Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Mid-Market CIO Panel: Strategies for Improving Vendor Relationships — presentation and summary
Mid-market CIOs and their strategic IT vendors experience a lingering disconnect and often disappointing relations. But there is a growing mutual interest to forge stronger partnerships in preparation for economic recovery. Download the presentation and summary from the July 15 panel call at: http://cioec.com/s/ye3mmr
Mid-Market CIO/IT Vendor Relations Playbook — FREE EXCERPT
This is an excerpt, essentially the first 10 pages, of the 45-page Playbook, which offers experiences from CIOs at over 100 mid-market companies on how CIOs and their IT vendors can build better partnerships.
Secrets of Successful Vendor Contract Negotiations for the Mid-Market
Sept. 16, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)
On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.
Executive Competencies Assessment Tool
Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.
Learn more about the CIO Executive Council »Apply today for a FREE subscription to CIO Magazine!
April 21, 2008 — IDG News Service —
When Charlie Miller won US$10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest.
The flaw, it turns out, lay in an open-source software library called the Perl Compatible Regular Expressions (PCRE) library, which is used by many products including Apache, the PHP scripting language, and Apple's Safari browser, which Miller hacked to win the contest.
Miller won $10,000 and a new Macbook Air last month after hacking into the laptop in a matter of minutes. The PWN2OWN contest invited hackers to try to install unauthorized software on fully patched Mac OS X, Windows and Linux computers using previously undisclosed "zero-day" flaws.
In an e-mail interview, security researcher Chris Evans said he found the bug, which he publicly disclosed in November 2007. PCRE developers fixed the bug months earlier while writing an incomplete fix for the issue in the May 2007 PCRE 6.7 product, Evans said.
Although Apple's Safari browser uses the PCRE software library, the company did not patch its version of the library until late last week. That means that an astute hacker who had noticed the fix in PCRE 6.7 would have been given an early tip on how to hack into Apple's computers.
Discovering a software bug is the first step toward figuring out how to use that flaw in an attack, but not every flaw leads to a successful exploit.
In an e-mail interview, Miller confirmed that the bug he'd exploited was the same one that was patched in PCRE 6.7, but said that researchers at his company, Independent Security Evaluators, had found it "completely independently."
Miller found another PCRE bug that allowed him to be the first hacker to break into the iPhone after it was launched last year.
It is very common for developers to incorporate someone else's software library into their program and then not properly add all the latest bug fixes, said Dragos Rui, one of the organizers of the PWN2OWN contest.
However, Apple should have done a better job of staying on top of the software it was shipping. "This is a black mark on their security team, but it's a common problem," he said. The same kind of issue has popped up frequently with products that use the zlib and JPEG compression libraries, he added.
An Apple representative could not immediately comment for this story, saying that he would have to first research the issue.