Apple fixes Mac Wi-Fi flaw
The Mac OS X Wi-Fi flaw Apple fixed on 24 Jan was first disclosed as part of the Month of Kernel Bugs in November. Attackers could exploit it to crash the targeted system.
In his original advisory from the Month of Kernel Bugs, LMH said Apple's Airport Extreme driver fails to handle certain beacon frames, leading to out-of-bounds memory access and resulting in a so-called kernel panic.
Apple said in its 305031 advisory,"An attacker in local proximity may be able to trigger a system crash by sending a maliciously-crafted frame to an affected system."
The problem affects the Core Duo version of Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Other systems, including the Core 2 Duo versions are not affected. Apple said its security update addresses the issue by performing additional validation of wireless frames.
LMH is now engaged in a Month of Apple Bugs project. His two "Month-of" projects were inspired by the Month of Browser Bugs project launched by Metasploit Framework creator H.D. Moore in July.
In a recent interview conducted by email, LMH explained his motivation to disclose flaws in this manner.
"It's better to have someone disclosing your security flaws than having them known by the bad guys only," he responded. "This pushes the vendor to change its procedures and policies for vulnerability handling and disclosure. And that's where users benefit."
However, some security experts have criticized such disclosure projects as something designed more for press attention than better security.
