With the infamous PWN2OWN contest drawing ever closer, the heat is ramping up. This year’s instalment pits Apple’s Safari (on the Mac), Google’s Chrome, Internet Explorer 8, and Firefox (all on Windows 7) against one another, while also allowing crackers to take on mobile platforms. Last year’s winner, Charlie Miller, who won by cracking Mac OS X within minutes, says Safari on the Mac will be the first to fall.
“It’s an easy target,” Miller stated, “Apple’s products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats. With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is.” He also added that what makes Safari an even more attractive target is the fact that it runs on Mac OS X, which he states lacks several security features that Windows Vista and Windows 7 do have, such as address space randomisation. “Put Safari atop Mac OS X, and the target’s too good to pass up,” he said.
Miller also said that he believes Internet Explorer 8 and Firefox will survive the contest unscathed. He is not sure about Google’s Chrome, since he’s not too familiar with the browser, but he believes it won’t be cracked either.
Miller is not some random cracker – he has an impressive list of exploits he has uncovered, such as the first exploit on the iPhone, just weeks after its launch, as well as the first one on Google’s Android platform. As such, he will also take a stab at the mobile part of the contest, which pits Symbian, the iPhone, Windows Mobile, Android, and Blackberry against one another. He didn’t say which platform he’d target, but my guess is it would be either Android or the iPhone, seeing his past successes on these platforms.
The PWN2OWN contest will start March 18. Each uncovered exploit in the browser contest will raise 5000 USD, while the mobile contest will raise 10000 USD. Whether or not Miller’s predictions come true remains to be seen, but his track record proves he knows what he’s talking about. While I generally like the PWN2OWN contest, I do have to wonder why they chose Windows 7 – it’s in beta, after all. Sadly, it’s not possible to create a level playing field by using the latest Snow Leopard seed.
The title of this post is really misleading. You’re using “:” as “predicts” when it could easily mean “says” or “reports”. I would change it to “predicts”.
The title was pretty clear that Miller was making a comment. The article goes on to explain that the statement was a prediction. It’s best not to nit pick about these things though.
The title does appear to be speaking in the past tense, though. I would personally change it to something along the lines of:
“Safari on Mac First to Fall During PWN2OWN Contest,” Charlie Miller predicts
(assuming the headline is a direct quote, that is).
No Opera? Come on.
Anyway, Firefox will be the next to go after Safari. There are a few exploits (known to the core devs) that I am sure others know about but haven’t publicly disclosed. Chrome is a true toss-up; it’s new enough to not be stress tested by the industry, but that also makes it a little harder to exploit (lack of knowledge).
As for the mobile stuff, Win Mobile is still based on IE6; it will go down fast.
Yeah! Why not Opera too???
The simple fact is that if he(they) can’t get Firefox or Chrome, there’s no way in hell they’ll get Opera.
Remember, it’s easy targets he’s going for and Opera wouldn’t be easy. Opera is like Linux, not worth the time according to this guy.
Edited 2009-03-06 00:07 UTC
…maybe they should test Safari 4 instead of Safari 3? I suppose the reason they’re using Windows 7 is because we all really know that Windows 7 is what Vista was supposed to be, they just needed to get something out the door to shut people up so they shovelled out the … Vista.
Who said they weren’t testing Safari4? Nobody said otherwise. Nice assumption you have made there (congratulations).
Secondly, the only real objections being made against Vista were UAC (which is no different to policykit in Linux and equally as annoying), the speed (because at the time, most people had integrated graphics cards which couldn’t support aero) and the drivers (which isn’t Microsoft’s fault). The biggest change made in Windows 7 is the perception by the crowd. Whilst every Vista owner agrees there are some nice changes, overall, the difference this time is mainly that people are walking in with a possible attitude. The most vocal people this time seem to be Windows XP users, not Vista users.
I tend to agree with this article’s conclusions though. Leopard server really proved it to me. Mrhasbean, FYI, Apple QA is so bad that nothing in Mac OSX Leopard Server worked properly on the first release. It was in fact less stable, and less usable than early Vista Betas. I am not joking, Apache worked, but everything else had serious problems (and even the Apple Fax modem froze Leopard server). And no, I wasn’t the only person who found it to be so. It really showed to me some of Apple’s QA skills.
Other things that clearly showed that QA at apple sucks is :
– Airport constantly breaking in 10.4.x. It rarely worked perfectly for anyone
– Network (Finder) constantly breaking entirely in 10.4.x. Never found anyone where it worked well..
– Radius being mostly unusable in early 10.5.x (might be fixed by now)
– A spammer sent us an email once to the sales mailing list. Every 10.5.1 Mail client instantly became unusable. I had to clear the emails off each account on the server manually (in fact, that worries me because some of our clients were running hundreds of Mac’s).
– Apple discourages good security practices.. They prefer to pretend as though OSX isn’t vulnerable to anything
– Safari isn’t really known for its stability..
Safari will die first, but #2 is certainly open for debate. Firefox I believe is moving forward so rapidly, and is becoming so broad-scoped that it has a good chance of breaking soon after Safari.
IE progress is so incredibly slow (and it has been combed over so many times by so many hackers), that I think it will be cracked, but not that quickly honestly. That’s not a good thing though. IE8’s getting closer to standards compliance, but the difference is the same between a Segway and a Ferrari really. But I must agree some of the new IE8 features do look nice (although, it’s still not enough for me).
“Airport constantly breaking in 10.4.x. It rarely worked perfectly for anyone ”
Never had a problem with Airport.
“Network (Finder) constantly breaking entirely in 10.4.x. Never found anyone where it worked well.. ”
Worked most of the time for me, works all the time until now with Leopard.
“Radius being mostly unusable in early 10.5.x (might be fixed by now) ”
No problem with it, but I understand that some may have issues.
“A spammer sent us an email once to the sales mailing list. Every 10.5.1 Mail client instantly became unusable. I had to clear the emails off each account on the server manually (in fact, that worries me because some of our clients were running hundreds of Mac’s). ”
Never had that, never heard similar case.
“Apple discourages good security practices.. They prefer to pretend as though OSX isn’t vulnerable to anything ”
Really? You don’t know what you are talking about:
http://www.usenix.org/events/lisa08/tech/hubbard_talk.pdf
http://images.apple.com/server/macosx/docs/Leopard_Server_Security_…
http://images.apple.com/server/macosx/docs/Leopard_Security_Config_…
“Safari isn’t really known for its stability.. ”
What’s the proof of that?
“Other things that clearly showed that QA at apple sucks is : ”
Yes sure:
http://www.insanely-great.com/news.php?id=10167
So question? Why don’t you stop trolling?
“It’s an easy target,” Miller stated, “Apple’s products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats. With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is.”
Miller is again talking nonsense in his usual anti-Apple speech. Should I recall that the flaw that he exploited last year was not a specific Safari issue but a webkit (already then used by a lot of other projects) issue that he knew existed, since the issue was related to a flaw in the PCRE library originally derived from Perl? The issue was public and he just had to go and look at the source code of webkit to check if it was affected. And yes it was, but he didn’t do anything amazing; he had the source code. That’s after all the benefit of open source code: bugs can be found in an easier way.
So that really makes completely pointless what he is saying now; this is just anti-Apple crap.
Now I am sure that someone here will tell me, yeah but the flaw was in webkit, Apple was responsible for it, bla, bla. Actually even if you could argue that the webkit team should have found the issue before it was discovered, as the PCRE code was refactored in webkit, the bug was not introduced by webkit, but indeed was present in PCRE well before.
The issue was present in webkit in the file pcre_compile.cpp, the code correction was:
before:
    if (maxRepeats > 0) length += (maxRepeats - 1) * (duplength + 3 + 2 * LINK_SIZE);
after:
    if (maxRepeats > 0) {
        repeatsLength = multiplyWithOverflowCheck(maxRepeats - 1, duplength + 3 + 2 * LINK_SIZE);
        if (repeatsLength < 0) {
            errorcode = ERR16;
            return -1;
        }
        length += repeatsLength;
        if (length > MAX_PATTERN_SIZE) {
            errorcode = ERR16;
            return -1;
        }
    }
and
before:
    length += (minRepeats - 1) * duplength;
    if (maxRepeats > minRepeats) /* Need this test as maxRepeats=-1 means no limit */
        length += (maxRepeats - minRepeats) * (duplength + 3 + 2 * LINK_SIZE)
            - (2 + 2 * LINK_SIZE);
after:
    repeatsLength = multiplyWithOverflowCheck(minRepeats - 1, duplength);
    if (repeatsLength < 0) {
        errorcode = ERR16;
        return -1;
    }
    length += repeatsLength;
    if (maxRepeats > minRepeats) { /* Need this test as maxRepeats=-1 means no limit */
        repeatsLength = multiplyWithOverflowCheck(maxRepeats - minRepeats, duplength + 3 + 2 * LINK_SIZE);
        if (repeatsLength < 0) {
            errorcode = ERR16;
            return -1;
        }
        length += repeatsLength - (2 + 2 * LINK_SIZE);
    }
    if (length > MAX_PATTERN_SIZE) {
        errorcode = ERR16;
        return -1;
    }
Plus some other lines of code were added to implement those changes. The issue was that regular expressions with large nested repetition counts can have their compiled length calculated incorrectly, and the corrected code checks for overflow when dealing with nested repetition counts and bails with an error rather than returning incorrect results.
Then by checking the code in the original PCRE, say version 6.5, you could see those lines of code in pcre_compile.c (again the original code was refactored in C++ in webkit but here it does not matter, the code meaning related to the issue is the same in C or C++):
line 4863:
    if (max > 0) length += (max - 1) * (duplength + 3 + 2*LINK_SIZE);
which corresponds to the first part of the code corrected in webkit above.
And line 4874-4877:
    length += (min - 1) * duplength;
    if (max > min) /* Need this test as max=-1 means no limit */
        length += (max - min) * (duplength + 3 + 2*LINK_SIZE)
            - (2 + 2*LINK_SIZE);
which corresponds exactly to the second code correction in webkit above.
Hence the issue was present in the original PCRE and made its way through in webkit.
So given this simple demonstration, Miller’s accusation against Apple and the meaningless arguments associated with it make zero sense. This sounds more like a sensational speech to attract the bad press.
“He also added that what makes Safari an even more attractive target is the fact that it runs on Mac OS X, which he states lacks several security features that Windows Vista and Windows 7 ”
Yes sure, this one really sounds more like an argument for the marketing at Microsoft (maybe even ordered by Microsoft) than a matter of fact. Windows 7 has already lost anyway,
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
The question is will someone use it during the contest? And this is the fundamental issue with this sort of contest: it should not be considered a good indicator of the security of a given platform; they are only showing which platform is targeted first during a security contest. Then this will depend on which one will produce the most sensational report in the press…..
“he has an impressive list of exploits he has uncovered, such as the first exploit on the iPhone”
That was also related to webkit, an open source project, what is amazing exactly?
By the way, Miller should also look at this
http://www.usenix.org/events/lisa08/tech/hubbard_talk.pdf
Edited 2009-03-06 09:25 UTC
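The overflow that the before/after snippets in the comment above guard against, as an added C example that is not part of the original comment and is not WebKit or PCRE code. It uses a simplified model in which each nesting level repeats everything inside it; the values of `LINK_SIZE` and `MAX_PATTERN_SIZE`, the body of the check helper and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINK_SIZE 2                     /* assumed value for this sketch */
#define MAX_PATTERN_SIZE (1024 * 1024)  /* assumed limit for this sketch */

/* Hypothetical stand-in for the helper named in the comment: returns a * b,
   or -1 if an operand is negative or the product would exceed the limit. */
static int multiply_with_overflow_check(int a, int b)
{
    if (a < 0 || b < 0) return -1;
    if (a == 0 || b == 0) return 0;
    if (a > MAX_PATTERN_SIZE / b) return -1;  /* test by division, before multiplying */
    return a * b;
}

/* True length in 64-bit arithmetic; wide enough for the few levels used here. */
static int64_t length_exact(int base, const int *max_repeats, size_t levels)
{
    int64_t length = base;
    for (size_t i = 0; i < levels; i++) {
        int64_t duplength = length;     /* simplified: repeat everything so far */
        if (max_repeats[i] > 0)
            length += (int64_t)(max_repeats[i] - 1) * (duplength + 3 + 2 * LINK_SIZE);
    }
    return length;
}

/* The "before" arithmetic in 32 bits. uint32_t makes the wraparound well
   defined in C (signed int overflow is undefined behaviour). */
static uint32_t length_unchecked32(int base, const int *max_repeats, size_t levels)
{
    uint32_t length = (uint32_t)base;
    for (size_t i = 0; i < levels; i++) {
        uint32_t duplength = length;
        if (max_repeats[i] > 0)
            length += (uint32_t)(max_repeats[i] - 1) * (duplength + 3u + 2u * LINK_SIZE);
    }
    return length;
}

/* The "after" arithmetic: every product and running total is bounded. */
static int length_checked(int base, const int *max_repeats, size_t levels)
{
    if (base < 0 || base > MAX_PATTERN_SIZE) return -1;
    int length = base;
    for (size_t i = 0; i < levels; i++) {
        if (max_repeats[i] <= 0) continue;
        int repeats_length =
            multiply_with_overflow_check(max_repeats[i] - 1, length + 3 + 2 * LINK_SIZE);
        if (repeats_length < 0) return -1;
        length += repeats_length;
        if (length > MAX_PATTERN_SIZE) return -1;
    }
    return length;
}

int main(void)
{
    const int nested[] = { 65535, 65535 };  /* constructed: two nested max-count repeats */
    printf("exact=%lld wrapped=%lu checked=%d\n",
           (long long)length_exact(2, nested, 2),
           (unsigned long)length_unchecked32(2, nested, 2),
           length_checked(2, nested, 2));
    return 0;
}
```

With the unchecked arithmetic the computed length silently disagrees with the true one, so any buffer sized from it is wrong; the checked form rejects the pattern instead.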
Errrr, that’s a lovely post and all but the fact is that Safari was the only browser to run scripts that the user downloaded and ran them without any prompting – and it passed right through QA. You do the maths.
That’s what I said eight hours ago 🙂
Also I’d like to clarify: The bit at my end about “Why doesn’t he support the underdog for once” wasn’t trying to discount Safari’s security problems or criticise the security researcher. It was just a slightly humorous way of saying “He’s right” 🙂
Spooky. I’ve just read your post below ;-).
It’s obvious really. Safari is just like Outlook or something else all over again – trying to be helpful by running stuff that you download automatically. Then there’s the whole dashboard thing to have a pop at……… I don’t know why people don’t get that the law of averages is against you there.
Let’s face it.
Stick a normal user in front of any piece of software and they’re going to destroy it with their stupidity. Doesn’t matter how secure it is.
As for the tests, last year no one could crack them, it was only after relaxing the rules of what you could actually do were they cracked.
They test all the latest browsers apart from Apple’s, and they don’t test Opera’s latest either.
Doesn’t exactly seem like a fair test to even begin with, so why even warrant the results.
[…]the fact that it runs on Mac OS X, which he states lacks several security features that Windows Vista and Windows 7 do have, such as address space randomisation
Darwin 9 (Mac OS X 10.5) added address space layout randomization in October 2007.
http://en.wikipedia.org/wiki/Darwin_(operating_system)#Releases
From wikipedia:
“Apple introduced randomization of some library offsets in Mac OS X v10.5, presumably as a stepping stone to fully implementing ASLR at a later date. Their implementation does not provide complete protection against attacks which ASLR is designed to defeat.”
“Apple introduced randomization of some library offsets in Mac OS X v10.5, presumably as a stepping stone to fully implementing ASLR at a later date. Their implementation does not provide complete protection against attacks which ASLR is designed to defeat” from wikipedia
Ah. I guess that’s the kind of thing I would know if I read the articles I link to in my comments.
Thanks, both of you, for pointing it out.
Man, I don’t want to be rude, but I’m no longer able to stand people like you who just google “OS X Address Space Randomization” and spit a link. I’m sure that you don’t even know/understand what Address Space Randomization is.
This kind of comment can possibly wrongly inform readers like me who then assume, based on your comment, that OS X has Address Space Randomization.
Hi Vai777,
I understand your frustration, but I won’t admit to being guilty to all of your charges. When I first read the article I remembered having read some time ago that some version of Darwin introduced address space randomization. I checked Wikipedia’s version history to find when that was and posted the link.
And I wasn’t completely wrong. Here is from Apple about this feature in Mac OS X 10.5 (http://www.apple.com/macosx/features/300.html#security):
One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.
However, the Wikipedia article on ASLR, which is linked from the article I linked to and I should have read, points out that the Leopard implementation is incomplete. This was discovered by a third party; specifically (http://www.matasano.com/log/981/a-roundup-of-leopard-security-featu…):
The dynamic linker library (dyld) is not randomized. From what I can tell, ten different Leopard macs booted at ten different times will have the same offset to dyld.
And, also, while many library offsets are randomized, the heap and stack appear not to be (http://www.matasano.com/log/986/what-weve-since-learned-about-leopa…).
I didn’t think this was so bad at first because Wikipedia indicates that OS X supports the NX bit, but it appears they only do so on the stack and not the heap.
If I remember correctly the flaw they exploited last year was in Flash and was browser and OS independent. I’m not sure why Safari is considered a bigger target this year than other browsers.
Because it’s a hacking contest, we people mostly enter for pride and fame (hacking a considered ‘unbreakable’ (closed) Mac OS X gets you more karma than breaking an already broken Windows or an open source system).
*OR*
It demonstrates a dirty secret that Mac OS X has already been compromised and that users are not/less aware of it because *everybody* knows that there is no virus on Macs (if you think you did find one, it might be a “feature”, sorry for this).
Karma has nothing to do with it. The Law of Cause and Effect is once again being misused.
“It demonstrates a dirty secret that Mac OS X has already been compromised and that users are not/less aware of it because *everybody* knows that there is no virus on Macs (if you think you did find one, it might be a “feature”, sorry for this).”
I get sick and tired of seeing people spew out this stuff. I have been using and working on computers for almost 40 years now and I have used OS X for the last 5 years now. I also know a number of other OS X users and most of them do not “know” that there are no virus files for Macs. In fact it has been my experience that a higher percentage of Windows users “know” they do not need AV and firewall protection. So let’s cut the crap and get down to business.
Safari probably will fall first, but not for the reasons Miller gives. The nature of the contest ensures that the most attention will be focused where the glory is. And as has been mentioned already, there is little glory in hacking an OS that has been hacked so many times that one more instance is not particularly news.
There is no such thing as a 100% secure OS and probably never will be. The real problem is not with Windows, or OS X or Linux or any mainstream OS for that matter. As a technology writer once wrote years back, “I could send out an email with an attachment called thisisavirus.exe” and some people would open it.
Real security lies between the brain and the keyboard. Unfortunately most computer users turn the brain off when they sit down in front of their computer.
Saying that Safari is likely to be the first browser to be pwned is the LEAST gutsy statement you could make about computer security.
Safari was the only web browser in existence to automatically run shell scripts that the user downloaded, without prompting. If that “feature” could get through QA without raising eyebrows, who knows what other bad security mistakes are still in the browser?
The same programmers and QA department behind Safari also write an operating system that Safari’s security is going to be tested on. Safari being the first to fall is an easy statement to make because it’s the most likely conclusion.
So, Mr Miller, why don’t you support the underdog for a change?
But. That’s. What. Happened.
IIRC wasn’t Safari cracked because of the Flash plugin? I understand as so far that it is Apple’s responsibility for what they bundle with their operating system but at the same time it is a pretty low blow to blame a plugin, specifically, a third party plugin which the vendor has no source code access to, for a security hole that appears.
This is the same sort of nonsense I see occur when Microsoft products are apparently ‘cracked’ only to find that it is the result of a shoddy third party application or plugin installed. Unless they have the source code of the application and the ability to fix it up directly themselves (that is, they’re not reliant on third parties) – it is a pretty low blow to blame a vendor due to crappy third party software.
Regarding security; both MacOS X and Windows offer security features that not only do third parties fail to use but also the operating system vendors too; so security is a two way street – if the operating system provides a raft of features to secure the system and a third party flat out refuses to support them – whose fault is it? The operating system vendor who makes great technology available to secure their system or the third party who refuses to take advantage of it?
You got confused. Vista was cracked with Flash. Mac OS X got cracked without any 3rd party software.
Your point remains valid, though.