Apple Airport 802.11 Exploit Published and the Value of HD Moore

from hd moore at metasploit, the apple airport 802.11 exploit, which has just appeared on the month of kernel bugs site:

apple airport 802.11 probe response kernel memory corruption

“the apple airport driver provided with orinoco-based airport cards (1999-2003 powerbooks, imacs) is vulnerable to a remote memory corruption flaw. when the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. this vulnerability is triggered when a probe response frame is received that does not contain valid information element (ie) fields after the fixed-length header. the data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.”
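the class of bug described above is a driver trusting the information element (ie) bytes that follow the fixed-length header of a probe response. as an added example (not part of the original post, the advisory, or apple's driver), this is the bounds check a receiver should perform before copying anything: walk the ie type/length/value list and reject the frame when a length claims more bytes than the frame holds. the 12-byte fixed header (timestamp, beacon interval, capability) and the two sample frames are constructed here, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>

/* Fixed-length fields at the start of an 802.11 probe response body:
 * timestamp (8) + beacon interval (2) + capability info (2). */
#define PROBE_RESP_FIXED_LEN 12

/* Validate the IE list that follows the fixed header.
 * Returns the number of well-formed IEs, or -1 if the body is malformed
 * (header truncated, an IE header cut off, or an IE length that overruns
 * the frame).  Nothing is copied until this returns >= 0. */
int validate_probe_response_ies(const uint8_t *body, size_t len)
{
    if (body == NULL || len < PROBE_RESP_FIXED_LEN)
        return -1;                          /* no room for the fixed header */

    size_t off = PROBE_RESP_FIXED_LEN;
    int count = 0;
    while (off < len) {
        if (len - off < 2)                  /* need at least id + length */
            return -1;
        uint8_t ie_len = body[off + 1];
        if (ie_len > len - off - 2)         /* length claims bytes not present */
            return -1;
        off += 2 + ie_len;                  /* skip id, length, value */
        count++;
    }
    return count;
}

/* Constructed sample bodies (hypothetical, not captured frames). */
static const uint8_t good_frame[] = {
    0,0,0,0,0,0,0,0,  0x64,0x00,  0x01,0x04, /* fixed header */
    0x00, 0x04, 'l','a','b','1',             /* SSID IE, 4 bytes */
    0x01, 0x02, 0x82, 0x84                   /* Supported Rates IE, 2 bytes */
};
static const uint8_t bad_frame[] = {
    0,0,0,0,0,0,0,0,  0x64,0x00,  0x01,0x04, /* fixed header */
    0x00, 0x20, 'x','x'                      /* SSID IE claims 32 bytes, only 2 follow */
};
```

a body with zero ies returns 0 rather than -1; a driver in scanning mode would normally also require at least an ssid ie before acting on the response.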

this is going to be an interesting “month of kernel bugs”.

some folks attack hd moore over releasing exploit code. they attack securiteam and milw0rm over publishing exploit code.

honestly? for all the harm hd supposedly causes according to others, he simply shows the world what is going on all the time, and he helps far more than he harms. by making exploit code public sooner rather than later (it always comes out), he helps (yes, he does) some kiddies write worms and bots, which in turn infect people.
at the same time, he actively protects the rest of us against the numerous other hds out there who are not white hat, and who attack us with more than just a mass/popular technique.

he lets us know we are at risk (the vulnerability is there whether it is public or not) and allows us to plan defenses and patch our systems.

the popularized techniques which swarm the internet will always exploit people, and the same ones at that.

in short, it may be easy for analysts to attack hd moore or securiteam for releasing exploit code, but in fact, what he does is protect us all and he should be appreciated. 0days exist, are being exploited in the wild and as things stand we have close to no protection against them (that counts) until we are aware of them.

thank you hd.

gadi evron,
ge@beyondsecurity.com.

  • http://www.xyberpix.com xyberpix

    Hear, hear!!!

  • http://www.gartner.com/DisplayDocument?doc_cd=144225 Neil MacDonald

    Security vulnerabilities aren’t treated any differently if there is an exploit around.

  • http://www.BeyondSecurity.com Aviram

    Neil, what makes you say that?
    Microsoft (and most other vendors) treat vulnerabilities with exploit code “in the wild” (= exploit code released on one of the known web sites) as more critical, and they will usually note this in their advisories.

    Specifically, out-of-cycle patches by Microsoft were only released to date when a public exploit code was widely available.

  • http://security.eweek.com Larry Seltzer

    The term “proof of concept” is not for nothing. Often it’s not clear whether a vulnerability can be exploited, and therefore the exploit clearly makes it more serious.