About | Buy Stuff | Industry Watch | Learning Curve | Products | Search | Twitter
Home » Industry WatchThe Technological) (» Hall of Monkeys) (» Heroes Banquet)

Black Apples

Not even Charlie believed they'd be this arrogant and irresponsible.


Buy It

Try It

Charlie Miller's hack at CanSecWest used the same attack vector as his exploit of the iPhone a year ago. Even Charlie didn't believe Apple would still be slacking off here. But the opening he found was already accessible to Apple and in typical fashion Apple decided to do absolutely nothing about it.

Google Security

Chris Evans of the Google Security team found the bug a year ago. Bad regular expressions can cause calculation overflows.

/* Compute the size of data block needed and get it, either from malloc or externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);
re = (real_pcre *) (pcre_malloc) (size);

Chris Evans offers the following for a crash demo.

(?P)(?P<0>)(?P<1>)...fill in this sequence...(?P<3999>)

More Trouble

But there's more. Here's another example Evans cites where bad regexes can cause overflows.

if (min == 0)
    {
    length++;
    if (max > 0) length += (max - 1) * (duplength + 3 + 2*LINK_SIZE);
    }
...
    else
    {
    length += (min - 1) * duplength;
    if (max > min)   /* Need this test as max=-1 means no limit */
      length += (max - min) * (duplength + 3 + 2*LINK_SIZE)
        - (2 + 2*LINK_SIZE);
    }

Chris Evans found these flaws in a Google module a year ago and released his advisory on 7 November 2007.

Apple did next to nothing.

Common Pool

Chris Evans told the PCRE people about the bug before the release of version 6.7. Only after Charlie Miller humiliated iPhone security did Apple rush to finally patch their PCRE component. But what's interesting is how open source software propagates inside Cupertino. Or doesn't. It's sort of like a 'pool' - not everyone keeps an eye on things.

It's namely the WebKit people who are the direct conduit to PCRE; the rest of the ace programmers in the Bloop get their PCRE code from a 'forked' version the WebKit people make; and as everybody knows it takes little time to copy in a ready to go open source module but way too much time to first paint it beige before deploying it.

No Comment!

Representatives of Apple's WebKit team have been approached and asked to explain how a gaffe like this could happen. Their only comment so far has been a blank 'no comment' - a rather novel approach for an 'open source' team to say the least.

Black Mark

Apple did a bad job of keeping their products secure, says Dragos Ruiu of PWN2OWN. 'This is a black mark on their security team.'

Indeed. But the root cause is not the security people themselves. Instead it's the way software production is currently organised under Bertie.

Charlie's Higher Thoughts

Even Charlie Miller didn't think Apple would be this arrogant and irresponsible: a year earlier he showed Apple - and the world - how easy it was to hack into Apple software. Could Apple a full year later still do nothing about their great weakness? Charlie didn't give it a thought.

'I told Apple about this backporting problem then and they didn't listen and I didn't listen either, because we didn't find the bug by looking at changelogs, we found it with source code analysis', Charlie told IDG's Robert McMillan.

Caveat Apple Software User

What users of Apple's operating system have to keep in mind is that this exploit - as countless others - was 'out there' a year before Apple acted on it. And they only acted on it because Charlie Miller again caught them with their knickers down.

What users of Apple's operating system have to keep in mind is that although Unix is more secure than Windows will ever be bugs are found in countless modules being added all the time and 'postmodern hackers' aren't in it for fun or to create a widespread epidemic. Apple make it too easy for them to hack you right now without your knowing it.

What users of Apple's operating system have to keep in mind is that Apple's counterpart to Microsoft's 'Patch Tuesday' with fixes once per month is in some cases more like 'Patch 2008' with fixes once per year (if that). And although hackers on the Windows side have one month to rush into the gaps hackers on the Apple side can have all the time in the world.

What users of Apple's operating system have to keep in mind is that although Charlie Miller is great he's never necessarily the first.

What users of Apple's operating system have to keep in mind is that this is not the way open source is supposed to work. The rest of the open source community keep up to date really fast - and before they reveal where those bugs have been most hackers won't know of them.

But Apple continue to be:

  • Insular;
  • Secretive;
  • Hostile to true 'open source' thinking;
  • Bloody obsessed with their pathetic beige box which died ten years ago.

Apple continue to rig the game and play 'bait and switch' and it's their users who pay the price.

See Also
Rixstep's Industry Watch: Two Minute Toast
Chris Evans/Scary Beasts: CESA-2007-006 PCRE Integer/Buffer Overflows
Robert McMillan/IDG News: Mac Hack Contest Bug Had Been Public for a Year

About | Buy Stuff | Industry Watch | Learning Curve | Products | Search | Twitter
Copyright © Rixstep. All rights reserved.