Warning: The Content in this Article May be Inaccurate
Readers have reported that this story contains information that may not be accurate.
49 Comments
- Cannon13, on 10/12/2007, -9/+44 Let's see here;
- There are no known exploits of any of these vulnerabilities.
- Apple has released an update fixing all of them.
- Secureworks was never able to even prove their existence.
But everyone diggs it anyways because it's a *potential* flaw in Macs. Go figure.
- bt0127, on 10/12/2007, -2/+15 They didn't give credit to David Maynor because he didn't discover the flaws.
- cmiller1, on 10/12/2007, -1/+12 uhhh... didn't you see the whole controversy over that video and those "hackers"?
- caliform, on 10/12/2007, -4/+11 Oh, that website isn't a sensationalist if I ever saw one:
"611 Defects, 71 Vulnerabilities Found In Firefox"
Oh yeah, that's a real accurate headline.
- mww2, on 10/12/2007, -5/+12 Yep. Because it's legitimately inaccurate.
- rasterbator, on 10/12/2007, -1/+6 The story references the Black Hat conference hack, which was proven to be false, and the dudes who presented it were called out on daringfireball.org
Inaccurate
The issues they fixed were not the ones presented at the Black Hat conference, because that presentation was fake. And if your wireless is insecure, any platform is vulnerable, NOT just Apple. And this most likely would only affect IDIOTS who run in Administrator mode on OS X platform, in which many articles have come out telling users to NOT run in Administrator mode.
- theheadguy, on 10/12/2007, -6/+11 This is too funny. Did CNET or Joris Evers (the writer) report this BEFORE the
FIX was out? Their late reporting and spin on the title makes this
less serious and more of a joke.
Also, he links to a video that has been proven to be a fake. Time to
send this to the corrections page. Morons.
- smeager, on 10/12/2007, -3/+8 @arthurbarnhouse
You are correct. Here is an out-cert from a MacWorld Article on this:
Apple on Thursday released a Security and Airport update for Mac OS X that fixes vulnerabilities found in the company’s wireless drivers. Apple said the issues found were the result of an internal audit of the software drivers and that no known exploits exist for the issues addressed in this update.
The internal audit came as a result of claims by a senior researcher at SecureWorks that said he had revealed a vulnerability in Apple’s MacBook wireless software driver that would allow him to take control of the machine. SecureWorks later clarified its position and said it had used a third-party driver and not Apple’s driver.
Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way.
“They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,” Apple spokesman, Anuj Nayar, told Macworld. “Today’s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.”
http://www.macworld.com/news/2006/09/21/wireless/index.php
Besides David Maynor even said that the vulnerability was with a "third-party" device and not the one provided / installed by default by Apple.
I will tell you one thing, my wifi on my iMac G5 works better than ever after this update.
- StarManta, on 10/12/2007, -1/+5 The curious thing is that we still don't know whether Secureworks actually found anything in Airport or not. On the one hand, there is (was) a vulnerability, which suggests they might have.
But on the other hand, Apple says SW never provided them details of the exploit, which I would expect would be their first order of business - especially given the face they put on to the public.
Further, the fact that they did not respond to the opportunity for a free Macbook seals the deal for me in that they didn't actually find one.
But Apple did.
- AssProphet, on 10/12/2007, -6/+10 Yep.. I just decided to randomly run software update a few hours ago, before this story even hit digg, and I wondered why I had an airport update... Talk about being on the ball! I wonder how long it will be before IE is fixed.
- klawz, on 10/12/2007, -2/+5 Yea and if MS said the same thing, in the same context, for the same issue, in the same circumstances, people would call them liars, and political posturing.
- VanillaBaron, on 10/12/2007, -0/+3 No, the article didn't suggest that. Read it again.
It mentions the updates, it mentions the prior "hack", but it only ever links the two by quoting Apple's denial of any association.
This article is not inaccurate, because it does NOT suggest or imply a link between these latest updates and the Systematic hack/nonsense/whatever it was.
- colincornaby, on 10/12/2007, -2/+5 "who the hell said windows?
I read "What hacker would want a mac"
no "what hacker would want a mac, they all use windows"
so what the hell are you on about?"
Ummmm... If a hacker is going to want *nix why the hell would they have a problem with owning a Mac?
