Author Topic: Questions for Pwn2Own hacker Charlie Miller  (Read 5010 times)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Questions for Pwn2Own hacker Charlie Miller
« on: March 21, 2009, 09:59:56 PM »
Interesting discussion on browser security:

Quote
VANCOUVER, BC — At the CanSecWest security conference here, I got a chance to sit down with Charlie Miller, the researcher who broke into a fully patched MacBook machine using a Safari code execution vulnerability.

We discuss the state of Web browser security, the vulnerability marketplace and the need for anti-exploit mitigations on modern operating systems.

http://blogs.zdnet.com/security/?p=2941
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #1 on: March 21, 2009, 11:29:34 PM »
Hi FwF,

Good link, good write-up too there, surprised that Fx on Windows was so hard to be beaten and it was demonstrated that GoogleChrome or in my case SRWare's Iron built on the same code with the sandboxing is the way for all browsers to go eventually. Impressive,

pol
« Last Edit: March 22, 2009, 12:24:33 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Alan Baxter

  • Guest
Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #2 on: March 21, 2009, 11:35:40 PM »
Quote
Interesting discussion on browser security:

Indeed.  I think it's time to stop bashing Windows security.
Quote
For all the browsers on operating systems, the hardest target is Firefox on Windows.  With Firefox on Mac OS X, you can do whatever you want.  There’s nothing in the Mac operating system that will stop you.
Quote
It’s clear that all three browsers (Safari, IE and Firefox) have bugs.  Code execution holes everywhere.   But that’s only half the equation.  The other half is exploiting it.  There’s almost no hurdle to jump through on Mac OS X.
Quote
The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

Offline polonus

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #3 on: March 22, 2009, 12:21:44 AM »
Hi Alan Baxter,

You are right there. Yes, to exploit Fx on Windows (not to speak about Fx with security extensions like NoScript, Perspectives, RequestPolicy and Firekeeper) is a very hard thing to do. But it is harder on Vista than on XP; that has been a proven fact. WFP has one layer on XP and a virus like Virut can ruin the OS through abusing this feature, while on Vista it was not able to beat the next layer put on top of that, another MUI protection of essential system files.

It is also a fact that MS took browser security seriously only when it got some good competition from alternate browsers like Fx/Flock (Flock still stands in case Fx has succumbed to malware) and the new sandboxing functionality of GoogleChrome (where I rather like to use the SRWare's Iron version without the Google privacy issues attached). I think this browser survived the hacking contest only because of that new feature making it very hard to exploit it. I think eventually it is the way for all browser security to go, a kind of virtual machine that you can throw away with the unwanted (malicious) content at shut-down of the browser,

polonus

CharleyO

  • Guest
Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #4 on: March 22, 2009, 01:12:43 AM »
***

An interesting read. Thanks for the link, Frank.   :)


***

Offline FreewheelinFrank

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #5 on: March 22, 2009, 07:35:25 AM »
I like this quote from the comments section:

Quote
Well, that is true. There are a lot of built in defenses that Windows enabled- data execution prevention, address space randomization and so forth that can be enabled with just compiler flags that are either not present in OS X or quite a bit watered down.

It just comes with the territory- Windows is the bank in a bad neighborhood. They have had folks stop by all the time to rob them so went from security cameras to bullet proof glass around the tellers, to security guards, and so forth. OS X is the bank in nice neighborhood- no one comes by to rob them so they just haven't felt a need to invest in security.

Alan Baxter

  • Guest
Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #6 on: March 22, 2009, 07:43:19 AM »
That's a great analogy, Frank.  Thanks for digging it out.

Offline FreewheelinFrank

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #7 on: March 26, 2009, 09:43:42 PM »
"Nils" gives his comment:

Quote
Legendary bank robber Willie Sutton was made famous for allegedly explaining why he robbed banks with the answer: "Because that's where the money is." So why do cyber crooks attack Web browsers? Because that's where the user is.

But maybe a more accurate answer is: "Because that's where the vulnerabilities are." At least, that was the answer given by a 25-year-old German computer science student known only as "Nils," who last week proudly showcased three brand new exploits for remotely hijacking the most popular Web browsers, including Firefox, Safari and the last beta release of Microsoft's Internet Explorer 8

http://voices.washingtonpost.com/securityfix/2009/03/mac_os_x_top_target_in_browser.html
« Last Edit: March 26, 2009, 10:01:35 PM by FreewheelinFrank »

Offline FreewheelinFrank

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #8 on: March 26, 2009, 09:46:07 PM »
Good question in the comments:

Quote
Pwn2Own
Did they get 'root' when Safari got exploited?

Offline FreewheelinFrank

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #9 on: March 26, 2009, 10:02:58 PM »
Quote
That's a great analogy, Frank.  Thanks for digging it out.

Looks like the bank (robbery) analogy has got legs.

Offline polonus

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #10 on: March 27, 2009, 12:37:12 AM »
Hi FwF,

Can't we say that Fx has lost the browser-war already against the makers of Google Chrome or that adaptation of it I personally like better, e.g. SRWare's Iron? Of course the latter browser does not have the extension tweak-ability like Firefox or Flock, but Firefox now in its development is like the Monster-truck that can't be stopped to take the most-needed-U-turn, they go on in the way set out before and in user friendliness and speed it lost out to the GoogleChrome or SRWare Iron browser. So the real innovation comes from another corner of the Open Source community and open standards. And there where "proprietary-ish" aspects start to sink in, the users should be alert to that. Building in a virtual machine was the golden idea, whereas the cross-breed invention of ActiveX was just the opposite, it meant disaster. GoogleChrome has now built-in protection through the newest Clamwin-av. If it came with ABP and NoScript I would have left the Fx browser immediately, but Google would not support the open source development of this aspect of its browser, because it has another agenda with the browser than enhanced user protection and user privacy concerns - ad-serving is their main source of income. But now we know in what way the new Open Standards browser should be developed,

polonus

Offline FreewheelinFrank

Re: Questions for Pwn2Own hacker Charlie Miller
« Reply #11 on: March 27, 2009, 12:52:51 AM »
No Chrome yet on Linux, so I can't say.

 ;)