
11/30/2006
07:50 AM

Month of Kernel Bugs Ends in Controversy

The MOKB forced several vendors to patch their wireless drivers, but it concluded today with a debate over the validity of a Mac OS X flaw

The Month of Kernel Bugs (MOKB) project went out with a bang today in more ways than one. (See Kernel Bugs Come Marchin' In.)

After releasing a kernel-related bug per day throughout the month of November, researchers today scrapped plans for a memory corruption bug in the Apple Airport Extreme wireless card firmware that affects Intel-based Macintosh machines, after determining the issue required further research.

Meanwhile, controversy erupted at the eleventh hour over another Apple bug. A Macintosh software developer disputed a critical Apple OS X DMG vulnerability reported by MOKB leader LMH on November 20 that purportedly lets an attacker take over a machine via a Safari browser.

The developer contends that the OS X DMG bug isn't a serious memory-corruption flaw, as the MOKB reported, but is a more benign flaw that basically crashes the system. "It's the boy who cried wolf story all over again, really," says Alastair Houghton, who independently researched the vulnerability. "As for the bug, it's still a significant bug. But probably not a shout-it-from-the-treetops security exploit. The worst a remote attacker could do is, by getting a user to click on a link to a disk image file, cause their machine to 'kernel panic.'

"A user is unlikely to get tricked into doing that more than once, and there is, it seems, little benefit to the attacker from doing that," Houghton says.

Kernel panic, akin to Windows' "blue screen of death," is not as dangerous as a memory-corruption bug, which can allow an attacker with knowledge of a machine's memory layout to execute arbitrary code in the kernel and gain total control over the machine, Houghton says.

But LMH maintains that he said the code execution was a "potential" risk with the vulnerability. "I never said there was code execution right away, but a potential risk, and that risk also exists in others [bugs] that didn't make it to the MOKB schedule, and there will be a risk until DMG-handling is fixed in order to validate the data being read from the DMG disk image."

The researchers have traded barbs in blog posts and disagree on several technical issues surrounding the flaw, including what constitutes a real vulnerability and what does not. No one budged. Houghton argued in one post that LMH's analysis was "flawed" and his conclusions "wrong," and LMH challenged Houghton on several technical points.

Despite the brouhaha over the OS X DMG bug, the MOKB is credited with drawing much-needed attention to wireless driver flaws. The MOKB effort prodded several wireless card vendors to respond with patches to their products this month. MOKB, which borrowed its theme from the Month of Browser Bugs (MOBB) run in July by renowned researcher HD Moore, ran a kernel bug per day through November. Aside from Mac OS X, vulnerabilities were posted for Sun Solaris, FreeBSD, NetBSD, Windows, and GNU/Linux.

"[MOKB] did have an impact, and some vendors have been taking care of patching and contacting me and whoever was related to the initiative for feedback and so on," LMH says.

The wireless driver bugs, many of which were found by researchers Moore, Errata Security CTO David Maynor, and researcher Jon Ellch (a.k.a. johnny cache), got the vendors hopping. D-Link and NetGear, for instance, released their first security patches immediately after the MOKB reported bugs in their systems, Moore notes. "On the wireless side, [the MOKB] was a complete success," Moore says. "Microsoft commented about the Windows one, Apple fixed the WiFi one in record time, and D-Link and NetGear actually responded to the issue."

With regard to the newest Apple bug, which LMH says appears to be a heap corruption issue in the memory, he says he will await Apple's update. "Until Apple releases an update and we verify the issue, I can't release further details. I believe it's better to coordinate disclosure when it's really necessary."

LMH says he's confident he properly verified the MOKB bugs during the month, although he admits there's always room for error. "I had to debug, verify, document, and test once and again each one of the issues and it was a tedious task, prone to errors -- quite probably I did make a mistake somewhere else, but I'm certainly confident about the final results."

So with the new controversy over the Apple MOKB bug and the recent cancellation of the Week of Oracle Database Browser Bugs, could this be the end of the Month of Bugs model?

Not a chance. LMH says he may launch another month of daily bugs, this time for a single vendor.

And other researchers have projects in the pipeline. "A few people have emailed and said they were working on their own, but it's anyone's guess how many of these will actually go through," researcher Moore says.

Moore may launch another one of his own next year, possibly on Apple or wireless bugs, he says. Or he might execute one via his employer, BreakingPoint Systems. "I might do something similar with BreakingPoint -- a new, strange hardware bug every week or something."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
