September 25th, 2006
David Burke dissects Apple's response on SecureWorks
David Burke who is a very sharp reader decided to chime in on Apple’s seemingly firm denial that SecureWorks supplied nothing of significance to Apple for the Apple Wi-Fi security patch. This isn’t the first time Mr. Burke has weighed in here on Real World IT, he took John Gruber’s logic apart last time based on what little evidence Gruber supplied. This time, he takes Apple’s Lynn Fox to task for her reply.
David Burke writes:
George, I just thought I would send you this email as I have just read your article on Tech Republic where Lynn Fox answered a lot of the questions I have noted coming up on the issue of what SecureWorks delivered to Apple in regard to the Macbook wireless exploit.
I was actually quite happy at first to see that Apple was giving such direct “yes and no” answers for a change, but quite frankly before I was halfway through it I felt like pulling my hair out.
Lets first look at how Lynn answers the first question;
George Ou:
Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?Lynn Fox:
The only vulnerability mentioned by David Maynor was FreeBSD vulnerability CVE-2006-0226. This does not affect Apple products
Ok George, while that implies that Maynor is such a horrible security expert he doesn’t even know what vulnerabilities might work on a Mac, who knows? I do not know Maynor and certainly can’t swear he would know better, but the important thing is, Lynn is telling us here that all information Apple got from Maynor was in relation to a FreeBSD vulnerability CVE-2006-0226, which has no application to any Apple products.
Now let’s look at the very next question Lynn Fox answers;
George Ou:
Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?Lynn Fox:
No. Packet captures were promised repeatedly but never delivered.
Now we know George that she is talking about packet captures for the FreeBSD vulnerability CVE-2006-0226, which has no application to any Apple products. We know that because she says that’s all that Maynor discussed, so that’s what the packet captures would be for.
What I do not follow here George is what in the heaven did she get Maynor to repeatedly promise to send packet captures for an exploit that had no application to an Apple product? I mean…repeatedly? And promise? This makes absolutely no sense of any kind. If Maynor was contacting her on his own and repeatedly promising for some reason to send packet captures for a vulnerability that had no application to an Apple product, peculiar as that would have been, why didn’t Apple just tell Maynor to get lost and stop bugging them as the packet captures were of no use?
This isn’t some kind of legalese issue here either George, this is just common sense. It’s obvious that something is up here with this whole packet capture issue. Lynn Fox says on the one hand Maynor only talked of one vulnerability, which didn’t apply to Apple products, and on the other hand they got Maynor to repeatedly promise to send packet captures? Something is rotten in Denmark without further explanation on that.
And what’s with all these subsequent responses to questions;
George Ou:
Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?Lynn Fox:
No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.
George Ou:
Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?Lynn Fox:
No. While we received crash dumps from SecureWorks, they didn’t have anything to do with Mac OS X or any other Apple product.
She starts with a no, and then says yes, both times, and of course, these same things they were given must have been to do with the FreeBSD issue, after all, she said its all Maynor discussed, yet there were repeated promises made for packet captures and this makes no sense.
What makes matters worse George, is did I not read that after they were notified by Maynor of the exploit they decided to do an internal audit on their own? I really do not understand the logic behind such a chain of events. Consider; Lynn Fox has essentially said that Maynor supplied them with information that didn’t even apply to Apple products, yet they wanted packet captures and eventually decided they had to do an internal audit on their own. Why? Maynor apparently gave them less then absolute zero according to Lynn Fox. Did Apple decide to do this internal audit based on the fact that Maynor showed them a vulnerability that applied only to non Apple computers? No way.
You do not have to be a rocket scientist to see what may be at issue here George. I’m not 100% sure what’s going on here George but if it is true that Maynor has time stamped communications showing certain particulars were communicated to Apple from Maynor, and Apple did indeed work to repeatedly secure promises from Maynor to send packet captures, the evidence so far indicates that something beyond the FreeBSD issue was either discussed, or Apple had a way of making use of the FreeBSD issue in such a way that although the specific issue may not exist on Apple products it was a link to something that was.
What’s going on? Once again this ends up answering little.
- End of email -
Yes, this all sounds very strange David and you’ve given me a new level of respect for the legal profession. I thought something was strange about those responses but just couldn’t put my finger on it. You’ve cleared that up nicely, thank you.
(Note on internal audit)
As reported by Brian Krebs, Anuj Nayar said: "Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affec tthe wireless drivers on Macs, but they didn’t supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws."
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
