Sam Pierson wrote:

> First, one should assume that root-level tasks are likely, because the
> exploited software is running in the context of the *kernel*. Just
> because they moved some files around doesn't imply that other tasks
> aren't possible. If someone has an Apple document describing how
> device drivers don't operate in kernel space, I'd really like to read
> it. I don't see how the shell could be anything other than root.
>
> Also, I'm not convinced the above fix would help anything at all. The
> exploit lives in the device driver and happens as the driver reads the
> packet. As far as I know, those "preferred networks" live in higher
> layers (I'll let you know when I get to this part in OS X Internals).
> How can they decide to drop packets based on AP identification without
> first passing that packet through the driver? The device would have
> already been exploited just by reading the packet! What network
> you're on, in theory, has nothing to do with it.
>
> I wouldn't trust any source claiming to mitigate this threat without
> knowing that they've tested it against the original proof of
> concept... everything else is just theoretical.

Unfortunately, due to the method and manner this potential exploit was
revealed, there exists a dearth of empirical data to better understand
it.

Until Apple or other security researchers study this potential issue and
publish their findings and/or produce a fix, everything about this
potential issue is theoretical.

We can only suggest mitigation using general security practices, or pass
on any trusted information we have available.

Todd D. Woodward
Product Support Analyst
Security Response Researcher
Enterprise Macintosh Products
Symantec Corporation
Springfield, Oregon
www.symantec.com
-----------------------------------------------------
Office: 541-335-7441
Email: todd_woodward (at) symantec (dot) com [email concealed]
-----------------------------------------------------
Because innovation drives Symantec: We lead in ways that inspire
others.

[ reply ]