Apple Fixes Serious Flaw In AirPort Wireless Routers

The Flaw Could Allow Hackers To Execute Malicious Code On Affected Devices

Apple has released firmware updates for its AirPort wireless base stations to address a security vulnerability that could expose devices to piracy.

Apple's security is a memory corruption issue that results from the analysis of Domain Name System (DNS) data that could lead to the execution of arbitrary code.

The company releases firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule Base Stations with Wi-Fi 802.11n, and AirPort Extreme and AirPort Time Capsule Base Stations with Wi-Fi 802.11ac.

The AirPort Utility 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS can be used to install new firmware versions on AirPort devices, the company said.

As is common with Apple's security announcements, the company has not published details on possible exploitation scenarios and has not assigned a severity rating to the error. However, the "execution of arbitrary code", especially by a remote vector such as DNS, is as bad as it could possibly be for a vulnerability.

What is not clear is whether the problem of data analysis lies in the DNS server or in the DNS client functionality.

A router like AirPort can act as a local DNS resolution for devices on a network. This means that it receives DNS queries from computers and forwards those queries over the global Internet DNS chain.

On the other hand, routers also act as DNS clients and require other DNS servers on the Internet to resolve hostnames.

If the error occurs in the analysis of the queries received from the LAN computers, this would limit the attack on the local network. However, if the error lies in the analysis of DNS responses, it could be exploited remotely.

When a DNS client asks a server to resolve a domain name, the query is finally passed to one of the 13 root DNS servers on the Internet, in fact server clusters. These servers specify the authorized DNS server for the consulted domain name, and that authorized server responds with the requested information.

Attackers can register dishonest domain names and configure the authorized DNS server to respond with specially designed data that exploits the error. Then they would have to outsmart a computer behind an AirPort router to send a DNS query for one of their domain names, for example, by getting a user to click on a link.

Another unknown fact is the privilege with which an attacker can execute malicious code if this error is successfully misused. Running the code under the root account may endanger the device.

By operating an AirPort device, attackers can perform multiple attacks on computers on the local network. They can hijack search queries, add fraudulent ads to websites and even refer users to malicious websites when they try to access legitimate sites.

Given the potentially serious consequences of this vulnerability and the fact that DNS is a critical service that can not be easily disabled, it is recommended that users install the updated firmware as soon as possible.