Security flaw found in popular Broadcom driver

If it's not one thing, it's another. H. D. Moore, organizer of the Month of Kernel Bugs (MoKB) project, has just publicized a flaw discovered by Jon Ellch in the popular Broadcom BCMWL5.SYS driver. The driver appears to be vulnerable to a stack-based buffer overflow which may allow kernel-mode execution of malicious code. Kudos to the Zeroday Emergency Response Team (ZERT), which was quick to offer an advisory saying that while the bug was not exploitable over the Internet, it was still serious because users could be affected in many everyday situations. "If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop or using your computer with the wireless card enabled in any public place, you are at risk... The distance is dependent on the attacker's antenna and signal strength," the ZERT advisory said. "Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card's background scan of available wireless networks triggers the flaw."

Matthew Boersma reports that Ellch demonstrated the flaw last month at Microsoft's Blue Hat conference. Ellch also informed Broadcom of the problem, and the company has released a patch to the device makers using the vulnerable chipset. Trouble is, the drivers that different device makers distribute to their customers differ from Broadcom's basic driver, meaning that there is no single patch that addresses the vulnerability in all of them. ZERT recommends that users update to the latest available drivers for their hardware (the group also said, though, that as far as it was aware, only Linksys offered patches specifically designed to address the problem).

For more on the Broadcom chip's vulnerability:
- Matthew Boersma's CIO report
- Ed Sutherland's Internetnews discussion
- the Broadcom Wireless adapter advisory on the ZERT website
- the MoKB website

ALSO: See this intriguing story about how a hidden flaw in the WiFi standard led to persistent packet loss.