Critical Wireless Flaw Leaves Windows Users Open To Attack


By Gregg Keizer
Nov 13, 2006

A critical vulnerability in a wireless driver used in PCs sold by Dell, 
Gateway, Hewlett-Packard, and others will be tough to patch, a security 
researcher said Monday, even though exploit code has already been 
published and attacks are possible.

The vulnerability in the Broadcom wireless driver went public Saturday 
as part of the "Month of Kernel Bugs" project; the same day, an exploit 
was added to the Metasploit Framework, a penetration testing tool. 
Although the researcher who discovered the flaw had earlier reported it 
to Broadcom, patches may be slow in coming since each computer and 
third-party wireless card maker tweaks the generic Broadcom code for its 
own hardware.

"Broadcom supplied a general fix to the general chip vulnerability," 
said Dean Turner, a senior manager with Symantec's security response 
team, "but it's very difficult for Broadcom to issue a single patch. 
Each [computer maker] must create its own patch."

The driver vulnerability and subsequent exploit lets attackers hijack a 
laptop actively seeking or using a wireless connection, such as when the 
user is in a public hot spot at an airport or café.

An alert posted by the all-volunteer ZERT (Zero Day Emergency Response 
Team) -- best known as the creator of third-party patches for Windows -- 
spelled out the trouble. "If you are near other users with laptops, you 
are at risk. If you are using your computer with the wireless card 
enabled in any public place, you are at risk. Windows is exploitable 
without the existence of an Access Point or any interaction from the 

Because each driver for the Broadcom hardware is somewhat different, 
each vendor must release its own patch or update, said ZERT. As of 
Monday, only Linksys had posted a fix for its Broadcom-based driver.

Security vendors immediately raised the alarm. In a warning to customers 
of its DeepSight threat management system, Symantec pegged the 
vulnerability's overall urgency rating at "10," its highest-possible 
level. "This vulnerability occurs at an extremely low level within the 
networking protocol and is not believed to be prevented through the use 
of firewall, IDS [Intrusion Detection System], or IPS [Intrusion 
Prevention System] applications. As such, the threat of this issue is 
extremely elevated," the alert read. "Administrators and users [should] 
disable all affected wireless devices until patches have been made 

Turner advised Windows laptop users to first check if the maker of their 
PC and/or wireless card has come up with a fix. "Go to your hardware 
provider and install the latest drivers," said Turner. "It may be that 
the latest drivers may patch the issue."

ZERT's alert seconded Turner's take. "Many vendors have released drivers 
that are more recent than the driver that was tested," ZERT said. "While 
we can't tell if these drivers patch the problem, we still assume that 
it's a good idea to install them." The published exploit worked on the 
version Broadcom driver, but may also work on other editions.

Until fixes are available, users should take the serious step of 
disabling the wireless card. "In the short term, when you're in public 
places or when you don't need wireless, you should disable the card," 
Turner said. With the card disabled, users will not be able to connect 
to any wireless network.

For its part, ZERT has decided not to pursue a patch, and called the 
idea "impractical."

"Although most of these vendors and manufacturers use the same basic 
driver, it differs enough that in most cases a single patch just won't 
cut it. Further, building a patch for all the different drivers from 
each vendor and all their versions, as well as test against them, is 

Some PC makers, Dell for one, offer buyers automated update services, 
noted Turner, so users should check with their computer or wireless card 
maker to see if an auto-update mechanism is available.

ZERT also wondered if Microsoft's Windows Update might be called on to 
provide patches, but acknowledged the difficulties the Redmond, Wash. 
developer would face. "Patching third-party software is never an easy 
task, even if in collaboration with the third party [but] Microsoft 
potentially helping to patch this third-party issue could be of a 
significant help to get ahead of this threat."

Microsoft has pushed patches for third-party software through its 
automated update program previously. The company did not immediately 
respond Monday to questions about whether it was considering issuing 
patches for the wireless driver vulnerability.