- meatmcguffin, on 10/12/2007, -2/+5 Macbook prize? I think you might be talking about daringfireball.net and the unrelated attack a while back. The author challenged the 'hackers' to repeat their performance using standard Apple components instead of the non-standard easy-to-hack ones that they used the first time around. Seeing as the hack has been scrutinised for months all over the web followed by Apple releasing a first-of-its-kind airport update, i reckon the hackers would've lost miserably.
And i'm guessing the kind of hacker that wants a mac is the kind of hacker that is fed up with easy targets and wants a challenge.
- arthurbarnhouse, on 10/12/2007, -3/+6 Nope. Apple says this came from an internal audit of the airport and its firmware. Systematic has still not given them any information about the supposed exploit that was shown at the black hat expo.
- maninblac1, on 10/12/2007, -0/+3 I smell a rat, i don't know, but all of it seems fishy to me, secureworks makes the claim, gives no proof, apple patches a wi-fi exploit on the drivers. Which is as secureworks claims, either this is very peculiar coincidence, or i smell a rat.
As i see it, apple looked for the bugs claimed and found them, the fact that secureworks never pointed them out is also suspect, but for secureworks to say hey we found something, then a few weeks later someone finds something. Interesting if you ask me. Now you can say that enough monkeys with enough typewriters etc etc, but given apple's pretty solid security record, it's a pretty shady coincidence if you ask me.
- outrageous1, on 10/12/2007, -1/+3 Of course they found it during an internal audit ... as soon as the BlackHat report went out on the third party stack, they got scared and started to poke around in their stack. That's just CYA testing.
- StarManta, on 10/12/2007, -3/+5 "and have never been on a date, much less hacked anybody without some program they downloaded on Limewire."
You say that as if the Linux-using hackers have ever been on dates.
- inactive, on 10/12/2007, -2/+4 For those of you that didn't take the time to READ the article:
"But Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, the representative said."
- colincornaby, on 10/12/2007, -5/+7 "What kind of hacker wants a mac?"
I guarantee you, no serious hacker would want Windows. Hell, if you try to use Windows in a lot of computer science classes you'll be laughed out of the room. Serious hackers and geeks use *nix, whether it's Linux, plain jane UNIX, or Mac OS X. The kinds of hackers that actually USE Windows are the kind that live in their parents' basement, wear glasses, and have never been on a date, much less hacked anybody without some program they downloaded on Limewire.
- colincornaby, on 10/12/2007, -1/+3 Of note, this isn't the same flaw that those two hackers found. Apple never got a demonstration from those guys, or was contacted by them at all. Instead, they did an internal audit and found a few bugs that could be used as points of entry. This is what the patch fixes. The two hackers have still not demonstrated a flaw in the default Airport setup.
- maninblac1, on 10/12/2007, -0/+1 I'm saying that either systemworks was taking a shot in the dark and won. Or apple is hiding the fact that they were right.
- TheReport, on 10/12/2007, -1/+2 "What kind of hacker wants a mac?"
One who has access to bash...
- porkstacker, on 10/12/2007, -1/+2 This inaccurate ***** again? Who keeps posting this crap?
- mbish0p, on 10/12/2007, -0/+1 Just because people see through it, doesn't mean they didn't read it.
- Doogie125, on 10/12/2007, -0/+1 Also, Maynor and Elch ought to be in pretty good shape to say, "I told you so!" if they can prove that these were the same vulnerabilities that they were talking about.
This time they will likely be prepared for some close scrutiny.
If they did find these and lit a fire under Apple's (vulnerable spot) then congratulations and *** THANKS! *** from a PowerBook user.
- porkstacker, on 10/12/2007, -0/+1 "uhhh.. didnt u geeks alrdy c this video.. ya kno the one where the guy completely pwns a mac computer in the same room using wifi... creates files and deletes em... bout 5 months ago...."
Wow, you do not know how to spell complete words!!! Please finish 3rd grade before posting on Digg.com... besides, shouldn’t you be doing your homework before your mom comes home?
- arthurbarnhouse, on 10/12/2007, -1/+2 I guess I don't understand the implications of your statement. Are you suggesting that Apple isn't crediting Systematic for their work in an effort to discredit them while releasing a patch for the exploit? Or are you suggesting that the patch is related to the exploit, but Systematic still hasn't offered help?
- timdorr, on 10/12/2007, -2/+3 "Started"?
http://docs.info.apple.com/article.html?artnum=25631
http://docs.info.apple.com/article.html?artnum=300667
http://docs.info.apple.com/article.html?artnum=61798
Apple's been addressing security issues for years now.
