Apple releases AirPort Update 2006-001 and Security Update 2006-005

Apple today released AirPort Update 2006-001 which the company says in its notes “improves AirPort reliability on Macintosh computers.”

Installation note:
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either AirPort Update 2006-001 or Security Update 2006-005.

For reference if installing from a manually-downloaded package:

AirPort Update 2006-001 will install on the following systems:
• Mac OS X v10.4.7 Builds 8J2135 or 8J2135a

Security Update 2006-005 will install on the following systems:
• Mac OS X v10.3.9
• Mac OS X Server v10.3.9
• Mac OS X v10.4.7 Builds 8J135, 8K1079, 8K1106, 8K1123, or 8K1124
• Mac OS X Server v10.4.7 Builds 8J135, 8K1079, 8K1106, 8K1123, or 8K1124

For Mac OS X 10.3.9 and Mac OS X Server 10.3.9 systems, if Software Update does not display Security Update 2006-005, the following updates need to be installed:
AirPort 4.2
AirPort Extreme Driver Update 2005-001

AirPort Update 2006-001 and Security Update 2006-005

AirPort
CVE-ID: CVE-2006-3507

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Attackers on the wireless network may cause arbitrary code execution

Description: Two separate stack buffer overflows exist in the AirPort wireless driver’s handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges. This issue affects Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected. There is no known exploit for this issue. This update addresses the issues by performing additional validation of wireless frames.

AirPort
CVE-ID: CVE-2006-3508

Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Attackers on the wireless network may cause system crashes, privilege elevation, or arbitrary code execution

Description: A heap buffer overflow exists in the AirPort wireless driver’s handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issue by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.

AirPort
CVE-ID: CVE-2006-3509

Available for: Mac OS X v10.4.7, Mac OS X Server v10.4.7

Impact: Depending upon third-party wireless software in use, attackers on the wireless network may cause crashes or arbitrary code execution

Description: An integer overflow exists in the Airport wireless driver’s API for third-party wireless software. This could lead to a buffer overflow in such applications dependent upon API usage. No applications are known to be affected at this time. If an application is affected, then an attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into the wireless network. This may cause crashes or lead to arbitrary code execution with the privileges of the user running the application. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issues by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.

Additional info here.

AirPort Update 2006-001 and Security Update 2006-005 are available via Software Update and also as standalone installers (1.3MB) here.

Related MacDailyNews articles:
Apple: Airport fixes issues found via internal audit, not from SecureWorks – September 21, 2006
SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’ – August 18, 2006
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006
Hijacking an Apple Macbook in 60 seconds video posted online – August 03, 2006
Hijacking an Apple Macbook in 60 seconds – August 02, 2006

26 Comments

  1. Face, you are so right. It really does. I can’t wait to get home and spend my time using my Mac, instead of spending my time keeping it running like I do all day here at work keeping 10 networked PC’s from Wormploading.

    I’ll just get home, do another occaisonal Apple update, knowing they’re plugging the rare exploits that do come up BEFORE my Mac’s get hijakced like my PC’s do, have it go quick and seamlessly and get back to fun with my Macs and then it’ll be back to trouble shooting the PC’s in the morning.

  2. face said : “gosh, I am stuck on a windows machine at work right now and it SUCKS. I can’t stand these things.”

    ====

    i say, “gosh, I am stuck on a windows machine at work right now and it SUCKS. I can’t stand these things.”…I have less than 30 minutes left, before I head home to my Macbook!

  3. Just a little story I thought I’d share with ya’ll.
    I recently reinstalled my system(10.4 on a 1.5GHz pb) as some program that was supposed to clean up language files cleaned a bit too well.
    Anyhow, my airport extreme was set to wpa2 personal locked to my MAC address. After installing 10.4 I’m stuck with the situation that wpa2 support is included in an update to 10.4 and isn’t available on a freshly installed system, hence i can not connect to my airport and i can not go online and update manually as i have registered the MAC adress of the router with my isp. had to reset the router and do the setup all over again, major pain! Now i have all the updates on my linuxserver just in case ” width=”19″ height=”19″ alt=”smile” style=”border:0;” />

  4. The exploit the update describes is exactly the same thing the “hijacked MacBook” guys were claiming. Saying that Apple was leaning on them to not release more info doesn’t automatically make them liars. Looks like they just got validated. Shame on all who tore them a new one.

