Apple's Safari will fall first at hacker contest, past winner predicts
Charlie Miller, who will defend his title this month, calls Safari 'an easy target'
Computerworld - Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today.
"It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.
"It might be because I'm biased about the things I'm good at, but it's the easiest browser [to hack]," Miller said.
PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, will pay $5,000 for each new bug successfully exploited in Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. IE8, Firefox and Chrome will be running on a Sony notebook powered by Windows 7, Microsoft's still-under-construction operating system, while Safari and Firefox will be available on a MacBook.
"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."
Another factor making Safari easy pickings, said Miller, is Apple's Mac OS X, which lacks the workable defenses found in Windows Vista and Windows 7, including address space randomization -- which Microsoft calls "address space layout randomization," or ASLR.
Put Safari atop Mac OS X, and the target's too good to pass up, said Miller.
IE8 and Firefox will escape unscathed, Miller predicted, adding that a quick cost-benefit analysis tells him they'll be safe. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said. As for Chrome, he pleaded ignorance, saying that he didn't know enough about the browser to even provide a prediction. His gut instinct, however, is that Google's browser will also survive.
Miller has also been sharpening his mobile device vulnerability and exploit skills -- he was the first researcher to uncover a security bug in Google's Android operating system -- and therefore will take a stab at the second PWN2OWN contest. That challenge will pit researchers against five smartphone operating systems, including Windows Mobile, Android, Symbian, and the operating systems used by the iPhone and BlackBerry. TippingPoint will pay double, or $10,000, for each bug exploited at the contest.
"I'll be trying to break Safari," said Miller. "If I say it's easy, I have to try, right? But I also want to show my stuff on mobile."
He declined to say which smartphone he will target. It's likely, however, that he'll be looking at the iPhone; Miller was one of three researchers who found the first iPhone vulnerability, just weeks after the device's mid-2007 debut.
Nor would Miller get specific about the vulnerabilities he has in mind or is investigating. "You pretty much have to show up [with a vulnerability and exploit] and be ready to go," said Miller. "The great thing about PWN2OWN is that it's not just about finding bugs, but about finding bugs that can be exploited, and then coming up with an exploit."
Miller works as a principal analyst at Independent Security Evaluators LLC, a security consulting firm, and said he is looking forward to the contest, which kicks off March 18. "I have to defend my championship, don't I?"
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts