Apple released an update on Thursday to fix three critical flaws in its Airport wireless drivers that could allow attackers to remotely take control of a desktop or laptop Mac OS X system.
The Mac maker could not immediately be reached for comment, but in a statement published in media reports, denied that any of the flaws matched the one allegedly found by two security researchers and demonstrated in a video presentation at the Black Hat Security Briefings in August. The researchers, David Maynor of SecureWorks and graduate student Jon Ellch, showed off ways of detecting specific wireless drivers using fingerprinting techniques and claimed that, through fuzzing, that at least four vulnerabilities in various drivers had been found. One of those vulnerabilities was in a wireless driver for the Mac OS X, the duo said.
In published statements, Apple denied the information about these particular vulnerabilities came from Maynor or Ellch.
"They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit," Apple spokesman, Anuj Nayar told Macworld. "Todays update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac."
Maynor's and Ellch's claims--paired with media reports that focused on their choice of an Apple MacBook as the target--resulted in condemnation from the Mac community, most of who voiced disbelieve of the researchers claims. Last month, one Mac user challenged Maynor and Ellch to show their exploit for the vulnerability they claimed was in the operating system. The two researchers did not take up the gauntlet.
CORRECTION: The article had included the wrong affiliation for Jon Ellch. As previously noted, he is a graduate student and security researcher.
Posted by: Robert Lemos