Daring Fireball’s John Gruber writes, “With a headline like ‘Hijacking a Macbook in 60 Seconds or Less,’ or his quote from exploit co-discoverer David Maynor saying ‘if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,’ where would anyone get the idea that the point of Krebs’s post was to pick on Macs? Or, more accurately, to generate a sensational amount of attention by playing off the Mac’s sterling reputation for security?
Gruber asks, “Did Krebs see the exploit work against a MacBook’s built-in AirPort card? He says he stands by his reporting, but he did not report that the exploit works against the MacBook’s built-in AirPort driver; he reported that Maynor and Ellch told him that it works against the MacBook’s built-in AirPort driver. ‘I stand by that they told me the built-in driver is expoitable’ is very different than ‘I stand by that the built-in driver is exploitable.’
Gruber writes, “If it’s true that this exploit does work against the MacBook’s built-in AirPort driver, it’s one of the most serious security exploits ever discovered against Mac OS X. Basing their demo video on a third-party card makes matters worse, not better, because it creates the perception that the majority of MacBook users are safe because they aren’t using third-party cards.”
Gruber writes, “Krebs’s shoddy reporting leaves nearly all the important questions regarding this exploit unanswered. What about other models? Are MacBook Pros exploitable as well? PowerBooks? iBooks? Desktop Macs that use AirPort? Is a Mac vulnerable in its default out-of-the-box configuration? For example, by default, Mac OS X is configured to ask for confirmation before joining an unknown open Wi-Fi network. Does this exploit require that this setting (in the Network panel in System Preferences) be changed to allow joining unknown open networks automatically? Are any other changes to the default networking configuration required to allow this exploit to work? Is there anything Mac users can do to protect themselves other than completely disabling AirPort?”
Full article here.
[Thanks to MacDailyNews Reader “Rainy Day” for the heads up.]
MacDailyNews Take: What exactly is going on here? Any ideas?
Related MacDailyNews articles:
Hijacking an Apple Macbook in 60 seconds video posted online – August 03, 2006
Hijacking an Apple Macbook in 60 seconds – August 02, 2006