Zero-day exploit released for unpatched Apple Airport Driver!
The MoKB (Month of Kernel Bugs) has started and a zero-day kernel-level exploit for an unpatched Apple Airport Driver has been released to the public with a full proof-of-concept. The flaw was found by HD Moore of the Metasploit project and it will be rolled in to the Metasploit 3.0 project which is a powerful penetration testing suite
The explanation given to me by members of the research community for this sudden disclosure was that these exploits are always "imaginary" to Apple and there are no exploits for the Mac. This is compounded by the fact that the Apple community has insisted that anyone talking about an Apple exploit without releasing proof of the exploit must be frauds. The Kernel Fun blog which released this exploit is related to the MoKB also cited a blog I wrote about Apple refusing to give credit to security researchers where Apple admitted they got the information that prompted an internal audit leading to a patch but refuses to give any credit to the researchers. Brian Krebs who broke that original MacBook hack story from Black Hat also has additional coverage of this this latest exploit. Krebs also posted a transcript of some questions he had for HD Moore.
Brian Krebs writes:
The vulnerability is the first in a series of daily bug details to be released over the next 29 days as part of the "Month of Kernel Bugs" project. LMH said we can expect at least five more Apple kernel bugs to be detailed in the coming days, as well as kernel flaws in Linux, BSD, and Solaris 10 systems.
[UPDATE 3:30PM, reader "V-Train" points out that only some PowerPCs are affected so I've fixed this paragraph] According to Brian Krebs, Apple's Lynn Fox told him that "We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs." But the flaw affects all "Airport enabled Macs" which are the PowerPC based Macs that comprise roughly half of the Mac market. The "AirPort Extreme enabled Macs" are used in the newer Intel and PowerPC based Macs. But with potentially five more Apple kernel bugs coming out this month, the newer Macs may not be spared either.
This is only the beginning shot for the Month of Kernel Bugs and this Airport exploit may only be the tip of the iceberg for Apple. Apple may not be the only company affected and there will be more disclosures to come.
[Update 2:20 PM]
John Gruber has already begun spinning the news of this latest Apple flaw stating that it only affected older Macs and that "the published exploit only works when the card is in active scanning mode, so even if you have a vulnerable machine, you won’t be vulnerable in normal use."
The problem is that Gruber does not realize how easy it is to force any wireless client in to active scanning mode. There are common wireless hacking tools that can easily kick any client off of their access point and force them to search for access points which is "active scanning mode". This means the attack can be launched at will at any time.