It's likely that Apple would be able to patch this quickly, as their September update covered a general category of malformed frames. The security team is probably now well aware of how to fix this kind of exploit. I'll guess we'll see an updated by Dec. 10 unless Apple deems this a much worse or much less severe problem than how it's being described now.

Security Update 2006-007 has six different versions, but the AirPort Card was only ever available for PowerPC computers--Mac models released between 1999 and 2002 could accept the card--but Intel-based Macs include fixes to other bugs and weaknesses in this package. The security update is available in client and server flavors to patch 10.3.9 and 10.4.8.

You can download the patches manually or simply use Software Update from the Apple menu to get the appropriate release for your system.

The approach as published works only with the AirPort Card, the internal 802.11b Wi-Fi adapter for Macs introduced in 1999, and used in all Mac models introduced until late 2002. Apple stopped selling the AirPort Card some time ago - much to the dismay of people whose adapter died on an otherwise usable computer. All Mac models introduced in 2003 and later sport a slot for AirPort Extreme (802.11g) networking; the AirPort Extreme Card slot is not compatible with the original AirPort Card.

Further, the developer of the attack notes that the exploit works best when a Mac has been placed into active scanning mode, which requires a command-line tool included with Mac OS X or the KisMAC utility. In a brief interview with Brian Krebs of The Washington Post's Security Fix blog, the exploit developer told Krebs that he found some vectors for breaking Macs with AirPort Cards that were in an idle, non-associated state, but hasn't produced results he wanted to discuss yet.

The exploit was published as a recipe for reproduction, more or less, so it's not embedded in a prefabricated application designed simply to crash computers, but it will be incorporated into the open-source Metasploit framework, which is a system to stress-test software and operating systems in an automated fashion using malformed packages of data and other techniques. (At this writing, the developers say it's part of Metasploit, but I don't see an item representing it in the list of modules.)

The Month of Kernel Bugs (MoKB) uses a small set of standard tools that stress test operating system kernels by generating massive amounts of arbitrary input - fuzzing - which can be associated with resulting errors on the attacked computer to figure out what input caused which exploitable errors or crashes. The project says they have five more Apple kernel bugs that will appear over the next 30 days. (No additional Apple bugs have appeared as of this writing.)

In a fairly irresponsible move, the MoKB coordinator said there will be no advance notice to the makers of affected systems in any systematic way prior to release of the exploit. Exploits that are released on the day the vulnerability is identified are called "zero-day exploits." In the security world, this is considered bad form, somewhere between taking a dump in a swimming pool and selling drugs to children. There's little reason to not provide advance information to affected parties unless you're trying to be clever, instead of smart.

The justification by the MoKB coordinator, identified only as LMH, is the tired old "Apple doesn't listen to security flaws and pretends it doesn't have any" argument. The industry soap opera that began in August, "To the Maynor Born: Cache and Crash," apparently has led many hobbyist and professional security researchers to decide that Apple systematically denies security flaws when they exist. In the case of that saga, it's fairly clear that only a handful of people have actually seen what was alleged to have been given to Apple, which means that relying on that case as an example of Apple ignoring security issues or misusing security researchers requires second- or even third-hand knowledge. (Apple told Krebs that they are investigating this latest AirPort flaw, which they learned about "recently.")

In comments to a post about this on LMH's Kernel Fun blog, he or she writes, "It's actually a matter of time to demonstrate that all the pro-Mac paranoia is just plain useless. Apple does good stuff indeed, but they obviously do [make] mistakes as everyone does." It's hilarious that anybody credible thinks that vocal Mac zealots represent the interests of the entire Mac community. A more realistic view by an experienced Mac user can be found as the second comment (by Dave Schroeder) on Ryan Russell's blog entry on this exploit.

May I state for the record as a regular reporter on Macintosh matters that I don't reflexively believe that Mac OS X is invulnerable? In fact, I have written regularly about flaws that are reported, and about the risk that we face as a community of users that lack immunity. While Apple has built its operating system on a strong foundation, that in no way precludes exploits that use vectors that weren't considered.

