The exploit used by Charlie Miller to take a $10,000 prize and a MacBook Air was over a year old, according to several online reports. Researcher Chris Evans originally discovered the flaw used in the CanSecWest contest and reported it in November 2007. Charlie Miller spoke on the record to Robert McMillan of IDG News and confirmed that the flaw Evans reported was exactly the one used at CanSecWest.
Exploit used to pwn the MacBook was almost a year old. (Image: J. Anderson)
The exploit Miller used in the contest was related to PCRE (Perl Compatible Regular Expressions). PCRE is used in PHP, Apache, Nmap, KDE, Postfix and, according to Evans, Apple's Safari browser and the iPhone. The PCRE library is a set of functions that implement regular expression pattern matching. PCRE uses the same syntax and semantics as Perl 5 and comes with its own native API. Included in the library is a set of wrapper functions that correspond to the POSIX regular expression API. PCRE can be used in both open-source and commercial development.
Chris Evans issued an advisory on flaws in PCRE in November 2007. In the advisory, he pointed out that the flaw in question had actually been corrected in an earlier PCRE release in May. “…the problems noted here were actually fixed a while ago in v6.7. However, my colleague Tavis Ormandy has found multiple serious issues in recent versions. You really should use at least v7.3 if you need a secure PCRE,” Evans wrote.
According to an interview Miller gave to IDG, Apple shipped Safari with an out-of-date PCRE library. Apple patched the browser this month, closing the flaw behind the CanSecWest exploit. However, CanSecWest organizer Dragos Ruiu told IDG that it is all too common for a commercial product to ship with bundled libraries like this without keeping them at the latest and most secure version. “This is a black mark on their security team, but it's a common problem,” he said, pointing to previous issues with zlib and JPEG compression libraries.
IDG reports that the contest, aimed at 0-day flaws, considered Miller's attempt valid because the vulnerability, although publicly known, was still unpatched. Another interesting note is that a different flaw in PCRE allowed Miller to crack the iPhone last year.
Is this type of security flaw something a vendor can correct through its own process? Certainly, Apple could have updated PCRE in Safari a long time ago, and it was someone on the Apple security team who dropped the ball on this issue. However, Apple is not alone in this: other vendors have shipped software packages built on open-source components that were seriously in need of patching.
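As an added illustration of the kind of check this story argues for (example code written for this page, not code from the article, from Apple or from the PCRE project), the script below scans a binary blob for an embedded PCRE-style version string and flags anything older than the 7.3 that Evans recommended. The assumed version-string shape (`<major>.<minor> <YYYY-MM-DD>`, the text PCRE's `pcre_version()` returns), the `MIN_SECURE_PCRE` constant and the sample blobs are all assumptions constructed for the example; the function and file names are hypothetical.

```python
"""Audit binaries or bundles for a vendored PCRE copy and compare its embedded
version against a minimum patched release.

Assumption for this example: the library embeds its version as the text
returned by pcre_version(), i.e. "<major>.<minor> <YYYY-MM-DD>". Other
libraries use other markers, so this check only covers PCRE-style strings.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum version Evans called secure in his November 2007 advisory.
MIN_SECURE_PCRE: Tuple[int, int] = (7, 3)

# Version followed by a release date; the date requirement keeps ordinary
# decimals such as "1.5" in unrelated strings from being reported as PCRE.
_PCRE_VERSION_RE = re.compile(rb"\b(\d{1,2})\.(\d{1,2})\s+(\d{4}-\d{2}-\d{2})")

# Constructed sample blobs standing in for shipped binaries; the bytes around
# the markers are filler, not real executable content.
SAMPLE_BUNDLES: Dict[str, bytes] = {
    "old_browser.bin": b"\x7fELF\x02\x01\x01\x00 ... 6.4 2005-09-15 ... \x00\x00",
    "patched_browser.bin": b"\x7fELF\x02\x01\x01\x00 ... 7.3 2007-08-28 ... \x00\x00",
    "stripped.bin": b"\x7fELF\x02\x01\x01\x00 no version markers at all \x00\x00",
}


def find_pcre_version(blob: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the first PCRE-style version string, or None."""
    match = _PCRE_VERSION_RE.search(blob)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(blob: bytes, minimum: Tuple[int, int] = MIN_SECURE_PCRE) -> str:
    """Classify a blob as 'ok', 'outdated' or 'unknown' (no marker found).

    Versions are compared as integer tuples, so 7.10 would correctly rank
    above 7.3; a plain string comparison would get that wrong.
    """
    version = find_pcre_version(blob)
    if version is None:
        return "unknown"
    return "ok" if version >= minimum else "outdated"


def audit(bundles: Dict[str, bytes],
          minimum: Tuple[int, int] = MIN_SECURE_PCRE) -> Dict[str, Tuple[str, str]]:
    """Map each bundle name to (version text, status) for reporting."""
    report: Dict[str, Tuple[str, str]] = {}
    for name, blob in bundles.items():
        version = find_pcre_version(blob)
        text = "none" if version is None else "%d.%d" % version
        report[name] = (text, assess(blob, minimum))
    return report


if __name__ == "__main__":
    for name, (text, status) in audit(SAMPLE_BUNDLES).items():
        print(f"{name:22s} pcre={text:6s} {status}")
```

A result of `unknown` deserves follow-up rather than a pass: a stripped or statically linked copy can still carry the vulnerable code, and only a software bill of materials or the build recipe will say which release went in. The same scan generalizes to any vendored library whose version string has a stable, recognisable shape.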