A Patch Comparison

ISE's Charlie Miller responds to 'criticism'.

Get It Try It

'Since my talk the biggest complaint I've heard is that I didn't compare the speed at which other vendors released updates to patch vulnerabilities', writes ISE researcher Charlie Miller of his iPhone exploit, subsequent Black Hat briefing, and criticism of Apple's lax security procedures.

'I criticised Apple for failing to patch their open source components in a timely fashion (if at all).'

Charlie's now famous exploit of the iPhone took advantage of the fact that Safari used a version of the Perl Compatible Regular Expression library that was a whole year out of date. A major flaw was found and fixed in July 2006 - but Apple still hadn't got around to working in the new code a year later.

It was this outdated library Charlie and his team at ISE were able to exploit.

In his blog entry today Charlie makes a single comparison - between Apple and venerable Slackware and using the PCRE and the even more dangerously outdated Samba as examples.

PCRE
2007-07-05: PCRE 6.7 released, fixing two vulnerabilities (both cited by ISE)
2006-10-02: Slackware 11 released, incorporating PCRE 6.7
2007-07-31: Apple update PCRE (only because ISE planned to release the exploit and alerted Apple to the fact)

Samba
2007-05-14: Samba 3.0.25 released, fixing at least three vulnerabilities
2007-05-14: Slackware release updated Samba the same day
2007-07-31: Apple release updated Samba 2.5 months later

Digging Deeper

But the above only scratches the surface. PCRE version 7.0 was released on 19 December 2006; version 7.1 came out 24 April 2007; and 7.2 made it out the door 19 June 2007.

All of these could have been incorporated into Apple's security update 2007-07-31. They weren't.

And PCRE as of today (28 August) is now at version 7.3; Apple are still at version 6.7 - four versions behind.

What Else is More Important?

OpenBSD's Theo de Raadt's idea is that there are never exploits without bugs: if you find the bugs you find the exploits. For that reason he has a dozen auditors continually scouring OpenBSD for allocation and overflow errors, logical bombs - anything that isn't written correctly and might go south.

Many of the bugs found in the PCRE, in Samba, in the innumerable open source modules Apple use may be but clerical errors; but as Charlie Miller of ISE demonstrated they can also be far worse.

The code's already there on a silver platter; it needs only be wrapped into yet another security update; not surprisingly Apple customers are increasingly upset and asking Cupertino what else is easier or more important.

Cover Flow?