Mac Hack Vulnerability Had Been Public for Months
By Peter James
Last month, we reported on a Mac hack contest where a Mac was hacked in two minutes flat. Initial reports suggested that Charlie Miller, the security researcher who hacked the Mac, had discovered the vulnerability he used just a couple of weeks before the contest. However, Macworld reports that this flaw had been made public in November 2007 and that Apple had not patched it, allowing Miller to discover it “completely independently”.
The flaw in question affects the open-source PCRE software library, which is used by Safari. Developers corrected the flaw quickly, but Apple didn’t update the library until last week. Whether or not Miller actually discovered this flaw on his own, it shows one of the big problems of Mac OS X and its reliance on third-party software: many flaws and vulnerabilities may be quickly fixed by the developers of this software, but it often takes Apple months to roll the fixes into Mac OS X. Astute hackers can easily find out what has been fixed in the underlying software and be aware that Apple likely hasn’t fixed it as quickly, leading to vectors of attack against Macs.