The Mac Security Blog
Apple has released an update to Time Capsule and AirPort Base Station (802.11n) Firmware, fixing one security issue:
Impact: An attacker in a privileged network position may be able to cause arbitrary command execution via malicious DHCP responses
Description: dhclient allowed remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. This issue is addressed by stripping shell meta-characters in dhclient-script.
This is an obscure issue, but you should update the firmware anyway, as it probably also contains other bug fixes. Apple recommends that you download AirPort Utility 5.5.3 before applying the firmware update. If you don’t already have that program, you can download it here.
To apply the Time Capsule and AirPort Base Station Firmware update, launch AirPort Utility, and select your AirPort device. You’ll see something like this telling you that a new version of the firmware is available:
Click on Update Firmware to download and apply the update. You’ll have to restart your AirPort Base Station or Time Capsule, losing network access for a couple of minutes.
Apple has issued updates for AirPort devices – its AirPort Base Station and Time Capsule – patching several vulnerabilities in the software used to run these devices. Five vulnerabilities are fixed, four of which could result in denial of service or could lead to device restart, and one that could allow malicious users to access an FTP server if port-mapping is used.
The 12.3 MB update to AirPort is available via Software Update, or by download here. After installing the new version of AirPort Utility, users should run that application to apply the firmware updates to their AirPort devices.
Full information about this update is available here.
Apple has published a technical note explaining that the WPA2 setting for wireless security provides the best network throughput to multiple devices, using Apple’s AirPort hardware. Using older protection – WPA – will prevent the devices from exceeding 54 Mbps (megabits per second). Apple’s article suggests that this is the case for other hardware, but says that users should check the correct configuration for non-Apple devices. However, WPA/WPA2 Personal provides higher throughput for single devices, such as a single computer and router. In most cases, your actual Internet bandwidth will not exceed 54 Mbps, so if you only have a single computer, this is not an issue.
To set WPA2 protection, open AirPort Utility, choose your base station, then click Manual Setup. Click the AirPort icon in the toolbar, then the Wireless tab, then choose WPA2 Personal from the Wireless Security menu.
Apple has issued an update to its AirPort Base Station software, and this update includes a patch for one security flaw. The AirPort Utility 5.5.1 software, available via Software Update, is a 10 MB download, and, after installation, will prompt users, when launched, to apply the new firmware update to AirPort base stations and Time Capsules. This update is available for Mac OS X 10.5.7 or later, and more information about the vulnerability that is patched can be found here.