Last month a MacBook Air was hacked in a matter of minutes at the CanSecWest Pwn2Own contest; you may have heard of it. It turns out that the "zero-day" exploit used against Apple's Safari browser was not a Safari bug at all, but a bug in the open-source Perl Compatible Regular Expressions library (PCRE), which Safari's WebKit engine bundles for its JavaScript regular expressions and which is also used by Apache and many other products.
Security researcher Chris Evans told PC World that he found the bug and publicly disclosed it in November 2007. The PCRE developers had actually touched the same code months before that, in May 2007, but their fix was incomplete. That is the uncomfortable part: a public fix, even a partial one, tells anyone reading the commit history exactly where the weak code lives. From May 2007 onward, an astute attacker could have dug into that code, found the remaining hole, and had close to a full year to capitalize on it before Apple shipped anything.
Apple did not update its copy of the library even after the bug became public knowledge. Someone in Apple's security department must not have been paying terribly close attention. While I find it slightly upsetting that they didn't fix this obvious hole when it became public, it is even more upsetting that it took almost a month after the public hacking of a MacBook Air with this exploit for Apple to actually ship a patch, even though the upstream fix already existed and was ready to go. This is the classic risk of vendoring an open-source library: once you carry your own copy, you also carry the responsibility of tracking every upstream security fix and pulling it in.
It shouldn't take that long for something like this to be patched, and it's obvious that someone on Apple's security team dropped the ball here. Hopefully these things will be caught a bit quicker in the future, because as the Mac becomes a more popular platform it is quickly reaching the point where it can, and will, be a target for hackers. I have a feeling our days of being "worry free" about viruses and spyware may soon be coming to an end.