Apple's Safari will fall first at hacker contest, past winner predicts
Charlie Miller, who will defend his title this month, calls Safari 'an easy target'
Computerworld - Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today.
"It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.
"It might be because I'm biased about the things I'm good at, but it's the easiest browser [to hack]," Miller said.
PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, will pay $5,000 for each new bug successfully exploited in Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. IE8, Firefox and Chrome will be running on a Sony notebook powered by Windows 7, Microsoft's still-under-construction operating system, while Safari and Firefox will be available on a MacBook.
"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."
Another factor making Safari easy pickings, said Miller, is Apple's Mac OS X, which lacks the workable defenses found in Windows Vista and Windows 7, including address space randomization -- which Microsoft calls "address space layout randomization," or ASLR.
Put Safari atop Mac OS X, and the target's too good to pass up, said Miller.
IE8 and Firefox will escape unscathed, Miller predicted, adding that a quick cost-benefit analysis tells him they'll be safe. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said. As for Chrome, he pleaded ignorance, saying that he didn't know enough about the browser to even provide a prediction. His gut instinct, however, is that Google's browser will also survive.
Miller has also been sharpening his mobile device vulnerability and exploit skills -- he was the first researcher to uncover a security bug in Google's Android operating system -- and therefore will take a stab at the second PWN2OWN contest. That challenge will pit researchers against five smartphone operating systems, including Windows Mobile, Android, Symbian, and the operating systems used by the iPhone and BlackBerry. TippingPoint will pay double, or $10,000, for each bug exploited at the contest.
"I'll be trying to break Safari," said Miller. "If I say it's easy, I have to try, right? But I also want to show my stuff on mobile."
He declined to say which smartphone he will target. It's likely, however, that he'll be looking at the iPhone; Miller was one of three researchers who found the first iPhone vulnerability, just weeks after the device's mid-2007 debut.
Nor would Miller get specific about the vulnerabilities he has in mind or is investigating. "You pretty much have to show up [with a vulnerability and exploit] and be ready to go," said Miller. "The great thing about PWN2OWN is that it's not just about finding bugs, but about finding bugs that can be exploited, and then coming up with an exploit."
Miller works as a principal analyst at Independent Security Evaluators LLC, a security consulting firm, and said he is looking forward to the contest, which kicks off March 18. "I have to defend my championship, don't I?"
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- Protecting Point of Sale Systems from Targeted Attack
- If you are responsible for protecting retail systems, download this case study to learn how this retailer eliminated the threat of malware on...
- From the Frontline - Preventing APT
- Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
- Stop Hackers Before They Attack
- Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
- The four rules of complete web protection
- As an IT manager you've always known the web is a dangerous place. But with infections growing and the demands on your time... All Cybercrime and Hacking White Papers
- Live Webcast
North Pole to South Seas: Overcoming the Pitfalls of remote Performance - In today's always-on world, connectivity is a business requirement. You need the tools that allow you to operate as if you were on...
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Live Webcast
Banish Poor Application Performance: Eliminate Business Disruptions, Increase End User Productivity - End User Experience, 30-Min Webinar
Wed. Feb. 22nd ~ 11 AM ET
Are you ready to gain the proactive ability to rapidly respond... - WikiLeaks: How am I Affected?
- The latest WikiLeaks episode has raised questions about how organizations and governments protect their sensitive information. While this incident was isolated, it has...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Cybercrime and Hacking Webcasts