambiguity makes it every bit as likely that a malfeasant would investigate on his own as if they had come right out and said, “We have identified a vulnerability in the default MacBook Wi-Fi driver and card, but we are not releasing any details of this vulnerability until Apple has time to issue a patch.” “We have found an exploit” is not much different than “we may or may not have found an exploit” in this regard.



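There is also rampant speculation that Maynor and Ellch are now saying nothing about this issue because they have been threatened by Apple Legal. See, for example, the allegation in Krebs’s original report that “Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers”.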

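However, as MDJ pointed out last week (as part of their excellent feature article on the saga), when Krebs subsequently published the “verbatim” transcript of his interview with Maynor, it contained no mention of any such threat. From MDJ 2006.08.30: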

For example, at one point in the transcript, Maynor says that to do the raw packet injection that the exploit requires, “we had to build our own custom kernel.” Krebs, distressingly, does not ask if that means the MacBook is running a modified kernel, one that might be more vulnerable than the one everyone else is running. Also missing from the transcript: the part of the interview where Maynor says that Apple, or in fact any vendor, pressured him not to demonstrate the exploit. In the “verbatim” transcript that Krebs posted, Maynor mentions Apple only twice: once to say that it’s “cool” they can demonstrate the problem on an Apple computer, and once to say that he and Ellch “talked to Apple today.” Even that’s not clear, as we’ll see shortly.

Last weekend, on the “Dailydave” mailing list, Jon Ellch broke his silence on the saga and wrote:

As everyone has noticed by now, we haven’t said anything in public about this attack yet. There are two reasons.

1) Secureworks absolutely insists on being exceedingly responsible and doesn’t want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation.

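It is certainly not unreasonable to suspect that, at some point in this saga, Maynor/Ellch/SecureWorks were contacted by Apple Legal. However, if they were, why the elliptical allusions to the threat? If they know about an exploit and can’t say anything about it because they’ve been threatened by Apple Legal, they should at least be able to say “We can’t say anything because Apple has filed an injunction against us.” An injunction prohibiting them from commenting on the exploit wouldn’t disallow them from acknowledging that they’d received such an injunction. Apple Legal can’t simply impose a “You won’t talk about this exploit, and you won’t even say that you’re not allowed to talk about this exploit” gag order on them. Gag orders can only be issued by a court, and they are hard to obtain. When they are issued, they apply to both sides, not just one. Given Apple spokesperson Lynn Fox’s statement two weeks ago, it seems extremely unlikely that one has been issued here.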


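If Maynor/Ellch/SecureWorks have been bullied by Apple, that would be a real shame, and when it comes to light, I will be as outraged as anyone. It certainly wouldn’t be the first time I have criticized Apple’s response to a security issue. So far, however, we have seen no evidence that this is the case.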


  1. More expensive than the black one.