- meatmcguffin, on 10/12/2007, -4/+5 Ignore. Stupid bloody comment system
- haxorthematrix, on 10/12/2007, -0/+0 There is a duplicate of this story. I said it on that one, and I'll say it on this:
Looks like the guys over at Pauldotcom Security Weekly told every one so:
http://www.pauldotcom.com/2006/09/10/hi_im_a_mac.html
Ha-Ha!
- Focher, on 10/12/2007, -0/+0 What actually might be interesting would be a clarification that the security exploit probably requires the exploiter to already be on the wireless network. Therefore, it would only work on an open AP or where the exploiter has already managed to join the encrypted network.
- arthurbarnhouse, on 10/12/2007, -2/+2 Is inaccurate. The article suggests this is directly related to the black hat exploit, which it is not. Systematic has not offered any proof of the exploit, and this patch has come from an internal audit on Apple's part of the macbook wifi.
- Doogie125, on 10/12/2007, -0/+0 Clearly Apple, Maynor and Elch all have incentives both to lie and to tell the truth and perhaps use some mixture of truth and fiction. What do any of the parties have to gain or lose?
Apple clearly is going to look bad if it is implying very strongly in its advertising that it is secure and somebody demonstrates that it is not. How does this compare to claiming that there is no vulnerability when one does in fact exist? They'll look worse if people think that they were lying. On balance, I'd say Apple would be better off telling the hard truth if an exploit exists.
Maynor and Elch made an extraordinary splash by claiming that they had found an exploit in Macs. This is the upside for them, whether the story is true or not. In the end, their names are known whether or not their allegations are true. Their coyness since the Blackhat conference has simply added fuel to the fire. What is the downside for them? Perhaps that Elch's book will drop lower than its current Amazon sales rank among books of #768,228? I wonder if the number would be that high without all of the free publicity?
- Murdats, on 10/12/2007, -4/+3 who the hell said windows?
I read "What hacker would want a mac"
no "what hacker would want a mac, they all use windows"
so what the hell are you on about?
- kungfuhacker, on 10/12/2007, -2/+1 To everyone who still thinks this has nothing to do with Maynor and Cache's research, where is the evidence that their talk is a fraud? How about this, let's see what they come up with for Toorcon before you start ripping them apart:
http://toorcon.org/2006/conference.html?id=5
"Apple would never lie."
Apple has something to gain by lying, cache and maynor have nothing to gain by lying.
So, back off, and get all your facts straight. Oh, BTW, Steve Jobs just called and asked that all Mac users jump off a bridge (splash, splash, splash....)
- Soulhuntre, on 10/12/2007, -6/+3 Apple would never lie.
- inactive, on 10/12/2007, -7/+3 NOT inaccurate.
- straylight, on 10/12/2007, -5/+1 not at all related to the BH presentation.....riiiggghhhhtttt.
- 0siris, on 10/12/2007, -13/+6 Everyone? I count 30 diggs... front page already..
Gotta love the Apple Section.
- Crypty, on 10/12/2007, -12/+5 Didn't some apple fanboy blogger dare those hacker guys to do just this, promising a macbook prize?
I don't think they ever took the dare, but I guess we know who would have won.
- tehbishop, on 10/12/2007, -8/+1 damn Mac fanboys are as bad as the Neocon bushlovers, what gives?
- DealCracker, on 10/12/2007, -12/+5 Oh noooooooooooo Mr Jobbs!
- mikeyuf, on 10/12/2007, -12/+4 Wow, the story isn't inaccurate yet.. I'll give it time.
- CBTF, on 10/12/2007, -13/+5 What kind of hacker wants a mac?
- nayr, on 10/12/2007, -23/+12 As much as I love apple, I'm not surprised to see this. It was only a matter of time before people started seriously trying to bump the mac from the 'secure' podium. I'm glad to see them coming out and really addressing this.
- battlecow, on 10/12/2007, -13/+2 uhhh.. didnt u geeks alrdy c this video.. ya kno the one where the guy completely pwns a mac computer in the same room using wifi... creates files and deletes em... bout 5 months ago....
- DealCracker, on 10/12/2007, -15/+3 Your and MAC, not a PC!
- themepsp, on 10/12/2007, -26/+4 I think it's lame that they did not give credit to David Maynor. What a bunch of babies.. ;( They also did this to me when i reported some flaws in OS X. You can find them here:
http://security-protocols.com ;)

