Apple fixes serious flaw in AirPort wireless routers

The flaw could allow hackers to execute malicious code on affected devices

Apple has released firmware updates for its AirPort wireless base stations in order to fix a vulnerability that could put the devices at risk of hacking.

According to Apple security, the flaw is a memory corruption issue stemming from DNS (Domain Name System) data parsing that could lead to arbitrary code execution.

The company released firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n Wi-Fi, as well as AirPort Extreme and AirPort Time Capsule base stations with 802.11ac Wi-Fi.

The AirPort Utility 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS can be used to install the new firmware versions on AirPort devices, the company said in an advisory.

As is typical for Apple security announcements, the company did not release details about possible exploitation scenarios and did not assign a severity rating for the flaw. However "arbitrary code execution," especially through a remote vector like DNS, is as bad as it can possibly get for a vulnerability.

What is not clear is whether the data parsing issue is in the DNS server or DNS client functionality.

A router like AirPort can serve as a local DNS resolver for devices on a network. This means that it receives DNS queries from computers and passes those queries upstream through the global Internet DNS chain.

On the other hand, routers also act like DNS clients, asking other DNS servers on the Internet to resolve host names.

If the error is in the parsing of queries received from LAN computers, it would limit the attack to the local network. Whereas, if the flaw is in the parsing of DNS responses, it could be exploited remotely.

When a DNS client asks a server to resolve a domain name, the query is eventually passed to one of the Internet's 13 so-called root DNS servers -- in reality clusters of servers. Those servers indicate the authoritative DNS server for the queried domain name and it's that authoritative server that replies with the requested information.

Attackers could register rogue domain names and configure the authoritative DNS server for them to respond with specifically crafted data that would exploit the flaw. They would then have to trick a computer from behind an AirPort router to send a DNS query for one of their domain names, for example by tricking a user to click on a link.

Another unknown is the privilege with which attackers would execute malicious code if this flaw is successfully exploited. If the code is executed under the root account, it could lead to a full device compromise.

By controlling an AirPort device, attackers could launch various attacks against local network computers. They could hijack search queries, insert rogue ads into Web pages and even direct users to malicious websites when they try to access legitimate ones.

Giving the potentially serious impact of this vulnerability and the fact that DNS is a critical service that can't be easily disabled, users are advised to install the updated firmware as soon as possible.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?