Your high-level takeaway? No Mac model that shipped beginning in 2003 nor older Macs without active scanning enabled are known to be vulnerable. The vulnerability requires a nearby user, too, or one with a high-gain antenna who can reach your computer. I'm guessing Apple patches this relatively quickly for Mac OS X 10.3 and 10.4 users, and that they'll be working overtime to stay on top of other MoKB announcements.

EAP methods allow a username and password or other credentials (such as a smart card swipe) to be passed through a wireless or wired gateway to a backend server that authenticates the validity of the credentials--that the password is valid or the smart card is authorized. Once that's approved, the user trying to gain access is given access. Before then, they're sort of shunted to the side in a way that only allows them to petition for access. This provides a pretty high level of security.

Unfortunately, EAP isn't secured, meaning that any of the data sent via EAP is passed in the clear. Various methods of secured EAP encrypt the authentication part, so that credentials aren't revealed to snoopers. The most widely used form of secured EAP is PEAPv0 (Protected EAP version 0), a method that's found in built-in software in Windows XP SP1 and later and in Mac OS X 10.3 and later. It's also available through free and commercial software for Windows, Linux, and handhelds.

Cisco has a document that describes EAP-FAST and its use, and its limitations.

The big news of the last few months has been the alleged security flaws uncovered by two researchers that would allow a network cracker to access a system running Mac OS X (along with some Wi-Fi adapters not yet identified used with Windows) by sending particular sets of data that would cause the AirPort driver to either crash the Mac, run some code it was sent, or allow a cracker access at a level that no one but a system administrator should have access.

There's dispute over whether the researchers provided information to Apple that led to Apple releasing patches last week that fix flaws that sound quite similar. The researchers have not directly stated publicly that they provided enough information to pinpoint the flaws; Apple says explicitly they did not. We'll leave that to whomever needs to figure out credit.

For detailed information on the history of this, you can read my coverage at Wi-Fi Networking News in the Security category.

For the purposes of this AirPort blog, I advise everyone running Mac OS X 10.3 (Panther) or 10.4 (Tiger) to use Software Update to install the appropriate AirPort patches immediately. These patches should make it currently impossible (to the best of Apple's ability to test) to use this entire category of attack to crash or hijack a Mac. Apple says no exploit code was found, but that these patches obviate any future exploitation of this kind.

The new version is a universal binary and supports Intel iMacs, but still lags in the code necessary for the slightly different Wi-Fi chips found in the MacBook Pro and Intel Mac minis. (The iMacs use chips from Broadcom, which hasn't open-sourced its driver code; the other machines use Atheros chips, which should do provide some details on accessing their lower-level functions.)

I expect this to change soon. The latest revision to Wi-Fi, the 802.11n standard working its way through a standards process, has already started appearing in early draft versions this month. 802.11n can boost the raw speed of Wi-Fi from the 54 Mbps of 802.11g (AirPort Extreme) and 802.11a to 600 Mbps in the most expensive version that has all optional elements included.

In the "slowest" version of 802.11n, expect a raw data rate of 150 Mbps and a net throughput of about 100 Mbps or better, nearly four times faster than plain 802.11g. Now Apple's AirPort Extreme and other manufacturers' enhanced versions of 802.11g can deliver rates of 30 to 50 Mbps depending on equipment and interoperability. The pioneer in multiple-in/multiple-out (MIMO) antenna systems, Airgo, has delivered chips that appear in Buffalo and NetGear equipment that already provide 100 Mbps or better real throughput, but only at a high cost and among like devices.

Because Apple was an early adopter of 802.11g, and because it's eschewed the proprietary and odd extensions to 802.11g that have appeared in intervening years--they adopted the more generally compatible improvements--they're ideally poised to make the leap from AirPort Extreme to AirPort FreakingFast or whatever super-duper name they'll assign to it.

My expectation is that Apple will announce the new technology at or before WWDC this August because the final draft of the standard should be finished or close to it before then, and at least four chipmakers will have been producing draft chipsets for months and worked out the bugs. Interoperability should actually be fairly decent, or achievable via firmware upgrades.

I predict that Apple won't offer any 802.11n products that work in existing AirPort Extreme slots. Rather, they'll only use a PCI ExpressCard style interface. (The onboard Wi-Fi in the first Intel Macs use this architecture.) So don't get your hopes up about Apple helping you to speed up a G4 or G5 Mac of any kind.

