Apple's scariest bug this week: Your device pwned over Wi-Fi

The iMessage vulnerability got a lot of attention, but another bug allows for remote execution over Wi-Fi, which is a much bigger threat.
Written by Larry Seltzer, Contributor

Apple released new versions of several operating system products earlier this week, fixing vulnerabilities in OS X El Capitan and iOS 9 among others.

Because encryption and Apple are big news these days, most of the attention went to an admittedly interesting flaw in Apple's encryption for iMessage, reported by a research team led by well-known cryptographer Matthew Green. But the bug is not an easy one to exploit and doesn't even expose a lot.

There are much scarier vulnerabilities in this week's disclosures. Perhaps at the top of the list are CVE-2016-0801 and CVE-2016-0802, attributed to an anonymous researcher. Through this bug "[a]n attacker with a privileged network position may be able to execute arbitrary code."

In fact, the bug is in a Broadcom Wi-Fi driver as described on source.android.com in the fix it issued on February 1:

Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel. These vulnerabilities can be triggered when the attacker and the victim are associated with the same network. This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.

Now that's scary! You're on a Wi-Fi network, perhaps a public one but not necessarily, maybe even on a VPN, and any other user on that network can cause your computer to execute kernel-level code. It doesn't get much more vulnerable than that. Patch. Right. Now.

We wrote about the Android fix at the time. That means that for almost 7 weeks this bug was disclosed and still unpatched in iOS, OS X, tvOS and watchOS, not to mention who knows how many other companies' products. The Android disclosure comes with helpful links to the source code fixes, perhaps making things easier for attackers.

And remember, these bugs were disclosed by the Android Project along with fixes for Google's Nexus devices. What about other devices where the fixes are issued by carriers? I see no fixes since then for my AT&T Samsung Galaxy S4.

The best advice I can give you, as I would have given you anyway, is to patch quickly. If patches are not available, then cross your fingers. That's about all you can do.
