By Gregg Keizer
Nov 13, 2006
A critical vulnerability in a wireless driver used in PCs sold by Dell,
Gateway, Hewlett-Packard, and others will be tough to patch, a security
researcher said Monday, even though exploit code has already been
published and attacks are possible.
The vulnerability in the Broadcom wireless driver went public Saturday
as part of the "Month of Kernel Bugs" project; the same day, an exploit
was added to the Metasploit Framework, a penetration testing tool.
Although the researcher who discovered the flaw had earlier reported it
to Broadcom, patches may be slow in coming since each computer and
third-party wireless card maker tweaks the generic Broadcom code for its
"Broadcom supplied a general fix to the general chip vulnerability,"
said Dean Turner, a senior manager with Symantec's security response
team, "but it's very difficult for Broadcom to issue a single patch.
Each [computer maker] must create its own patch."
The driver vulnerability and subsequent exploit let attackers hijack a
laptop actively seeking or using a wireless connection, such as when the
user is in a public hot spot at an airport or café.
An alert posted by the all-volunteer ZERT (Zero Day Emergency Response
Team) -- best known as the creator of third-party patches for Windows --
spelled out the trouble. "If you are near other users with laptops, you
are at risk. If you are using your computer with the wireless card
enabled in any public place, you are at risk. Windows is exploitable
without the existence of an Access Point or any interaction from the
Because each driver for the Broadcom hardware is somewhat different,
each vendor must release its own patch or update, said ZERT. As of
Monday, only Linksys had posted a fix for its Broadcom-based driver.
Security vendors immediately raised the alarm. In a warning to customers
of its DeepSight threat management system, Symantec pegged the
vulnerability's overall urgency rating at "10," its highest-possible
level. "This vulnerability occurs at an extremely low level within the
networking protocol and is not believed to be prevented through the use
of firewall, IDS [Intrusion Detection System], or IPS [Intrusion
Prevention System] applications. As such, the threat of this issue is
extremely elevated," the alert read. "Administrators and users [should]
disable all affected wireless devices until patches have been made
Turner advised Windows laptop users to first check if the maker of their
PC and/or wireless card has come up with a fix. "Go to your hardware
provider and install the latest drivers," said Turner. "It may be that
the latest drivers may patch the issue."
ZERT's alert seconded Turner's take. "Many vendors have released drivers
that are more recent than the driver that was tested," ZERT said. "While
we can't tell if these drivers patch the problem, we still assume that
it's a good idea to install them." The published exploit worked on the
version 188.8.131.52 Broadcom driver, but may also work on other editions.
Until fixes are available, users should take the serious step of
disabling the wireless card. "In the short term, when you're in public
places or when you don't need wireless, you should disable the card,"
Turner said. With the card disabled, users will not be able to connect
to any wireless network.
For its part, ZERT has decided not to pursue a patch, and called the
"Although most of these vendors and manufacturers use the same basic
driver, it differs enough that in most cases a single patch just won't
cut it. Further, building a patch for all the different drivers from
each vendor and all their versions, as well as test against them, is
Some PC makers, Dell for one, offer buyers automated update services,
noted Turner, so users should check with their computer or wireless card
maker to see if an auto-update mechanism is available.
ZERT also wondered if Microsoft's Windows Update might be called on to
provide patches, but acknowledged the difficulties the Redmond, Wash.
developer would face. "Patching third-party software is never an easy
task, even if in collaboration with the third party [but] Microsoft
potentially helping to patch this third-party issue could be of a
significant help to get ahead of this threat."
Microsoft has pushed patches for third-party software through its
automated update program previously. The company did not immediately
respond Monday to questions about whether it was considering issuing
patches for the wireless driver vulnerability.