Nils2Own: 'I want to see security flaws fixed'

VANCOUVER, BC -- Charlie Miller may have dominated the headlines but the undisputed champion of this year's CanSecWest Pwn2Own contest was a hitherto unknown hacker who asked to be identified simply as "Nils."

A day after his perfect sweep, breaking into fully patched default configurations of all three main Web browsers -- Microsoft Internet Explorer, Mozilla Firefox and Safari for Mac OS X -- the researcher sat down with me to explain his motivations, the reasons he opted not to sell the vulnerabilities for big money, and to spread the word that he's looking for a job after completing his studies.

Ryan Naraine: So, who are you?

Nils: My name is Nils. I'm 25 years old and I'm a student at the University of Oldenburg in Germany. I'm currently writing my Master's thesis in computer science.

Why the reluctance to share your last name? No interest in the publicity that comes with this?

Actually, I am in it for the headlines. I'm finishing school in September and I'll be looking for a job. I came here to network and [use Pwn2Own] to show what I can do. The people who are likely to hire me will be here.

The problem with the full name is having all kinds of people try to contact me to talk about buying vulnerabilities. I'm not interested in selling that information to strange people. I understand bugs have value and I've sold bugs before, but only to TippingPoint ZDI, because I want the bugs to be reported to the vendor and I want to see them fixed.

There are people saying you basically gave away "high value" bugs that could have been sold for big money...

Vulnerabilities are only valued highly by companies or organizations who aren't interested in getting them fixed. I don't want to participate in that. I like to see my bugs get fixed. During the two days [at CanSecWest], I was able to sit with vendors like Microsoft and Mozilla to work on getting these things fixed.

[ Charlie Miller: "No more free bugs" ]

I'm not interested in selling bugs to strange organizations. Those are the people paying high prices but they're also not interested in getting them fixed.

Do you specialize in browser vulnerabilities?

I'd say I specialize in client-side bugs. I've reported a lot of client-side bugs [through ZDI], in PDF readers and in Java. But I like to look at problems in browsers. The majority of my reported bugs are in browsers, whether it's IE or Firefox or Safari.

Let's go through your accomplishment here. On a scale of 1-10, how do you rate the difficulty of exploiting these bugs? Start with Safari on Mac OS X...

For that bug, I'd rate it a 5. Not because Safari on Mac is a harder target but because of the kind of vulnerability. I can't say much about it (because of an NDA signed with conference sponsors) but it was harder to find that bug on the Mac. Writing the exploit for Mac was the easy part. Dino [Dai Zovi] had a great quote during his talk [.pdf]: "Exploit writing on the Mac is fun. Exploit writing on Windows Vista is hard work." I totally agree with that.

Mac OS X Leopard did not implement randomization properly so it's very easy to get your exploit to work. I'm looking forward to seeing what they [Apple] do with Snow Leopard.

How about the Firefox on Windows exploit?

Let me correct something. It was a Firefox on Mac OS X vulnerability and exploit. The bug does affect Windows but, honestly, it's way harder to get the code to run reliably on Windows. That's the reason I did my Firefox attack on the Mac. I'm not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily.

For that reason, I'd rate it a 3 in terms of difficulty. The vulnerability was nice. You get a lot of control over what you can do and just execute your code. Just place the code in memory. You can spray it and it'll be in a predictable area. On Mac OS X, there's no ASLR or DEP, so you can just [snaps finger], execute it and it will work.

IE 8 on Windows 7?

I came here with that vulnerability. It's another nice bug but it was really, really difficult to write the exploit because of ASLR and DEP. I had to use some techniques around those mitigations and make a lot of preparation to make it a reliable exploit. It was very, very hard.

Did you use the Dowd/Sotirov techniques from Black Hat last year?

I really appreciated their work [smiles].

Does it affect earlier versions of IE?

I don't know. I wasn't able to trigger it in IE 7. With every new browser version, vendors introduce new features and technologies and make changes to existing technologies. Obviously, with new code comes new risks.

I spoke to Microsoft afterwards. They got a copy of the exploit from my laptop after the contest and they seem really, really eager to get the details quickly and start working on a fix.

[Note: Microsoft has since reproduced and validated the vulnerability and has kick-started its security response process.]

Did you come here with a plan to hit all three major browsers?

Yes. I had the IE 8 and Safari things ready. They were tested ahead of time. I didn't have the Firefox bug completed. I arrived on Sunday and worked through Tuesday to get that exploit ready.

My plan was to hit all the big browser engines. Browsers are insecure and that's my area of interest. Ideally, I want to find a job that allows me to work on client-side weaknesses, either on Windows or Mac OS X.

Last word?

It's best if end users know that they can be exploited on any browser and on any operating system. In general, exploitation on Windows got harder but it's not impossible. All the browser engines are getting better at security. It's much harder to find a vulnerability these days but there are all kinds of other problems with add-ons and third-party dependencies.

People need to know that bad things can happen while you surf the Internet, regardless of what you use. Software vendors should also concentrate on making it harder to exploit flaws. Bugs are always going to be there but they have to work on making it tougher for attackers.
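The interview keeps coming back to DEP and ASLR as the reason the Windows targets were harder than the Mac ones, and closes with the point that vendors, add-on authors included, have to opt into those mitigations. The following is an added example, not code from the article or from Nils: a small parser that reads the DllCharacteristics field of a Windows PE image and reports whether the image was linked with NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR), which is the check a defender runs over a browser and its plugins to see which modules opted out. The flag values and header offsets are from the PE/COFF specification; the sample images are constructed inline and are not real executables; the function names are my own.

```python
"""Report whether a PE image opted into DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE).

Added example for the Pwn2Own interview above; not part of the article.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image is relocatable, so the loader may randomize its base (ASLR)
NX_COMPAT = 0x0100        # image declares itself compatible with DEP / NX
HIGH_ENTROPY_VA = 0x0020  # 64-bit images only: high-entropy ASLR (added after 2009)


def dll_characteristics(image: bytes) -> int:
    """Return the 16-bit DllCharacteristics field of a PE32 or PE32+ image."""
    # DOS stub: 'MZ' magic, e_lfanew at 0x3C points at the PE signature.
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the signature; the optional header follows that.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> dict:
    """Map the raw flag word to the three mitigations a reviewer usually cares about."""
    flags = dll_characteristics(image)
    return {
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: only the header skeleton the parser needs, not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = bytes(20)                        # zeroed COFF file header
    opt = bytearray(96)                     # zeroed optional header, long enough for offset 70
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A browser host linked with both mitigations versus a plugin that opted out of both.
    hardened = build_fake_pe(DYNAMIC_BASE | NX_COMPAT)
    legacy_plugin = build_fake_pe(0)
    for name, img in (("hardened host", hardened), ("legacy plugin", legacy_plugin)):
        print(name, mitigation_report(img))
```

To use it on real files, read the bytes of every module a browser process loads (the host executable plus each plugin and third-party DLL) and flag any module without both bits set. Two caveats: the header only records what the image asked for, so system DEP policy and per-process settings decide what is actually enforced, and a single non-ASLR module in the process is enough to give an attacker a fixed address, which is exactly the kind of add-on problem the interview mentions.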

* Nils2Own headline credit goes to Ivan Krstic. Photo used with permission from Garrett Gee at InfoSec Events.

Topics: Browser, Apple, Hardware, Microsoft, Operating Systems, Security, Software

Talkback

86 comments
  • So it was Firefox on OSX

    because Firefox on <i>Windows</i> was too hard because of the <i>Windows</i> vulnerability mitigation techniques.

    Now run out and get a Mac.

    Please, can we now finally lay the "Mac is more secure" myth to rest?

    On a serious note, the most pressing question still is: Was IE8 sandbox breached? I'm disappointed this wasn't asked.
    honeymonster
    • Doubtful.

      [i]Please, can we now finally lay the "Mac is more secure" myth to rest?[/i]
      ye
    • no, we can't.

      no, we can't.
      cause these kinds of highly specific, highly knowledgeable bugs are only part, and a very small one, of the security risks out there.
      most (if not all) are viruses, trojans and a malware assortment. and on all those, especially on the virus part, no *NIX system has issues.
      so, that's the safety you should worry about.
      do you have to worry about that on your system? then, you're not secure (as one can possibly be).. *Nix systems are.
      lordjeremias
      • Small one, big one....

        It was still cracked. Even easier than Windows. Deal with it.

        You're not allowed to whine "This one's not really that big of a deal", then point out the same kinds of intrusions into Windows systems as proof that MS products have lackluster security.
        rshores
      • FAIL

        Attackers are highly knowledgeable and these kinds of bugs are <i>precisely</i> the kind of bugs they use to exploit you in drive-by attacks.

        <b>For 3 consecutive years</b> this competition has demonstrated what happens when you even out incentives: Mac OSX and Safari are hopelessly buggy, exploitable and unmitigated pieces of low quality software. And worse, the cult leader has misled its members into believing that their OS is impenetrable.

        And it turns out the opposite is true:

        Apple OSX is <b>the</b> OS with the <b>most</b> vulnerabilities. 3 times more than those of Vista!

        Apple OSX is <b>the</b> OS with the <b>fewest</b> and most <b>poorly implemented</b> mitigations and with the <b>worst</b> protection in-depth.

        Apple OSX bug-fixing times are <b>worsening</b> while practically the rest of the industry - including Microsoft - is <b>improving</b>.

        The ONLY thing OSX has had going for it is the fact that it had too small a market share to provide incentive for the bad guys to go after it. But that is changing now.

        Apple OSX is the new swiss cheese operating system. Apple OSX users are the new low hanging fruits. Thanks to Apple they are all as gullible as you.

        honeymonster
        • Bravo, great post. (nt)

          .
          NonZealot
        • @honeymonster

          "For 3 consecutive years this competition has demonstrated what happens when you even out incentives: Mac OSX and Safari are hopelessly buggy, exploitable and unmitigated pieces of low quality software. And worse, the cult leader has misled its members into believing that their OS is impenetrable."

          Funny, the same thing was being said about Windows. Microsoft was known for its lackluster security and response to it. Windows should be a lot harder to crack after 14+ years of being the most hacked OS in history. It only took 14 years.

          "Apple OSX is the new swiss cheese operating system. Apple OSX users are the new low hanging fruits. Thanks to Apple they are all as gullible as you."

          So that means the old swiss cheese OS was Windows, right?
          If OS X is the low hanging fruit, where are all the exploits? And do better than 2 or 3. If you remember, if you have been using computers more than a few years, you would know that Windows NT/2000 was touted as the most secure OS available and led a lot of gullible Windows users into a false sense of security. Turns out that was a load of crap too.
          Axsimulate
          • Doesn't matter what was. All that matters is what is.

            [i]Funny, the same thing was being said about Windows. Microsoft was known for its lackluster security and response to it. Windows should be a lot harder to crack after 14+ years of being the most hacked OS in history. It only took 14 years.[/i]

            The insistence on arguing no longer relevant points is puzzling.
            ye
          • @ye

            Sure it is, it's pointing out his hypocrisy. Microsoft and Windows was/is just as guilty.

            So what you are saying is that it is OK to kick around Apple when Microsoft has done the same thing? Place and time are irrelevant.
            Microsoft has had 14+ years to harden the NT line of Windows. That is nearly twice the amount of time OS X has been available. When the NT line of Windows was the same age OS X is now, it was setting historic levels of security breaches, viruses, trojans, worms, etc.

            I would expect nothing more from you, ye. It's called hypocrisy; google it, you may learn something. Then again, maybe not.
            Axsimulate
          • I suggest you take your own advice. It seems you're unfamiliar with...

            [i]I would expect nothing more from you, ye. It's called hypocrisy; google it, you may learn something. Then again, maybe not.[/i]

            ...the word. To my knowledge few Windows advocates were going around pretending their choice of OS had some inherent security strength over the competition. The same cannot be said of advocates (or Apple itself) for OS X.
            Therefore no hypocrisy to be found.
            ye
          • @ye

            "...the word. To my knowledge few Windows advocates were going around pretending their choice of OS had some inherent security strength over the competition."

            Your joking, right?
            Axsimulate
          • @Ax: you'RE joking?

            OS X is constantly sold by Apple apologists as the answer to all our Windows security problems. Considering that professional hackers have publicly stated that OS X is the [b]easiest[/b] OS to hack, you'd better hope that the Apple apologists fail in their attempts to get everyone to switch over to OS X. Lack of marketshare is the only thing that is currently souring the "low hanging fruit" that is OS X. :)

            In the end, it makes no sense for me to switch from Windows and Linux, OSs that have never given me a single security problem, to OS X, an OS that professional hackers are saying is [b]much[/b] less secure than Windows and Linux.
            NonZealot
          • @Axsimulate: No, I'm not.

            [i]Your joking, right?[/i]
            ye
          • @ye

            Funny, the view is much different on this side of the fence.
            Axsimulate
          • @Axsimulate: I'm not surprised you see it differently.

            Disillusioned people always see things differently from reality.
            ye
          • @ye

            "Disillusioned people always see things differently from reality."

            Yep, you're right, and there are a lot of people on zdnet that will agree that you are the disillusioned one.
            Axsimulate
          • @Axsimulate: I'm sure I could find people who think the world is flat.

            [i]Yep, you're right, and there are a lot of people on zdnet that will agree that you are the disillusioned one.[/i]

            Doesn't make it so.
            ye
          • @ye

            Oh and using your own words "Doesn't matter what was. All that matters is what is."

            Apple claimed that 114,000 Viruses not a Mac was 3 years ago, not today.

            Here is what they claim today

            Are Mac computers secure?

            Yes. While no computer connected to the Internet is 100 percent immune to viruses and spyware, the Mac is built on a solid UNIX foundation and designed with security in mind. The Mac web browser, Safari, alerts you whenever you're downloading an application - even if it's disguised as a picture or movie file. And Apple continually makes free security updates available for Mac owners. You can even have them download automatically.
            Axsimulate
          • Irrelevant.

            [i]Yes. While no computer connected to the Internet is 100 percent immune to viruses and spyware, the Mac is built on a solid UNIX foundation and designed with security in mind.[/i]

            People keep preaching this as if it means something. Yet here we have experts saying it is easier to exploit than a non-UNIX based OS.
            ye
          • According to PROFESSIONALS, Apple screwed up the UNIX foundation

            Even if we take as given that UNIX foundation is better than the Windows foundation, the obvious reply is: so? You could build the most secure vault in the world but if you leave the combination on a post-it right next to the door, it won't keep people out. Apple may have started with a solid foundation but they've added a lot to it, modified a lot of it, and haven't necessarily implemented many (any?) of the features that help keep an OS safe in 2009. Remember that Apple stole BSD back in 2000. Times have changed. Apple obviously hasn't updated their strong UNIX foundation to keep up with the times. If you say otherwise, you'll have to tell us why we should believe you over 2 professional hackers and 2 years where OS X fell before any other OS.
            NonZealot