When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.
The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple’s Safari browser, which Miller hacked to win the contest.
Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed “zero-day” flaws.
In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.
Although Apple’s Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple’s computers.
Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.
In an e-mail interview, Miller confirmed that the bug he’d exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it “completely independently.”
Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.
It is very common for developers to incorporate someone else’s software library into their program and then not properly add all the latest bug fixes, said Dragos Ruiu, one of the organizers of the PWN2OWN contest.
However, Apple should have done a better job of staying on top of the software it was shipping. “This is a black mark on their security team, but it’s a common problem,” he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.
An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.
Ironically, Miller gave a presentation at the Black Hat security conference last year, arguing that one way to find bugs in Mac OS X would be to look for out-of-date open-source software that ships with the Mac and then to scan that project’s files.
“I told Apple about this backporting problem then and they didn’t listen and I didn’t listen either, because we didn’t find the bug by looking at changelogs, we found it with source code analysis,” Miller said.
Although the focus of the PWN2OWN contest was on zero-day flaws, the fact that Miller exploited a flaw that was unpatched in Apple’s products was enough to earn him the prize, conference organizers say.
That’s a good thing, because when asked if he planned to return the prize money, Miller shot back the following: “No way. It’s not my fault they don’t fix their bugs.”
Updated at 4:03 p.m. PT to correct the spelling of Dragos Ruiu’s name.