Friday, April 25, 2008

Hack a Mac...

April 2008

Mac hack contest bug had been public for a year. The winner of last month’s PWN2OWN contest to install unauthorized software on a machine running a fully patched version of the Mac OS X operating system exploited a flaw that had been publicly disclosed nearly a year before the contest. The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products, including Apache, the PHP scripting language, and Apple’s Safari browser, the program that was hacked to win the contest. In an e-mail interview, a security researcher said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product. Although Apple’s Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple’s computers. Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit. In an e-mail interview, the contest winner confirmed that the bug he had exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it “completely independently.”
