
macrumors bot
Original poster


According to Macworld, Apple and SecureWorks have begun working together, almost two months after two SecureWorks researchers demonstrated a third party wireless driver exploit in Mac OS X at the Black Hat security conference.

"SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues," SecureWorks said in a statement provided to Macworld. "We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate."

Last week, Apple issued Security Update 2006-005 which addressed three security issues related to AirPort. Two of the updates dealt with built-in AirPort driver vulnerabilities that, when attacked, could allow privilege escalation, arbitrary code execution, or system crashes. The third update dealt with a third party driver vulnerability that could cause similar symptoms, but as no known exploit was mentioned for any of the vulnerabilities, it is doubtful that the update addressed the SecureWorks researchers' findings.

 
Were those the guys who claimed that they found a vulnerability...but it turned out they could only hack in using third party hardware connected to the mac that had its own vulnerability?
 
After I installed this update on my PowerBook G4 and my PowerMac Dual G4, both systems locked up within 24 hours, and they haven't done that in several months. My recommendation is to wait and see if a fix for this patch comes out that makes the code more stable.
 
I'd prefer to see security problems reported privately to Apple before they are generally known, but it's very hard to tell if Apple promptly fixes problems that they find are serious.

There are multiple reasons that many (all?) of these "vulnerability" discoveries eventually go public and why news of them spreads around:

1. People who find them want credit for finding them.

2. People who find them may be genuinely concerned that the software vendor won't fix the problem unless there is public pressure to do so.

3. Some feel that the public has a "need to know" that outweighs concerns that reporting a problem will encourage exploits of it.

4. People who find security problems may be trying to sell a security product to fix what they report.

5. It's often unclear when an exploit is theoretical only, when it is of real concern, how widespread its effect might be, or if the danger is being misrepresented. For example, if a website has posted a bad-intentioned application and people download it, ignore warnings or signs of trouble, and invoke it anyway, some may call it a "security hole."

6. Some people enjoy passing around news of potential problems because they don't like the "bulletproof" image many ascribe to Mac OS X.

7. News and rumors sites, including MacRumors, report when security issues are being publicized by others.

8. Some people pass along security warnings, whether or not they are of real concern, because they don't understand them.
 
Doctor Q said:
1. People who find them want credit for finding them.

If you read the details of every security update, Apple lists the security holes plugged and ALWAYS credits whoever discovered the problem if it was discovered by a third party.

The recent AirPort security fixes did not credit SecureWorks since the fixes were a result of an internal review by Apple. I don't believe a word SecureWorks says (since they faked the vulnerability just to be anti-Mac zealots) and won't change that point of view unless I see a credit on a security update.
 
termite said:
If you read the details of every security update, Apple lists the security holes plugged and ALWAYS credits whoever discovered the problem if it was discovered by a third party.

The recent AirPort security fixes did not credit SecureWorks since the fixes were a result of an internal review by Apple. I don't believe a word SecureWorks says (since they faked the vulnerability just to be anti-Mac zealots) and won't change that point of view unless I see a credit on a security update.
Most likely they didn't submit a bug report to Apple, but went public with it first... for fame and glory. Apple read their "report", and preemptively audited the drivers themselves. Hence, Apple's fix might very well be to address the same issue(s), but SecureWorks didn't care to follow the rules for bug submission and weren't credited for the discovery. My guess is Apple Legal slapped them for potential libel, and gave them a swift "gag order" until they could complete their own investigation.

Fark 'em if they can't take a joke... but my guess is that the actual issue did exist and the exploit was real, and it probably did affect native drivers as well as 3rd party. By making it public, SecureWorks set themselves up as liable for damages, which could have been in the $billions. The broadcast demo used a 3rd party wireless card in an effort to skirt the issue (ie Apple Legal).
 
realtime said:
Most likely they didn't submit a bug report to Apple, but went public with it first... for fame and glory. Hence, Apple's fix might very well be to address the same issue they discovered, but SecureWorks didn't care to follow the rules for bug submission, so they weren't credited for the discovery.

I think the real question in everyone's mind was how it was reported as "Hijack a Macbook in 60 seconds"

I also question the reporters behind it ... trying to pick fights by not even providing general information.

Had they not done the little video and then gotten George Ou (a goon) to follow up reporting ... I doubt there would have been so much drama.
 
speakerwizard said:
but i thought they faked it


Seriously. I don't get this. I thought that they were only able to do this "exploit" with a 3RD PARTY wireless adapter, with the Apple notebook's own BUILT IN wireless shut off!

Am I wrong?

And why the hell would anyone turn off their MB/MB Pro's wireless card to use some 3rd party one? Makes no sense to me. :confused:
 
Explanation?

Can someone explain why everyone is saying that they were lying about the airport vulnerabilities? And what does this company do?
 
I agree with poster "realtime".

It is consistent with Macworld ( a reputable source) reporting Apple is now working with them.

It also makes sense to use geeks to reduce the time to address the actual holes specific to Apple drivers as this is a really arcane area.