  5. Don., stop spreading the FUD! From the advisory itself:

    Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way.

    “They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,” Apple spokesman, Anuj Nayar, told Macworld. “Today’s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.”

    MDN, you guys need to update the main article with this very important piece of information! This is serious, because the FUD pushers are going to go crazy like a cat on catnip on this one thinking they’re “right” when it actually confirms once again that SecureWorks provided absolutely zilch to Apple on the wireless security issue.

  6. Hate to say I told you so

    but does this AirPort/security update have anything to do with the “hijacked MacBook” at the Black Hat conference?

    Yes it does.

    http://news.com.com/2100-1002_3-6118245.html?part=rss&tag=6118245&subj=news

    Apple should be doing more testing of it’s software, they are not out of the woods quite yet.

    The new iTunes 7 for instance, the boyz are having fun with that right now. Still can’t get root access though, except through another program that does.

    I wish Apple would employ more compartmentalized security.

    Does one password and key card get you access to the entire Pentagon? Of course not.

    Here’s some good info

    http://www.macgeekery.com/tips/security/basic_mac_os_x_security

    Guess John Gruber owes those Black Hat hackers a apology.

  7. Wrong!

    Stop trying to obfuscate the issue. Apple, once again, explicitly has said that SecureWorks failed to provide any information on their so-called exploit.

    Apple, however, was concerned enough to initiate an internal audit and discovered 3 vulnerabilities not related to the one the SecureWorks claimed it found.

    It’s like SecureWorks claimed it can break into a house because it found one of the windows unlocked. Apple (the homeowner) checks all the windows and finds their are locked, but in the process discovered the lock on the back door is broken. Is that so hard to understand?

    Apparently, for SecureWorks fanboys who think no information = proof, it apparently is. John Gruber owes nobody anything, especially since this proves that SecureWorks is still not acting like a security company should.

  8. From the very News.com article that l33th@xx0z hasn’t read himself:

    “In a statement released after Black Hat in August, Apple critiqued SecureWorks for saying Macs were insecure. “Despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is,” a company representative said at the time.

    But Apple’s security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, the representative said.”

    Also, it should be noted that John Gruber never claimed Apple’s wireless protocols were invulnerable. What John Gruber showed was SecureWorks’ claim was full of BS. It apparently strains the nerve cell of SecureWorks fanboys to see the difference between these two statements, but the two are very different things.

    Ironically, the only people claiming Apple’s security is invulnerable are SecureWorks fanboys, who need to invent the claim in order to “prove Apple wrong.” Hello! Apple never claimed – ever – that its security was foolproof, just that SecureWorks was full of BS.

    To date, SecureWorks still has been unable to specify the vulnerability. Meanwhile, in the time that SecureWorks has been “suppressed by Apple legal,” Apple somehow manages to find 3 unrelated vulnerabilities on its own and patches them.

    Yeah, SecureWorks: “We can’t even demonstrate our own security finds!”

  9. Guess John Gruber owes those Black Hat hackers a apology.

    Gruber owes the hackers precisely jack s–t. The hackers are lying sacks of crap and Apple’s internal audit changes that not one bit. Oh, and if the hackers disagree with me, they are always free to take Gruber up on his challenge and prove him wrong.

  10. Dear NewType and LordRobin,

    What we have here is a classic case of misinformation.

    Fact is Apple DID issue a security update that DOES FIX wireless exploit(s) in Apple hardware/software.

    What do you think a “black hat” is anyway? Be glad they wanted to piss you off or nobody would have known.

    Have either of you worked for Apple security channels? Then you’ll know they want YOU to find the bugs.

    Apple is notoriously lazy when it comes to checking their code.

    For instance the launchd exploit, a malformed line of code that left all 10.4-10.4.6 Mac’s completely vunerable. Could have been easily caught if code checking software was used before release.

    Here again is a update for wireless software, because APPLE DID A INTERNAL AUDIT.

    Now why didn’t Apple do this BEFORE RELEASING THE CODE?

    SecureWorks did the right thing, they forced Apple to do their own work..

    Kudo’s to SecureWorks!!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.