The new Mac mini base model includes more memory, too, and gigabit Ethernet, but its more powerful video card uses main system memory instead of dedicated video memory, obviating that price difference.

The AirPort Card was a modified version of a PC Card produced originally by Lucent. When Wi-FI was first introduced, there was Intersil and Lucent, and a few other players with very little marketshare. Intersil produced the Prism series of chips used by Linksys and many other companies; Lucent (which acquired its product line by buying WaveLAN) sold its cards under the name Orinoco and sold chips to Apple. Apple included a special slot for this card in iMacs starting in 1999. The original Wi-Fi flavor was 802.11b, which operated at a raw rate of 11 Mbps.

Intersil wound up becoming an also-ran in the Wi-Fi market as upstart Broadcom captured the early 802.11g market despite Intersil pushing the OFDM (Orthogonal Frequency Division Multiplexing) encoding method that became the way that 802.11g reached 54 Mbps of raw speed. Intersil later sold its wireless products to GlobespanVirata which merged with Conexant. Conexant now focuses its wireless efforts on integrated home gateways.

Broadcom grabbed a huge hunk of the 802.11g market, snagging Belkin, Buffalo, Linksys, and Apple. Lucent had, in the meantime, spun its chipmaking division off as Agere, which didn't provide 802.11g chips til a little too late for Apple and the rest of the marketplace. Atheros, meanwhile, which had started as an 802.11a company for the enterprise, shifted gears and signed up NetGear, D-Link, and, later, a lot of startup wireless LAN switch companies. Intel (via Centrino), Marvell, Atheros, and Broadcom are recognized as the leading Wi-Fi chipmakers today.

Apple sold Broadcom's package as a modified mini-PCI card that fits into a new special slot inside all current Macs. It continued to sell the AirPort Card, lowering the price in 2004 to $80 down from the $100 it had charged from its 1999 introduction.

Agere wound up selling its Wi-Fi product line to Proxim which first stopped selling to consumers, and then went into bankruptcy and had its assets acquired by Terabeam, which also acquired the Ricochet brand and system. (Ricochet was an early metropolitan-scale wireless system funded by Paul Allen that could offer speeds up to about 128 Kbps by its end, but like many Allen projects, it was a few years ahead of its time and ahead of the technology.)

It's pretty clear, though I've never heard it said, that at some point in this magical mystery merger tour that whatever company was still produced either the silicon or the complete package for Apple's AirPort Card stopped doing so: either the company's contract with Apple ran out or the company was incapable of continuing to run the product line. Either way, the AirPort Card disappeared and with it the hopes of a short generation of Mac users of having a simple way to connect wirelessly.

Used and never-opened AirPort Cards continue to sell on eBay, now typically for $120 to $140. The problem with used AirPort Cards is that both they and the original AirPort Base Station were notorious for going on the fritz after a year or two. I had two AirPort Base Stations die; this is a fixable problem, however, and the folks at BSR Tech offer repairs for graphite and snow ABS's and newer AirPort Extreme Base Stations, too.

What prompted this reverie is that I noticed on Dealmac today, my favorite bargain-promoting site, an offer for a $100 refurbished AirPort Card from TechRestore.com. Use Dealmac's coupon to get the discount. It's odd to see this card listed as "refurbished" because it's a solid hunk of circuit board. It either works or not. It's possible they did some burn-in tests to confirm that the card works, but that's unclear.

Older Mac owners do have other options that cost under $120 to $140, and even under $100. I wrote a few weeks ago about several options. My favorite, because it's the most flexible and interesting, is the $75 Zyxel AG-225H, a USB 2.0 device that will work with USB 1.1. USB 1.1 is limited to about 12 Mbps, so even though the Zyxel works at 802.11g speeds, pre-USB 2.0 Macs will be limited to about twice what an AirPort Card's throughput would be. (11 Mbps for 802.11b translated to about 5 Mbps of real data flow. The Zyxel should run at full bus speed, however, on USB 1.1.)

