Apple Patches AirPort Remote Code Execution Flaw

Apple has patched a remote code execution vulnerability in its AirPort base stations, AirPort Express, AirPort Extreme and AirPort Time Capsule.

Apple is keeping typically tight-lipped about a remote code execution vulnerability it patched in its AirPort router firmware.

Last night, Apple released an advisory warning users of the AirPort Express, AirPort Extreme and AirPort Time Capsule base stations that a new firmware was available—AirPort Base Station Firmware Update 7.6.7 and 7.7.7—and should be applied immediately.

“A memory corruption issue existed in DNS data parsing,” Apple’s advisory reads. “This issue was addressed through improved bounds checking.”

A request to Apple for further comment was not answered prior to publication.

It’s unknown whether the vulnerability has been exploited publicly, but Apple did say that an attacker could remotely run arbitrary code using this flaw.

DNS parsing issues are particularly serious because an attacker who can insert himself onto the device could be able to intercept and redirect traffic.

Users are recommended to use AirPort Utility, which is a free download from the App Store, version 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS to upgrade to the correct firmware version.

The vulnerability has been around since 2015 (CVE-2015-7029) and was disclosed by Apple’s Alexandre Helie.

Helie, 21, is from Quebec, Canada, and according to a January interview on Canadian television, he was hired by Apple after privately disclosing three vulnerabilities.

Helie was a university student in Quebec when he found the original flaws in Apple’s operating system, the interview said. Helie is quoted that he was hopeful of receiving a monetary reward from Apple for his findings, but Apple has no bounty program. Instead, two months later, he was invited to Cupertino to interview for a job on the team that tests the core operating system before it’s put into production, the interview says.

Suggested articles


  • Craig on

    I don't understand, you're saying last night on an article dated 21 June 2016 but update was posted 24 May 2016 (see: and there's no link to a reference source. Is there a new update or announcement?
    • Chris Brook on

      Hi Craig, This is the advisory: Chris

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.