One of my readers who is a customer of Gateway computers sent me this interesting exchange with Gateway tech support about the recent critical Broadcom Driver flaw. We'll refer to our reader as "Kausik" and I've masked out some information for privacy reasons.
[Kausik writes to Gateway]
Issue Description One: It has long been in the news that a critical flaw in the Broadcom Wireless driver could allow a wi-fi hijack (more information here and here). The affected Broadcom driver runs networking hardware on Microsoft Windows-based computers sold by Hewlett-Packard, Dell, Gateway, eMachines and others. HP has reportedly already issued a patched driver to its customers. I would like to know why such a patch is not forthcoming yet from Gateway. Does Gateway not care for its customers?
[Gateway tech support]
Thank you for your e-mail. Regarding your concern on the Broadcom Wireless driver that could allow a Wi-Fi hijack, I would like to inform you that there are currently no known issues or documented history on this computer. (emphasis mine) Gateway would like to thank you for bringing this matter to our attention. Rest assured that I would be noting this in my documentation to serve as a reference in the near future should an issue related as such occur. Your opinions and comments are very important, as they assist us in constantly improving our service performance and product quality. I hope that the information provided is relevant to your concern.
[Kausik writes to Gateway]
Dear Bryant, (Gateway support person),
Thank you for your reply. I am afraid I have to disagree with you strongly, and request that this issue be immediately notified to your supervisor or someone responsible in tech support. The vulnerability issue with the Broadcom wireless driver is very real, and someone qualified to understand the issue can check it out at the websites I had mentioned before, in my first support request (namely, at ZDNet news, here and the Month of Kernel Bugs project website here).
Bryant, you must be a wonderful person and I have nothing against you personally, but from your blanket response, it is clear that you do not have the necessary expertise to deal with this issue. Therefore, it is my polite request to have this issue escalated forthwith. I have always had very nice interaction with Gateway, and I make this request on the strength of that.
HP has already provided a patch for the driver for their customers, and so has Dell. For other systems including Gateway, a temporary workaround is available using a patched Linksys driver and Symantec has recommended it, but that is not the permanent solution. The Linksys driver causes Machine Check Exception BSOD issues on Gateway systems.
Bryant, it may be that you have no idea what I am talking about, but there will probably be people who would understand the seriousness of this issue. May I request you (or your replacement representative) to kindly forward this issue to appropriate quarters? The sooner it is done, the better it is, because right now Gateway customers are feeling very left out and let down by their favorite computer brand. I hope someone will see reason.
[Gateway tech support]
I apologize for any misunderstanding. I have already forwarded your issue to our proper channels upon receipt of your first email. Rest assured that our specialists in the same field are currently researching this issue.
However, the patch you are asking may require some time, as it will undergo several levels of testing. To allow Gateway to ensure customer satisfaction, updates are not posted on the website until they have been through rigorous testing to ensure the update is compatible and will not cause any instabilities with the system.
If you wish to check the possible resolution to this problem, I recommend that you email us back from time to time regarding this issue and I will be glad to share the results with you if it is already made available.
I understand how important this issue can be and I am glad of your eagerness to resolve this problem.
... (more of blah)
This is truly a sad state of affairs in the hardware world, which seems to be in a state of denial about the critical nature of device driver flaws. So far, HP is the only vendor to put out a Windows Certified patch on Windows Update that people can easily install. My only gripe with HP is that they didn't put out a security advisory so that their customers would know that they have to apply that patch, since it isn't considered a "critical update" that gets automatically pushed out. Even so, HP is head and shoulders above everyone else.
Linksys came out second with an unsigned driver that has to be manually installed, which is a bloated 13.5 MB when the driver itself compresses to half a megabyte. You can forget about Windows Update with Linksys. Dell came out a week later with their own mega-bloated driver, weighing in at 52 MB with a bunch of stuff you don't need or want when the driver itself is only 500 KB compressed. Dell at least noted that this patch was "urgent" on their download page, while Linksys made no mention of the critical nature of this patch. As with Linksys, you can forget about Windows Update with the Dell Broadcom adapters.
Gateway of course responded "what issue" when asked by our friend Kausik but later responded that they're still working on it. All the other vendors who use Broadcom are nowhere to be seen on this issue. Until customers start revolting and start demanding that their hardware vendors take these issues seriously, this kind of reckless response on critical driver flaws will be the norm. If you have a vulnerable Broadcom chipset (determined by the existence of BCMWL5.SYS before version 220.127.116.11), contact your hardware vendor and feel free to contact me and tell me your experiences if they give you the runaround. I'd be happy to shame them in public for you.
Broadcom provided the fix for the reference drivers nearly 2 months ago in October; there is no excuse for the lack of a patch in late November. What really irks me is that the vendors have refused to permit Broadcom to distribute reference drivers, and Broadcom is forced to honor their customer requests since they don't sell directly to the public.