This has changed lately, as Broadcom's competitors have made inroads into the Wi-Fi market, and the same product that worked six months ago--for instance, a Belkin 802.11g PCI Card--have been re-engineered to save costs in a new version and no longer use Broadcom chips. Manufacturers rarely directly disclose which chips are in which products to avoid making promises about the underlying technology; they're promising functionality (i.e., a Wi-Fi connection).

That's what makes the Ralink's unsupported Mac OS X and Linux drivers so interesting. If you wind up with a Ralink-based device, you can still use it with your Mac. Ralink has been listening to its indirect Mac customers, because they recently updated their drivers for Mac OS X 10.4 (Tiger). And they seem to release regular bug fix updates as well.

Their driver page contains downloads and which products are supported using their internal chipset and product names. I hope some enterprising sole will figure out which products and versions from major makers use Ralink chips, expanding Mac users' options.

Belkin's 802.11g PCI Card (part number F5D7000) claims to have Mac OS X 10.2 and 10.3 compatibility on its detail page, but doesn't offer drivers for download, and it appears its compatibility was limited to versions 1 and 2 of this card; version 3 (not noted anywhere when you purchase the card) has Ralink chips and requires Ralink drivers.

I noted above that there are now USB 2.0 adapters for Macs--I found this out almost by accident. The Zyxel AG-225H, a Wi-Fi hotspot detector with a built-in LCD screen, doubles as an 802.11a/b/g adapter using USB 2.0. Zyxel has Mac drivers for both Panther and Tiger; I haven't tested them, but have been told by other Mac users that they work. I reviewed the Zyxel unit, looking at its Wi-Fi finding functions mostly, for Mobile Pipeline back in September. It's about $75 from several online retailers.

Thanks to Dave Goldman for this tip!

The reason they resisted is apparently because they fixed the problem in the very latest AirPort Update for Tiger, released Nov. 2. A similar update was added for Panther (10.3.3 and later) on Nov. 8.

I've already emailed one of the folks who had Panther-to-Tiger upgrade problems with AirPort and this patch fixed it; I'm waiting to hear from the rest.

If you've had a problem as described in the two TidBITS article and this update fixes it (or doesn't), please email me.

The AirPort book is a hands-on guide to using Wi-Fi under Mac OS X, with details covering Jaguar, Panther, and Tiger, and tips for Mac OS 9 and Windows XP. The book focuses on Apple's AirPort network hardware and software, but broadly includes details of other gear, including the most popular router from Linksys.

Each book is $10, but collectively, $17.50. Click links at upper right to visit our store.

Here's our publicity blurb on Take Control of Your Wi-Fi Network.

Learn how to keep intruders out of your wireless network and protect your sensitive communications!

It's ten o'clock - do you know who's using your wireless network? If you haven't changed the default network name or admin password someone could be eavesdropping on your email, plucking your passwords out of the air, or sending spam through your Internet connection right now! When you're using a wireless network - whether a Macintosh with AirPort gear or Windows with any Wi-Fi equipment - you're exposed to risk unless you take steps.

Wireless networking experts Glenn Fleishman and Adam Engst have spent years researching and covering wireless security issues on Glenn's Wi-Fi Networking News weblog and in two editions of The Wireless Networking Starter Kit. Now they've distilled that experience into this essential guide for anyone using wireless networks, whether at home, at work, or on the road. You'll learn how to evaluate your real security risks; the best way to restrict access to your network using WPA; how to secure your data in transit with PGP, SSL, SSH, and VPNs; and how to protect your computers from viruses and attacks. The ebook provides extra advice on how to secure your small office wireless network, including details on choosing VPN hardware and software and on setting up 802.1X for secure Wi-Fi logins. The final section of the ebook helps you determine how successful your security efforts have been by showing you how to perform a detailed security audit on your wireless network using the same freely available tools that crackers might use against you.

Read this ebook to learn the answers to questions like:

• Should I worry about someone eavesdropping on my home wireless network?
• How can I find out if someone is snooping on my wireless network right now?
• Do I need a VPN to protect my sensitive work communications?
• Can I control access to my wireless network by user name and password?
• What software can I use for secure email and file transfer?
• How does public-key encryption work?
• Our office has only 15 people in it - can we afford the best Wi-Fi security?
• Is it really possible to break a WEP key in less than a minute?
• How can I better manage all my passwords to keep them secure?