Three critical holes in Apple's Airport driver
Apple has released new drivers that close four critical security holes in the Mac OS's WLAN support. Attackers could use rigged WLAN packets to plant and execute malicious code on vulnerable systems in their physical proximity. Three of the holes are related to buffer overflows on the stack and the heap and could allow code to be executed with system rights. The modifications affect Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve and Mac mini computers based on PowerPC that use Airport. Mac mini, MacBook and MacBook Pro computers equipped with Intel hardware are not affected.
The cause of the fourth hole is a buffer overflow in the API for WLAN software from third-party manufacturers. This would only allow for a smuggled program to be launched with the registered user's privileges. Unlike the three holes mentioned above, this hole affects only systems with Intel chips: Mac mini, MacBook and MacBook Pro. This hole is not found on PCs based on PowerPC chips.
Apple has released updates for Apple Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.7 and Mac OS X Server 10.4.7 that remove the problem. Apple has reported that it has not observed any exploits circulating that take advantage of the vulnerability, but is nevertheless recommending that users apply the patches as soon as possible.
Back during the Blackhat conference in August, security specialists David Maynor and Jon Ellch suggested that the Mac OS faced a serious problem, but came under heavy criticism because they declined to publish any further details on the matter. They instead hinted that Apple had muzzled them. Apple for its part disputed any knowledge of critical holes in the wireless functionality of its software. In early August, security concerns also forced Intel to update the WLAN drivers for Centrino laptops.
- About the security content of AirPort Update 2006-001 and Security Update 2006-005, problem description from Apple