Mac hack contest bug had been public for a year

April 22, 2008 —

When Charlie Miller won US$10,000 for hacking
into a Macbook Air laptop last month, he exploited a flaw that had been
publicly disclosed nearly a year before the contest.

The flaw, it turns out, lay in an open-source software library called the Perl
Compatible Regular Expressions (PCRE) library, which is used by many products
including Apache, the PHP scripting language, and Apple's Safari browser, which
Miller hacked to win the contest.

Miller won $10,000 and a new Macbook Air last month after hacking into the
laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to
install unauthorized software on fully patched Mac OS X, Windows and Linux computers
using previously undisclosed "zero-day" flaws.

In an e-mail interview, security researcher Chris Evans said he found the bug,
which he publicly
disclosed in November 2007. PCRE developers fixed the bug months earlier
while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product,
Evans said.

Although Apple's Safari browser uses the PCRE software library, the company
did not patch its version of the library until late last week. That means that
an astute hacker who had noticed the fix in PCRE 6.7 would have been given an
early tip on how to hack into Apple's computers.

Discovering a software bug is the first step toward figuring out how to use
that flaw in an attack, but not every flaw leads to a successful exploit.

In an e-mail interview, Miller confirmed that the bug he'd exploited was the
same one that was patched in PCRE 6.7, but said that researchers at his company,
Independent Security Evaluators, had found it "completely independently."

Miller found another PCRE bug that allowed him to be the first hacker to break
into the iPhone after it was launched last year.

It is very common for developers to incorporate someone else's software library
into their program and then not properly add all the latest bug fixes, said
Dragos Ruiu, one of the organizers of the PWN2OWN contest.

However, Apple should have done a better job of staying on top of the software
it was shipping. "This is a black mark on their security team, but it's
a common problem," he said. The same kind of issue has popped up frequently
with products that use the zlib and JPEG compression libraries, he added.

An Apple representative could not immediately comment for this story, saying
that he would have to first research the issue.

Ironically, Miller gave a presentation
at the Black Hat security conference last year, arguing that one way to
find bugs in Mac OS X would be to look for out-of-date open-source software
that ships with the Mac and then to scan that project's files.

"I told Apple about this backporting problem then and they didn't listen
and I didn't listen either, because we didn't find the bug by looking at changelogs,
we found it with source code analysis," Miller said.

Although the focus of the PWN2OWN contest was on zero-day flaws, the fact that
Miller exploited a flaw that was unpatched in Apple's products was enough to
earn him the prize, conference organizers say.

That's a good thing, because when asked if he planned to return the prize money,
Miller shot back the following: "No way. It's not my fault they don't fix
their bugs."

IDG News Service