Gergo posting from Black Hat USA 2006 Wireless Drivers - Speakers: Johnny Cache & David Maynor
The talk was mostly about different protocol vulnerabilities in wireless LANs. They spent most of the time talking about different angles of why 802.11 sucks. ;)
The interesting bit was the few minutes long video at the end of the briefing. Apparently they have found a remote overflow in a certain wireless card driver. For the demo, an Intel-based Mac was used, with a third-party wireless card. It was not really clear whether the driver was included in OS X or came with the third-party network card. Nevertheless the net result is a connect-back remote shell on the Mac. Pretty impressive, and scary at the same time...
Details have not been released on the vulnerability yet; they are still working with the vendor (Apple?) on the fix. There has not been any hint on a connection between this and the Intel Centrino fix.
The long-standing suspicion has been confirmed but there is no evidence of this affecting a widespread device/driver yet. That is, until they release more information on the vulnerability itself.
The video can be found at Brian Krebs' Security Fix column.