NEWS
Apple and Microsoft are being urged to issue security updates for all device drivers in computers running their operating systems.
Device drivers are the software programs that control various hardware components within a computer. For example, a DVD-ROM drive has a device driver, as does a monitor. Without drivers the computer cannot communicate with the device.
Sans, the security organisation, is calling on operating system makers such as Apple and Microsoft to provide device driver security patches, which they do not do at present.
Alan Paller, director of research for Sans, told silicon.com: "When you see that Microsoft has updated your system, people assume the devices have been updated as well. That's not the case. It should not be [down to the user]. Microsoft should handle it. They may charge a little for doing it but I think they should handle it."
The remarks come after Washington Post journalist Brian Krebs wrote in his blog about an experience at the Black Hat security convention in Las Vegas, where he witnessed the exploit of a wireless driver in one of Apple's MacBooks.
He wrote: "Maynor [the exploiter] acknowledged he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in MacBook drivers. But he also admitted that the same flaws were resident in the default MacBook wireless device drivers, and that those drivers were identically exploitable."
Sans' Paller explained it's not just Apple's problem, though.
He said: "It's a Mac issue and a non-Mac issue - it's more an industry-wide problem. People are just building devices so they can sell them quickly. We think if we encrypt data on hard drives then sensitive data is OK. But that doesn't count. If someone takes control when you're on your PC that means they are already inside and the encryption is bypassed."
Yesterday Apple patched 26 flaws in its Mac OS X operating system.
Intel also recently issued fixes for flaws in its Centrino device drivers and ProSet management software that affect the security of the wireless products.
If exploited, the flaws could allow an attacker to break into a PC via wi-fi, according to security experts at F-Secure.
Graham Cluley, an antivirus and exploit expert, said: "I'm sure that Apple will be keen to roll out any required security patches as soon as possible to reassure Apple users that they are defended. Of course, it should be remembered that there are no reports of any 'in the wild' attempts to exploit the flaws in either Centrino or Apple wi-fi - so at the moment these exploits can be considered 'proof-of-concept'."
Apple has not responded to silicon.com's request for comment on the matter.
Comments
There are 3 comments. Join the discussion
1. Michael Scott
In the article it states that "Sans, the security organisation, is calling on operating system makers such as Apple and Microsoft to provide device driver security patches, which they do not do at present." which is not entirely true because Apple and from what I remember Microsoft do include some device drivers in their built-in software update schemes. I have personally seen updates for video cards and apple wireless devise drivers (called airport) on OSX. On OSX these drivers are usually bundled in the a .X system update. On windows 2000/XP there is a section for device drivers in the update control pane. Check for yourself if you don't believe me. (Like I want Microsoft to be in charge of devise driver updates for third party products anyway. They have enough problems with there own software as it is.) So what's up with the misinformation?
Also could you have picked two worst devices, DVD-Rom and Monitors, to use as examples in a security article. What happens in terms of security if I don't update my monitor driver? .... Nothing! What about my DVD-Rom driver? .... If an intruder is using my physical computer at my desk in my office; I have bigger problems than DVD drivers. This article is leave a lot to be desired.
2. Michael Fischer
Apple certainly does automatically update drivers (and firmware on occasion), and Microsoft updates drivers (though a little more work).
In the case in point that was dragged into the article, the now (in)famous wi-fi exploit, this is a lot of noise about a real problem, but is a problem with wi-fi and not individual macs, windows and linux OS installations and drivers.
Wi-fi is an inherently insecure technology whose saving grace in most cases is limited range. Anyone in the office or the next house with a bit of crytographic knowledge and minimal hardware/software smarts can read you like a book if they are willing to put in a little effort. Or download kiddie porn or plan a terrorist attack.
And there are simpler ways. Since there is little info on what the exploit at hand for the wi-fi driver(s) was, but since it is shared, I will assume it is the usual one, that has been there all along on all wi-fi systems, and has doubtless been exploited on many occasions over the years.
Although fixes to the basic wi-fi concept are welcome, at the moment it is mostly, like trojans (on Macs anyway), a matter of common sense on the part of the user, and avoid joining just any old network that happens to become available.
3. anonymous
Microsoft does release driver updates via Microsoft Update (and Windows Update). The problem is that most drivers are owned by third-parties. Microsoft provides them a mechanism to distribute their updates (Microsoft Update and Windows Update), but many choose not to. OEM's can be really bad about this since they want consumers to visit their sites as well (or run their crapware auto-updater).
In order for Microsoft to develop the patches, they'd need all the code for every driver and would have to take on the responsibility of maintaining them. They've already done this for a few devices, but most of the industry would balk at giving all their source to Microsoft (esp. third-party device driver shops). Also, most of the industry stop updating it's drivers to get the consumer to buy new devices - maintenance and updates are not part of some warranty or mandatory (which perhaps they should be).
Microsoft has been a very strong advocate within the industry for improving driver quality. The vast majority of bugs and failures that affected Windows 5 years ago were due to poorly written drivers. Things have improved dramatically since then, and Microsoft is continuing to push. Probably not fair to villify them here, since, unlike Apple, Windows is not a closed system.