Apple is keeping typically tight-lipped about a remote code execution vulnerability it patched in its AirPort router firmware.
Last night, Apple released an advisory warning users of the AirPort Express, AirPort Extreme and AirPort Time Capsule base stations that a new firmware was available—AirPort Base Station Firmware Update 7.6.7 and 7.7.7—and should be applied immediately.
“A memory corruption issue existed in DNS data parsing,” Apple’s advisory reads. “This issue was addressed through improved bounds checking.”
A request to Apple for further comment was not answered prior to publication.
It’s unknown whether the vulnerability has been exploited publicly, but Apple did say that an attacker could remotely run arbitrary code using this flaw.
DNS parsing issues are particularly serious because an attacker who can insert himself onto the device could be able to intercept and redirect traffic.
Users are recommended to use AirPort Utility, which is a free download from the App Store, version 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS to upgrade to the correct firmware version.
The vulnerability has been around since 2015 (CVE-2015-7029) and was disclosed by Apple’s Alexandre Helie.
Helie, 21, is from Quebec, Canada, and according to a January interview on Canadian television, he was hired by Apple after privately disclosing three vulnerabilities.
Helie was a university student in Quebec when he found the original flaws in Apple’s operating system, the interview said. Helie is quoted that he was hopeful of receiving a monetary reward from Apple for his findings, but Apple has no bounty program. Instead, two months later, he was invited to Cupertino to interview for a job on the team that tests the core operating system before it’s put into production, the interview says.
