Apple's Safari will fall first at hacker contest, past winner predicts
Charlie Miller, who will defend his title this month, calls Safari 'an easy target'
Computerworld - Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today.
"It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.
"It might be because I'm biased about the things I'm good at, but it's the easiest browser [to hack]," Miller said.
PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, will pay $5,000 for each new bug successfully exploited in Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. IE8, Firefox and Chrome will be running on a Sony notebook powered by Windows 7, Microsoft's still-under-construction operating system, while Safari and Firefox will be available on a MacBook.
"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."
Another factor making Safari easy pickings, said Miller, is Apple's Mac OS X, which lacks the workable defenses found in Windows Vista and Windows 7, including address space randomization -- which Microsoft calls "address space layout randomization," or ASLR.
Put Safari atop Mac OS X, and the target's too good to pass up, said Miller.
IE8 and Firefox will escape unscathed, Miller predicted, adding that a quick cost-benefit analysis tells him they'll be safe. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said. As for Chrome, he pleaded ignorance, saying that he didn't know enough about the browser to even provide a prediction. His gut instinct, however, is that Google's browser will also survive.
Miller has also been sharpening his mobile device vulnerability and exploit skills -- he was the first researcher to uncover a security bug in Google's Android operating system -- and therefore will take a stab at the second PWN2OWN contest. That challenge will pit researchers against five smartphone operating systems, including Windows Mobile, Android, Symbian, and the operating systems used by the iPhone and BlackBerry. TippingPoint will pay double, or $10,000, for each bug exploited at the contest.
"I'll be trying to break Safari," said Miller. "If I say it's easy, I have to try, right? But I also want to show my stuff on mobile."
He declined to say which smartphone he will target. It's likely, however, that he'll be looking at the iPhone; Miller was one of three researchers who found the first iPhone vulnerability, just weeks after the device's mid-2007 debut.
Nor would Miller get specific about the vulnerabilities he has in mind or is investigating. "You pretty much have to show up [with a vulnerability and exploit] and be ready to go," said Miller. "The great thing about PWN2OWN is that it's not just about finding bugs, but about finding bugs that can be exploited, and then coming up with an exploit."
Miller works as a principal analyst at Independent Security Evaluators LLC, a security consulting firm, and said he is looking forward to the contest, which kicks off March 18. "I have to defend my championship, don't I?"
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts