Apple's Safari will fall first at hacker contest, past winner predicts

Computerworld - Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today.

"It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.

"It might be because I'm biased about the things I'm good at, but it's the easiest browser [to hack]," Miller said.

PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, will pay $5,000 for each new bug successfully exploited in Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. IE8, Firefox and Chrome will be running on a Sony notebook powered by Windows 7, Microsoft's still-under-construction operating system, while Safari and Firefox will be available on a MacBook.

"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."

Another factor making Safari easy pickings, said Miller, is Apple's Mac OS X, which lacks the workable defenses found in Windows Vista and Windows 7, including address space randomization -- which Microsoft calls "address space layout randomization," or ASLR.

Put Safari atop Mac OS X, and the target's too good to pass up, said Miller.

IE8 and Firefox will escape unscathed, Miller predicted, adding that a quick cost-benefit analysis tells him they'll be safe. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said. As for Chrome, he pleaded ignorance, saying that he didn't know enough about the browser to even provide a prediction. His gut instinct, however, is that Google's browser will also survive.

Miller has also been sharpening his mobile device vulnerability and exploit skills -- he was the first researcher to uncover a security bug in Google's Android operating system -- and therefore will take a stab at the second PWN2OWN contest. That challenge will pit researchers against five smartphone operating systems, including Windows Mobile, Android, Symbian, and the operating systems used by the iPhone and BlackBerry. TippingPoint will pay double, or $10,000, for each bug exploited at the contest.

"I'll be trying to break Safari," said Miller. "If I say it's easy, I have to try, right? But I also want to show my stuff on mobile."

He declined to say which smartphone he will target. It's likely, however, that he'll be looking at the iPhone; Miller was one of three researchers who found the first iPhone vulnerability, just weeks after the device's mid-2007 debut.

Nor would Miller get specific about the vulnerabilities he has in mind or is investigating. "You pretty much have to show up [with a vulnerability and exploit] and be ready to go," said Miller. "The great thing about PWN2OWN is that it's not just about finding bugs, but about finding bugs that can be exploited, and then coming up with an exploit."

Miller works as a principal analyst at Independent Security Evaluators LLC, a security consulting firm, and said he is looking forward to the contest, which kicks off March 18. "I have to defend my championship, don't I?"