Enterprise Newsletter
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO Blogs and Discussion
 CIO Web 2.0
 CIO Leader
 CIO Enterprise
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Mid-Market CIO Panel: Strategies for Improving Vendor Relationships — presentation and summary

Mid-market CIOs and their strategic IT vendors experience a lingering disconnect and often disappointing relations. But there is a growing mutual interest to forge stronger partnerships in preparation for economic recovery. Download the presentation and summary from the July 15 panel call at: http://cioec.com/s/ye3mmr

Mid-Market CIO/IT Vendor Relations Playbook — FREE EXCERPT

This is an excerpt, essentially the first 10 pages, of the 45-page Playbook, which offers experiences from CIOs at over 100 mid-market companies on how CIOs and their IT vendors can build better partnerships.

Secrets of Successful Vendor Contract Negotiations for the Mid-Market

Sept. 16, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)

On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.

Executive Competencies Assessment Tool

Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 
News
 

Mac Hack Contest Bug had Been Public for a Year

When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.

 

By Robert McMillan

April 21, 2008 — IDG News Service —

When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.

The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple's Safari browser, which Miller hacked to win the contest.

Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.

In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.

Although Apple's Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple's computers.

Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.

In an e-mail interview, Miller confirmed that the bug he'd exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it "completely independently."

Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.

It is very common for developers to incorporate someone else's software library into their program and then not properly add all the latest bug fixes, said Dragos Rui, one of the organizers of the PWN2OWN contest.

However, Apple should have done a better job of staying on top of the software it was shipping. "This is a black mark on their security team, but it's a common problem," he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.

An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.

 
 
Loading...
 
WHITE PAPERS

Business Service Management Success

This white paper examines BSM essentials that are often overlooked.
 

Enhance Application Quality

Evaluate application mining tools for your own business case.
 

Virtual Tape Solutions

Learn how you can slash up to 30% of your mainframe storage costs while dramatically improving recovery time.
 

Red Hat Enterprise Linux: The Ideal Solution

Learn why Red Hat Enterprise Linux is the ideal solution for enterprises that are facing Sun and SPARC's uncertain future.
 

Web Enabled ECM Solutions

Learn how to address enhanced security requirements and provide long-lasting cost-savings benefits.
 

Global Change in the TV Industry

Capgemini and MediaXchange have captured key insight to the change across the TV industry.
 

WEBCASTS

Capitalize on Your SAP Content

After 18 years of partnership and over 3,000 successful customer deployments, Open Text has become SAP's premier pa...
 

Increasing Profitability with the Sun Glassfish Portfolio

Sun Glassfish Portfolio
 

Managing Client Systems in the Enterprise

Keeping client systems costs under control is just one of the many initiatives IT must address when trying to manag...
 

Webcast with Dan Vesset: Investing in Business Analytics Technology

What exactly is business analytics and why should you care? Dan Vesset of IDC and Gaurav Verma of SAS answer this a...
 

Enterprise Cloud Computing: Ready for Primetime?

The progression toward enterprise cloud computing is happening today, as industry leaders deploy technologies that ...
 

Preparing Your Business Services for the Future

Would you trust your network monitoring tools enough to know when something is truly halting a business service? Wh...
 

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Web-based Collaboration and the Road to Compliance

Enterprise Content Management (ECM) Best Practices

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Using Open Source to Deploy Web Applications

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

White Paper: 8 Key Ingredients to Building an Internal Cloud

Software Executives: Take Control of Your Organization's Code Quality

Craft a Strategy to Lower Your Total Cost of Ownership

A Natural User Interface for Enterprise Applications

On-Demand HR for a Global Organization

Four steps to populate your CMDB.

Delivering Secure and Reliable Data through Spreadsheet Automation

Open Source BI: Inexpensive Solutions for Developers

Gartner Shares Predictions for 2009

Save BIG $$$ Fast. Take Xythos for a spin - FREE test drive Try ECM from Xythos Today.

Trade-In your old printer and save up to $1,000 plus free recycling!

Reduce risk, gain agility. See how Progress can help your business.

64-page prescriptive guide to security, compliance, and IT operations.

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn best practices for successfully implementing BI technology.

Executive Guide: IT Governance and Risk Management

Revolutionizing Enterprise Application Deployment

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Top-line Performance that's Bottom-line Efficient

How Open Source is Changing the Face of Enterprise Software

Oracle's Application Grid Technical Demo

Next Generation Enterprise Applications

A Truly Global HCM System

Learn how to provide complete Business Service Management.

Increase ROI of Your Application Portfolio

Financial Institutions Need Rich Internet Applicatons

Forrester: Implementing Rich Internet Applications

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

Think you can't afford a Cisco Switch? Cisco Catalyst Switches are now more affordable.

Enterprise Payment Security 2.0. What you can do to get your company on track.

Improve ROI, lower TCO and reduce energy consumption.

Get Google Enterprise Search for your business information.

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Accenture IT Consulting: Logical meets technological. More . . .

The Fraudster Economy Model: Operating a Business in the Underground