Critical Wireless Flaw Leaves Windows Users Open To Attack

A critical vulnerability in a wireless driver used in PCs sold by Dell, Gateway, Hewlett-Packard, and others will be tough to patch, a security researcher said Monday, even though exploit code has already been published and attacks are possible.

The vulnerability in the Broadcom wireless driver went public Saturday as part of the "Month of Kernel Bugs" project; the same day, an exploit was added to the Metasploit Framework, a penetration testing tool. Although the researcher who discovered the flaw had earlier reported it to Broadcom, patches may be slow in coming since each computer and third-party wireless card maker tweaks the generic Broadcom code for its own hardware.

"Broadcom supplied a general fix to the general chip vulnerability," said Dean Turner, a senior manager with Symantec's security response team, "but it's very difficult for Broadcom to issue a single patch. Each [computer maker] must create its own patch."

The driver vulnerability and subsequent exploit lets attackers hijack a laptop actively seeking or using a wireless connection, such as when the user is in a public hot spot at an airport or caf.

An alert posted by the all-volunteer ZERT (Zero Day Emergency Response Team) -- best known as the creator of third-party patches for Windows -- spelled out the trouble. "If you are near other users with laptops, you are at risk. If you are using your computer with the wireless card enabled in any public place, you are at risk. Windows is exploitable without the existence of an Access Point or any interaction from the user."Because each driver for the Broadcom hardware is somewhat different, each vendor must release its own patch or update, said ZERT. As of Monday, only Linksys had posted a fix for its Broadcom-based driver.

Security vendors immediately raised the alarm. In a warning to customers of its DeepSight threat management system, Symantec pegged the vulnerability's overall urgency rating at "10," its highest-possible level. "This vulnerability occurs at an extremely low level within the networking protocol and is not believed to be prevented through the use of firewall, IDS [Intrusion Detection System], or IPS [Intrusion Prevention System] applications. As such, the threat of this issue is extremely elevated," the alert read. "Administrators and users [should] disable all affected wireless devices until patches have been made available."

Turner advised Windows laptop users to first check if the maker of their PC and/or wireless card has come up with a fix. "Go to your hardware provider and install the latest drivers," said Turner. "It may be that the latest drivers may patch the issue."

ZERT's alert seconded Turner's take. "Many vendors have released drivers that are more recent then the driver that was tested," ZERT said. "While we can't tell if these drivers patch the problem, we still assume that it's a good idea to install them." The published exploit worked on the version 3.50.21.10 Broadcom driver, but may also work on other editions.

Until fixes are available, users should take the serious step of disabling the wireless card. "In the short term, when you're in public places or when you don't need wireless, you should disable the card," Turner said. With the card disabled, users will not be able to connect to any wireless network.For its part, ZERT has decided not to pursue a patch, and called the idea "impractical."

"Although most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it. Further, building a patch for all the different drivers from each vendor and all their versions, as well as test against them, is impractical."

Some PC makers, Dell for one, offer buyers automated update services, noted Turner, so users should check with their computer or wireless card maker to see if an auto-update mechanism is available.

ZERT also wondered if Microsoft's Windows Update might be called on to provide patches, but acknowledged the difficulties the Redmond, Wash. developer would face. "Patching third-party software is never an easy task, even if in collaboration with the third party [but] Microsoft potentially helping to patch this third-party issue could be of a significant help to get ahead of this threat."

Microsoft has pushed patches for third-party software through its automated update program previously. The company did not immediately respond Monday to questions about whether it was considering issuing patches for the wireless driver vulnerability.0