Microsoft and Apple 'must improve security patches'

Apple and Microsoft are being urged to issue security updates for all device drivers in computers running their operating systems.

Device drivers are the software programs that control various hardware components within a computer. For example, a DVD-ROM drive has a device driver, as does a monitor. Without drivers the computer cannot communicate with the device.

Sans, the security organisation, is calling on operating system makers such as Apple and Microsoft to provide device driver security patches, which they do not do at present.

Alan Paller, director of research for Sans, told silicon.com: "When you see that Microsoft has updated your system, people assume the devices have been updated as well. That's not the case. It should not be [down to the user]. Microsoft should handle it. They may charge a little for doing it but I think they should handle it."

The remarks come after Washington Post journalist Brian Krebs wrote in his blog about an experience at the Black Hat security convention in Las Vegas, where he witnessed the exploit of a wireless driver in one of Apple's MacBooks.

He wrote: "Maynor [the exploiter] acknowledged he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in MacBook drivers. But he also admitted that the same flaws were resident in the default MacBook wireless device drivers, and that those drivers were identically exploitable."

Sans' Paller explained it's not just Apple's problem, though.

He said: "It's a Mac issue and a non-Mac issue - it's more an industry-wide problem. People are just building devices so they can sell them quickly. We think if we encrypt data on hard drives then sensitive data is OK. But that doesn't count. If someone takes control when you're on your PC that means they are already inside and the encryption is bypassed."

Yesterday Apple patched 26 flaws in its Mac OS X operating system.

Intel also recently issued fixes for flaws in its Centrino device drivers and ProSet management software that affect the security of the wireless products.

If exploited, the flaws could allow an attacker to break into a PC via wi-fi, according to security experts at F-Secure.

Graham Cluley, an antivirus and exploit expert, said: "I'm sure that Apple will be keen to roll out any required security patches as soon as possible to reassure Apple users that they are defended. Of course, it should be remembered that there are no reports of any 'in the wild' attempts to exploit the flaws in either Centrino or Apple wi-fi - so at the moment these exploits can be considered 'proof-of-concept'."

Apple has not responded to silicon.com's request for comment on the matter.