Threat Center Security News Kudos Charlie Miller?
Kudos Charlie Miller? Print E-mail
Written by Rebecca Mints   
Wednesday, 23 April 2008 18:00

Apple has been known to take their time when getting fixes out to users in security updates long after patches for open source software have been released. And this is for open source software that is included with Mac OS X. A good example of this is the Mac OS X 10.5.2 update. And it just so happened this is also the case with Charlie Miller, the gentleman that hacked a Mac at the CanSecWest security conference and won $10,000 and a MacBook Air in the PWN2OWN contest.

The vulnerability stems from the Perl Compatible Regular Expressions (PCRE) library which is used by Safari (more specifically the WebKit framework that underpins Safari), and additionally some common types of open source software like Apache. The fix for PCRE was released last May (almost a YEAR ago) but the Apple update to Safari didn't happen until last month.

Unfortunately for Apple users, this is not an uncommon occurence. What hackers like to do is find open source vulnerabilities that have had a patch already released, but one that has not been released to users via the OS X updates. Since they know how the vulnerability is being patched, and they also aim for common open source software, it's not hard for hackers to devise a method of exploitation when the patch has not rolled out the users yet.

Apple describes the patch that Charlie Miller used as: "A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution."

On the second day of the contest at CanSecWest this year, when open source software became fair game to exploit, the MacBook Air was hacked in minutes.

Mac hack used old vulnerability


WTW Threat Level