Security flaw in some older AirPort cards 

CNET staff

Researchers have discovered, demonstrated and documented (though perhaps not responsibly) a security flaw that affects the old Apple AirPort driver provided with Orinoco-based AirPort cards (used in 1999-2003 PowerBooks, iMacs).

Again, this bug only affects regular AirPort (802.11b) cards, not the AirPort Extreme (802.11g) cards that have shipped in all equipped Macs since 2003. In addition, the bug requires that the vulnerable system be placed in active scanning mode -- usually through the use of a wireless sniffer like KisMac.

Active scanning mode has a number of disadvantages relative to passive scanning, including a more limited range and the ability to see fewer access points.

The "Month of Kernel Bugs" site reports:

"When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values."

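The class of check whose absence the quoted report describes, as an added illustration (not the AirPort driver's code and not part of the original article): each information element after the 12-byte fixed header is bounds-checked before anything is copied, and the destination is written only once the whole frame has validated. The `ap_info` structure, the function name and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIXED_LEN 12  /* timestamp (8) + beacon interval (2) + capability (2) */
#define IE_SSID   0
#define IE_DS     3   /* DS Parameter Set: one byte, the channel */
#define SSID_MAX  32
struct ap_info { uint8_t ssid[SSID_MAX]; uint8_t ssid_len, channel; int have_ssid; };

/* Parse a probe response body (the bytes after the 24-byte management header).
 * Returns 0 and fills *out only if every IE fits inside the frame. */
int parse_probe_response(const uint8_t *body, size_t len, struct ap_info *out)
{
    struct ap_info tmp;
    size_t off = FIXED_LEN;
    if (!body || !out || len < FIXED_LEN) return -1;
    memset(&tmp, 0, sizeof tmp);
    while (off < len) {
        if (len - off < 2) return -1;          /* no room for ID + length */
        uint8_t id = body[off], ie_len = body[off + 1];
        off += 2;
        if (ie_len > len - off) return -1;     /* IE claims more than the frame holds */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAX || tmp.have_ssid) return -1;
            memcpy(tmp.ssid, body + off, ie_len);
            tmp.ssid_len = ie_len;
            tmp.have_ssid = 1;
        } else if (id == IE_DS) {
            if (ie_len != 1) return -1;
            tmp.channel = body[off];
        }                                      /* other IEs: skipped, still bounds-checked */
        off += ie_len;
    }
    if (!tmp.have_ssid) return -1;             /* example policy: SSID IE is mandatory */
    *out = tmp;                                /* commit only after full validation */
    return 0;
}

/* Constructed sample bodies: 12 zeroed fixed bytes, then IEs. */
static const uint8_t good_body[]  = { 0,0,0,0,0,0,0,0, 0,0, 0,0, 0,3,'l','a','b', 3,1,6 };
static const uint8_t bad_body[]   = { 0,0,0,0,0,0,0,0, 0,0, 0,0, 0,40,'A','A' };
static const uint8_t no_ie_body[] = { 0,0,0,0,0,0,0,0, 0,0, 0,0 };

int main(void)
{
    struct ap_info ap;
    int g = parse_probe_response(good_body, sizeof good_body, &ap);
    int b = parse_probe_response(bad_body, sizeof bad_body, &ap);
    printf("good=%d oversized=%d no_ie=%d\n", g, b,
           parse_probe_response(no_ie_body, sizeof no_ie_body, &ap));
    return 0;
}
```
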