
Apple: Heap Overflow in AppleBCMWLANCore Driver - 0x0
https://bugs.chromium.org/p/project-zero/issues/detail?id=1302
======
0x0
Interestingly this was not part of the original iOS11 security announcement:
[http://web.archive.org/web/20170919182359/https://support.apple.com/en-us/HT208112](http://web.archive.org/web/20170919182359/https://support.apple.com/en-us/HT208112) and (a mail to apple-security which is no longer archived at
[https://lists.apple.com/archives/security-announce/2017/Sep/threads.html#00000](https://lists.apple.com/archives/security-announce/2017/Sep/threads.html#00000) )

But instead published after the fact as an additional update:
[https://lists.apple.com/archives/security-announce/2017/Sep/msg00002.html](https://lists.apple.com/archives/security-announce/2017/Sep/msg00002.html) and [https://support.apple.com/en-us/HT208112](https://support.apple.com/en-us/HT208112)

Why delay the announcement? And why remove the original "APPLE-SA-2017-09-19-1
iOS 11" with "Date: Tue, 19 Sep 2017 -0700" from the apple-security email
archive?

Also, are MacBooks vulnerable to the same bug until next Monday when macOS
10.13 drops?

Also, there are about 6 other similar issues recently posted to Google Project
Zero: [https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=owner:laginimaineb@google.com&sort=-id](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=owner:laginimaineb@google.com&sort=-id)

------
walterbell
Is this going to be fixed in iOS 10? Some users have apps which will not work
with iOS 11, so cannot immediately upgrade.

~~~
0x0
Highly unlikely, I don't think Apple has ever released multiple branches of
updates for any device. The closest is perhaps iOS 6.1.6, a fix for the fatal
"gotofail" SSL vulnerability, which was pushed out to devices stuck on iOS
6.x, but if your device was eligible for iOS7 then iOS7(.0.6) was what you
would get.

That's also the only time I can remember security updates being pushed after a
device model being end-of-life'd.

~~~
walterbell
Have they previously had an app transition like 32-bit / 64-bit, where some
users cannot upgrade?

~~~
0x0
Nope, so this is going to be interesting to watch. Personally I was hoping
that they would offer an optional download of 32bit support libraries to let
iOS11 users run important existing legacy apps and access their documents, but
they seem to push hard on making developers get in line and update their apps.
Which is unhelpful for the cases where the developers no longer have any
interest in their apps or even exist (bankrupt, disbanded, in some cases
deceased).

~~~
coldtea
> _Which is unhelpful for the cases where the developers no longer have any
> interest in their apps or even exist (bankrupt, disbanded, in some cases
> deceased)_

If they are "bankrupt, disbanded, in some cases deceased" then maybe insisting
on using those apps is not the best course for the user either...

~~~
pjc50
As I commented last time on the subject:
[https://news.ycombinator.com/item?id=15285252](https://news.ycombinator.com/item?id=15285252)

Sometimes the apps are the only way to access something else, in this case a
car remote unlock.

Sometimes someone has paid actual money for an app, more than the $1 baseline;
some music apps are in triple figures.

~~~
bostand
This is a valid concern, I don't understand why you are getting downvoted.

------
mangix
Wonder what this means in the grand scheme of things. Will Apple dump Broadcom
and go with Qualcomm or attempt to fix Broadcom's broken driver.

I say broken as I've yet to see good code come from Broadcom.

~~~
senatorobama
This isn't even in Broadcom code.

~~~
0x0
Maybe not this time, but they have a history of fatal firmware bugs that could
compromise the host system - such as
[http://boosterok.com/blog/broadpwn2/](http://boosterok.com/blog/broadpwn2/)

~~~
microcolonel
For what it's worth, Broadcom's market share in attractive heavy-firmware wifi
adapters is pretty high. They could just be an exploit magnet.

~~~
ge0rg
Does that mean that all embedded WiFi (and probably also baseband) controllers
are deeply rotten, and we only blame Broadcom so far because of their
popularity with device manufacturers?

~~~
bsder
Pretty much.

In general, you can assume that if you can't audit it, it's absolute crap.
This is true for hardware and software.

------
sigjuice
Is every buffer overflow important enough to need detailed discussion and
commentary?

~~~
0x0
I think these latest sets of wifi flaws are interesting if it turns out they
are exploitable by merely being in radio range of an attacker even without
joining a malicious network or requiring user interaction. That could quickly
become a fast and wormable attack. You could probably flood across an entire
city jumping from chip to chip in no time.

Especially now that iOS 11's wifi-off button in the control center no longer
actually disables the radio, but merely disassociates from the current access
point.

~~~
ronnier
> Especially now that iOS 11's wifi-off button in the control center no longer
> actually disables the radio

I still can’t believe this decision. I keep my Bluetooth and Wi-Fi off as much
as possible and it’s now difficult to do as a result of this change in iOS 11.
Really bothers me.

~~~
MBCook
I really don’t understand why people keep those two off. If you’re not using
them they use very little battery at this point; it’s not like it was 10 years
ago.

Since Apple keeps detailed usage statistics (from the people who opt in) my
guess is they know how common such a behavior is and it’s obviously low enough
they don’t think this change is a problem.

I agree with some of the other comments I’ve seen that this probably
accomplishes what the user is trying to do (ignoring a Wi-Fi network that’s
temporarily behaving poorly) and possibly protecting them (forgetting to turn
it back on and running up a huge cell bill). I know I’ve heard complaints from
people who accidentally did that a number of times.

~~~
kalleboo
I keep it off because as I ride a train it's connecting to every station wifi
and losing it just as quick, completely breaking connectivity.

~~~
IBM
Turn off "ask to join" and it will only connect to known networks.

~~~
kalleboo
The station wifi is known though, so when I have a long wait for a train at a
station I'm not burning data on YouTube.

~~~
swinglock
You can set the known network not to connect automatically. But you can only
access that setting when you are in range.

~~~
kalleboo
I didn't know about that setting, thanks for the tip. Will definitely come in
handy.