And important too, as wireless 802.11 (a, b, g, n) is becoming pervasive.

I ask again. How much did Apple pay them, if any?

Isn't that in a 10Q or something? It relates to financial performance since it avoids a lawsuit.

Rocketman
 
Corrosive vinyl said:
Can someone explain why everyone is saying that they were lying about the airport vulnerabilities? And what does this company do?

They used a non-Apple wireless card to demonstrate and disclose the exploit (using a methodology they refused to disclose), and some say that was not applicable to Apple hardware as a result. Others say it was applicable to Apple as well but the disclosure was made with third party hardware to avoid a lawsuit from Apple.

Rocketman
 
kf4wvk said:
After I installed this update on my PowerBook G4 and my PowerMac Dual G4, both systems locked up within 24 hours, and they haven't done that in several months. My recommendation is to wait and see if a fix for this patch comes out that makes the code more stable.

So what if they're locked up, they're obviously more secure that way. :)
It's just a little inconvenience... :)
 
termite said:

Wow, that has to be the most sensationalist headline where the actual article itself provides no proof whatsoever. That source isn't news, it's just one indignant Mac user. The reason for using two network cards was that it's somewhat related to timing. It just makes it easier to show that it's possible if you use two cards. The vulnerability was present on all platforms (Windows, OS X, Linux, dunno about the other BSDs), and Intel had already patched the problem on the other drivers.
 
If you've the time to kill, http://www.daringfireball.net has a very verbose set of articles on the subject, but basically it comes down to SecureWorks saying there's an exploit, loads of Windows drones saying 'HaHa' and everyone else saying, 'OK, if there's an exploit, show us your data'.

If SecureWorks were professional, they'd have shown Apple, Atheros, Broadcom, Intel et al. before announcing an exploit. Despite months of asking, it seems they still haven't, so Apple audited their code themselves without SecureWorks' input.

JonJ said:
Wow, that has to be the most sensationalist headline where the actual article itself provides no proof whatsoever. That source isn't news, it's just one indignant Mac user. The reason for using two network cards was that it's somewhat related to timing. It just makes it easier to show that it's possible if you use two cards. The vulnerability was present on all platforms (Windows, OS X, Linux, dunno about the other BSDs), and Intel had already patched the problem on the other drivers.

As I understand the hack, you need two cards to flood the drivers with enough packets. The exploit doesn't work with just one card. So for most people the exploit is pointless.
 
it's a timing issue

aegisdesign said:
If you've the time to kill, http://www.daringfireball.net has a very verbose set of articles on the subject ...

As I understand the hack, you need two cards to flood the drivers with enough packets. The exploit doesn't work with just one card. So for most people the exploit is pointless.

Actually, the Brian Krebs Watch (http://briankrebswatch.blogspot.com/) has a good set of links to a variety of sites with different attitudes and takes on the issue. I strongly advise looking them over if you are interested.

Also, as to the original hack.

Maynor stated in the video that he was using the third party card to avoid exposing the built-in card's manufacturer. Which is a crock, because the name of that manufacturer is publicly known, so that was no protection.

He did NOT state in that video that he was using both cards. Ellch later stated on another blog that they had to use two cards, one to create the original connection to allow code to be dropped for a call back, and the other one was used in the demo to speed up the demo, because the hack crashed the first card. Using the second for the callback allowed them to make the demo look better.

That is the main reason so many folks in the Mac world object to the demo. Not only did they rig the MacBook with a second card (just to make the demo look better), but they didn't tell us in the demo that was part of the methodology. Plus, there has been speculation that they may even have created their own drivers to enable the hack. It is known that they certainly couldn't use the same code for attacking just any machine. Ellch admitted in his blog entries that they had to create different code for each brand of card.

Not exactly a field grade hack, now is it? However, it does demonstrate a class of vulnerabilities in the wireless world, which was supposed to be their point.

But the way they seemed to focus on the Mac platform (especially with their ill-advised comment about cigarette butts and Mac users' eyes) muddied the waters, especially after Maynor alleged in a later interview with the Washington Post blogger Brian Krebs that the native drivers in the MacBook were vulnerable to the same hack.

So now it stands that nobody knows where the fix stands.

SecureWorks has admitted that the demo was not about the native drivers, Apple says that neither SecureWorks nor Maynor & Ellch (M&E) have provided them with evidence of the vulnerability in Mac drivers, and now neither M nor E is allowed to talk about it at all.

Many of us that have been following the story on the blogs have readily admitted that the native drivers are probably affected, but M&E never provided any code to Apple to prove their point. But this new collaboration seems to underline the possibility that not only are they vulnerable, but that SecureWorks now has provided Apple with enough proof that they are willing to work with SecureWorks to fix it.

Did SecureWorks find evidence that M&E were holding back for ToorCon that should have been provided to Apple weeks before? And then provided that evidence to Apple separately from M&E in order to get Apple to work with them?

Could that be why M&E were prevented from giving their talk?

:confused:
 