Windows computers are open to direct attack from a hole in the widely-used Broadcom Wi-Fi driver, security researchers have warned.
The flaw was publicised as part of the Month of Kernel Bugs (MoKB) project organised by researcher HD Moore. According to the MoKB advisory, the Broadcom BCMWL5.SYS driver is vulnerable to a stack-based buffer overflow that could allow kernel-mode execution of malicious code.
The volunteer Zeroday Emergency Response Team (ZERT) group released an advisory explaining that the bug is serious because, while it isn't exploitable over the Internet, users could be affected in many everyday situations.
"If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop, or using your computer with the wireless card enabled in any public place, you are at risk... The distance is dependent on the attacker's antenna and signal strength," ZERT said. "Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card's background scan of available wireless networks triggers the flaw."
Furthermore, an attack tool already exists, as part of version 3.0 of Moore's Metasploit Framework, ZERT said.
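The mechanism ZERT describes, a kernel driver parsing frames received during a background scan, is worth seeing in code. The following is an added example, not code from the Broadcom driver, Metasploit or ZERT: beacon and probe-response frames carry information elements as ID/length/value triples, and the classic overflow shape is a driver that copies an element into a fixed stack buffer using the length byte from the air. Which field BCMWL5.SYS mishandled is not stated on this page, so the SSID element, the buffer sizes, the function names and the sample frames below are assumptions chosen for illustration.

```c
/*
 * Added example (hypothetical; not the Broadcom driver's code): the shape of
 * a stack-based overflow in an 802.11 information-element parser, beside a
 * hardened form.
 *
 * IEs are tag/length/value: 1 byte element ID, 1 byte length, then the value.
 * Element ID 0 is the SSID, which 802.11 caps at 32 bytes, but the length
 * byte on the air is attacker-controlled and can be up to 255. Any frame the
 * card parses while scanning reaches this code, with no AP and no user
 * interaction, which is why a nearby laptop is enough.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX 32
#define IE_SSID  0

enum parse_status {
    PARSE_OK        =  0,
    PARSE_TRUNCATED = -1,   /* element claims more bytes than the frame holds */
    PARSE_TOO_LONG  = -2,   /* SSID longer than the 32-byte maximum            */
    PARSE_NO_SSID   = -3
};

/* VULNERABLE pattern: the on-air length byte sizes a copy into a fixed
 * stack buffer. elen can be 255, ssid[] holds 33: the frame overwrites the
 * stack frame of a function running in kernel mode. Kept here so the two
 * versions can be compared; only ever call it with benign input. */
static int parse_ssid_unchecked(const uint8_t *ies, size_t len, char *out)
{
    char ssid[SSID_MAX + 1];                 /* fixed stack buffer */
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t id = ies[i], elen = ies[i + 1];
        if (id == IE_SSID) {
            memcpy(ssid, &ies[i + 2], elen); /* elen is attacker-controlled */
            ssid[elen] = '\0';
            strcpy(out, ssid);
            return PARSE_OK;
        }
        i += 2 + elen;
    }
    return PARSE_NO_SSID;
}

/* HARDENED: bound every length against the bytes actually received and
 * against the destination buffer, and reject rather than silently trim. */
static int parse_ssid_checked(const uint8_t *ies, size_t len, char *out)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t id = ies[i], elen = ies[i + 1];
        if (elen > len - (i + 2))            /* i + 2 <= len, so no underflow */
            return PARSE_TRUNCATED;
        if (id == IE_SSID) {
            if (elen > SSID_MAX)
                return PARSE_TOO_LONG;
            memcpy(out, &ies[i + 2], elen);
            out[elen] = '\0';
            return PARSE_OK;
        }
        i += 2 + elen;
    }
    return PARSE_NO_SSID;
}

/* Constructed sample IE list: SSID "CoffeeShop", then a supported-rates element. */
static const uint8_t benign_ies[] = {
    0x00, 0x0a, 'C', 'o', 'f', 'f', 'e', 'e', 'S', 'h', 'o', 'p',
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96
};

/* Constructed hostile IE list: SSID element claiming the maximum 255 bytes.
 * Returns the number of bytes written, or 0 if cap is too small. */
static size_t make_hostile_ies(uint8_t *buf, size_t cap)
{
    if (cap < 257)
        return 0;
    buf[0] = IE_SSID;
    buf[1] = 0xff;
    memset(&buf[2], 'A', 255);
    return 257;
}

int main(void)
{
    char out[SSID_MAX + 1];
    uint8_t hostile[300];
    size_t n = make_hostile_ies(hostile, sizeof hostile);

    printf("benign  (checked): %d ssid=%s\n",
           parse_ssid_checked(benign_ies, sizeof benign_ies, out), out);
    printf("hostile (checked): %d\n", parse_ssid_checked(hostile, n, out));
    /* parse_ssid_unchecked(hostile, n, out) would smash the stack; not run. */
    return 0;
}
```

The checked parser enforces two separate bounds: the element length against the bytes that actually arrived (otherwise the loop reads past the frame), and the SSID length against the destination buffer. Both checks are needed; a parser that only validates against the frame length still overflows a 32-byte buffer with a 255-byte element that really is present on the air.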
The bug was discovered by Jon Ellch, who demonstrated it at Microsoft's Blue Hat conference in October. Ellch had reported the bug to Broadcom, which has released a patch to the device makers using the affected chipset.
However, the mechanics of Wi-Fi device distribution mean that patches are not necessarily available to end users. The drivers distributed by device makers all differ slightly from the basic driver provided by Broadcom, meaning that no one group could provide a patch for all the different hardware containing the chipset, according to ZERT.
"Building a patch for all the different drivers from each vendor and all their versions, as well as testing against them, would be impractical," the group said. Instead it has advised users to update to the latest available drivers for their hardware, but said it was aware of only one driver update - from Linksys - which specifically patches the problem.
The chipset is built into new machines from HP, Dell, Gateway, eMachines and others, according to MoKB. Some of these, such as Dell, have automatic systems for distributing updated drivers. "Others don't and many of their clients are likely to remain vulnerable for some time to come," warned ZERT.