Safari Hack exploit was public for almost a full year


Last month a MacBook Air was hacked very quickly; you may have heard of it. Well, it turns out that the “zero-day” exploit in Apple’s Safari browser was actually a bug in the open-source software library called Perl Compatible Regular Expressions, or PCRE, which is used by many products including Safari, Apache, and more.

Security researcher Chris Evans told PC World that he found the bug and publicly disclosed it in November 2007. The PCRE developers had actually attempted a fix months earlier, in May 2007, but that fix was incomplete. Which means that as early as May of last year an astute attacker could have dug into this code, found the exploitable flaw, and capitalized on it for almost a full 12 months.

Apple did not patch its version of the library even after this became public knowledge. Someone in Apple’s security department must not have been paying terribly close attention. While I find it slightly upsetting that they didn’t fix this obvious hole when it became public knowledge, it is even more upsetting that it took almost a month after the public hacking of a MacBook Air using this exploit for Apple to actually patch it, even though the upstream fix was already out there and ready to go.

It shouldn’t take that long for something like this to be patched, and it’s obvious that someone on Apple’s security team dropped the ball here. Hopefully, in the future, these things will be caught a bit quicker, because as the Mac becomes a more popular platform, it is quickly reaching a point where it can, and will, be a target for hackers, and I have a feeling our days of being “worry free” about viruses and spyware may soon be coming to an end.

Comments

  1. “… because as the Mac becomes a more popular platform, it is quickly reaching a point where it can, and will, be a target by hackers…and I have a feeling our days of being “worry free” about viruses and spyware may soon be coming to an end.” … FUD!

    So which (anti) virus SW company do you work for?

    TBM

  2. @TBM

    You don’t have to face reality if you don’t want to TBM, but there will come a day when there are viruses and spyware on Macs if Apple doesn’t do a better job patching up holes.

    There will always be holes in software; it’s how quickly they are patched that determines whether malicious software gets out into the wild.

  3. Agreed, but they have been saying that same thing for >6 years! Still nothing!

    I develop SW and know that OS X is light years above and beyond the Windows monstrosity! Apple should respond much, much faster but there was still not a single reported case of an exploit in the wild with this vulnerability.

    Every few months an “industry insider” (read as an (anti)virus expert) gets an article published about the impending doom Mac users face and how they will inevitably have to cave in and buy (their) anti-virus SW. I have 4 Macs (1 Intel and 3 PPC) and a FBSD server in my house and not one virus infection in the last 8+ years (since I threw out my Win 98 PC).

    TBM

  4. @TBM

    I understand, but that doesn’t make me a corporate lackey. :P

    The truth is, one day it will happen. I’m not telling anyone to buy virus software right now. I’m just saying that if Apple doesn’t take the time and responsibility to get this kind of stuff patched when it’s out in the wild, it’s going to happen.
