When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.

The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple's Safari browser, which Miller hacked to win the contest.

Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.

In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.

Although Apple's Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple's computers.

Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.

In an e-mail interview, Miller confirmed that the bug he'd exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it "completely independently."

Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.

It is very common for developers to incorporate someone else's software library into their program and then not properly add all the latest bug fixes, said Dragos Rui, one of the organizers of the PWN2OWN contest.

However, Apple should have done a better job of staying on top of the software it was shipping. "This is a black mark on their security team, but it's a common problem," he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.

An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.