Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:50 AM
Connect Directly

Month of Kernel Bugs Ends in Controversy

The MOKB forced several vendors to patch their wireless drivers, but it concluded today with a debate over the validity of a Mac OS X flaw

The Month of Kernel Bugs (MOKB) project went out with a bang today in more ways than one. (See Kernel Bugs Come Marchin' In.)

After releasing a kernel-related bug per day throughout the month of November, researchers today scrapped plans for a memory corruption bug in the Apple Airport Extreme wireless card firmware that affects Intel-based Macintosh machines, after determining the issue required further research.

Meanwhile, controversy erupted at the eleventh hour over another Apple bug. A Macintosh software developer disputed a critical Apple OS X DMG vulnerability reported by MOKB leader LMH on November 20 that purportedly lets an attacker take over a machine via a Safari browser.

The developer contends that the OS X DMG bug isn't a serious memory-corruption flaw, as the MOKB reported, but is a more benign flaw that basically crashes the system. "It's the boy who cried wolf story all over again, really," says Alastair Houghton, who independently researched the vulnerability. "As for the bug, it's still a significant bug. But probably not a shout-it-from-the-treetops security exploit. The worst a remote attacker could do is, by getting a user to click on a link to a disk image file, cause their machine to 'kernel panic.'

"A user is unlikely to get tricked into doing that more than once, and there is, it seems, little benefit to the attacker from doing that," Houghton says.

Kernel panic, akin to Windows' "blue screen of death," is not as dangerous as a memory-corruption bug, which can allow an attacker with knowledge of a machine's memory layout to execute arbitrary code in the kernel and gain total control over the machine, Houghton says.

But LMH maintains that he said the code execution was a "potential" risk with the vulnerability. "I never said there was code execution right away, but a potential risk, and that risk also exists in others [bugs] that didn't make it to the MOKB schedule, and there will be a risk until DMG-handling is fixed in order to validate the data being read from the DMG disk image."

The researchers have traded barbs in blog posts and disagree on several technical issues surrounding the flaw, including what constitutes a real vulnerability and what does not. No one budged. Houghton argued in one post that LMH's analysis was "flawed" and his conclusions "wrong," and LMH challenged Houghton on several technical points.

Despite the brouhaha over the OS X DMG bug, the MOKB is credited with drawing much-needed attention to wireless driver flaws. The MOKB effort prodded several wireless card vendors to respond with patches to their products this month. MOKB, which borrowed its theme from the Month of Browser Bugs (MOBB) run in July by renowned researcher HD Moore, ran a kernel bug per day through November. Aside from Mac OS X, vulnerabilities were posted for Sun Solaris, FreeBSD, NetBSD, Windows, and GNU/Linux.

"[MOKB] did have an impact, and some vendors have been taking care of patching and contacting me and whoever was related to the initiative for feedback and so on," LMH says.

The wireless driver bugs, many of which were found by researchers Moore, Errata Security CTO David Maynor, and researcher Jon Ellch (a.k.a. johnny cache), got the vendors hopping. D-Link and NetGear, for instance, released their first security patches immediately after the MOKB reported bugs in their systems, Moore notes. "On the wireless side, [the MOKB] was a complete success," Moore says. "Microsoft commented about the Windows one, Apple fixed the WiFi one in record time, and D-Link and NetGear actually responded to the issue."

With regard to the newest Apple bug, which LMH says appears to be a heap corruption issue in the memory, he says he will await Apple's update. "Until Apple releases an update and we verify the issue, I can't release further details. I believe it's better to coordinate disclosure when it's really necessary."

LMH says he's confident he properly verified the MOKB bugs during the month, although he admits there's always room for error. "I had to debug, verify, document, and test once and again each one of the issues and it was a tedious task, prone to errors -- quite probably I did make a mistake somewhere else, but I'm certainly confident about the final results."

So with the new controversy over the Apple MOKB bug and the recent cancellation of the Week of Oracle Database Browser Bugs, could this be the end of the Month of Bugs model?

Not a chance. LMH says he may launch another month of daily bugs, this time for a single vendor.

And other researchers have projects in the pipeline. "A few people have emailed and said they were working on their own, but it's anyone's guess how many of these will actually go through," researcher Moore says.

Moore may launch another one of his own next year, possibly on Apple or wireless bugs, he says. Or he might execute one via his employer, BreakingPoint Systems. "I might do something similar with BreakingPoint -- a new, strange hardware bug every week or something."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.