Questions for Pwn2Own hacker Charlie Miller

VANCOUVER, BC -- At the CanSecWest security conference here, I got a chance to sit down with Charlie Miller, the researcher who broke into a fully patched MacBook machine using a Safari code execution vulnerability.

We discuss the state of Web browser security, the vulnerability marketplace and the need for anti-exploit mitigations on modern operating systems.

Ryan Naraine: So, what can you tell us about the vulnerability?

Charlie Miller: Not much. As part of the contest rules, I'm under NDA about the technical details.  I can tell you the computer (MacBook Air) was fully patched.  It was an exploit against Safari 4 and it also works on Safari 3.   I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit.  I came to CanSecWest last year with two bugs but only one exploit.  Last year, you could only win once so I saved the second bug.   Turns out, it was still there this year so I wrote another exploit and used it this year.

Does it work on Safari for Windows?

I don't know.  I didn't look.

Did you consider reporting the vulnerability to Apple?

I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away.  Apple pays people to do the same job so we know there's value to this work. No more free bugs.

What's the ballpark value of that Safari bug?

It was probably more than that $5,000 prize I won.   It's much less than the IE 8 vulnerability (exploited separately by Nils) by about a factor of ten. I could get more than $5,000 for it but I like the idea of coming here and showcasing what I can do and get some headlines for the company I work for (Independent Security Evaluators).

Why Safari?  Why didn't you go after IE or Firefox?

It's really simple. Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don't do.  Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

It's more about the operating system than the (target) program.  Firefox on Mac is pretty easy too.  The underlying OS doesn't have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it's going to be.  There's no randomization. I know when I jump there, the code is there and I can execute it there.  On Windows, the code might show up but I don't know where it is.  Even if I get to the code, it's not executable.  Those are two hurdles that Macs don't have.

It's clear that all three browsers (Safari, IE and Firefox) have bugs.  Code execution holes everywhere.   But that's only half the equation.  The other half is exploiting it.  There's almost no hurdle to jump through on Mac OS X.
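As an added check (not code from the interview, Apple or the researcher): a small Python script that reads the header flags a loader consults to decide whether a binary opts into the two hurdles Miller describes, a randomized load address (PIE) and a non-executable stack. It parses only the Mach-O flags word and little-endian ELF64 program headers, and the sample headers it exercises are constructed rather than taken from real binaries.

```python
"""Audit the two loader-level mitigations named in the interview: randomized load
address and a non-executable stack. Added example, not Apple's or the researcher's
code; sample headers are constructed, not real binaries."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_ALLOW_STACK_EXECUTION = 0x20000   # Mach-O: stack pages are executable
MH_PIE = 0x200000                    # Mach-O: image may be loaded at a random base
ELF_MAGIC, ET_DYN = b"\x7fELF", 3    # ELF: ET_DYN executables are PIE
PT_GNU_STACK, PF_X = 0x6474E551, 0x1 # ELF: segment that records stack permissions


def check_macho(data: bytes) -> dict:
    """The flags word sits at offset 24 in both 32- and 64-bit Mach-O headers."""
    flags = struct.unpack_from("<I", data, 24)[0]
    return {"format": "macho",
            "aslr": bool(flags & MH_PIE),
            "nx_stack": not (flags & MH_ALLOW_STACK_EXECUTION)}


def check_elf64(data: bytes) -> dict:
    """Little-endian ELF64: PIE is e_type == ET_DYN; PT_GNU_STACK gives stack perms."""
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # a missing PT_GNU_STACK has historically meant an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"format": "elf64", "aslr": e_type == ET_DYN, "nx_stack": nx_stack}


def check_mitigations(data: bytes) -> dict:
    """Dispatch on the magic number; anything unrecognized is rejected, not guessed."""
    if struct.unpack_from("<I", data, 0)[0] in (MH_MAGIC, MH_MAGIC_64):
        return check_macho(data)
    if data[:4] == ELF_MAGIC and data[4] == 2 and data[5] == 1:
        return check_elf64(data)
    raise ValueError("unsupported or unrecognized binary format")


def macho64_header(flags: int) -> bytes:
    """Constructed 32-byte x86_64 MH_EXECUTE header carrying the given flags."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, flags, 0)


def elf64_header(e_type: int, stack_flags: int) -> bytes:
    """Constructed ELF64 header followed by a single PT_GNU_STACK program header."""
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    # No PIE and an executable stack: the two missing hurdles the interview describes.
    print(check_mitigations(macho64_header(MH_ALLOW_STACK_EXECUTION)))
    print(check_mitigations(macho64_header(MH_PIE)))           # both opted in
    print(check_mitigations(elf64_header(ET_DYN, 0x6)))        # PIE, RW- stack
```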

What's harder?  Finding the bug or writing the exploit?

It's changing. In the past, it was always hard to find bugs but once you found something, it was easier to write a reliable exploit.  Now the (software companies) have gotten smart and they make it much harder to exploit.  It's hard to find a good bug these days and even harder to exploit and deal with all the mitigations.   That's why Dino (Dai Zovi) and I are a good team.  He specializes in exploits and I can concentrate on finding good bugs.

On a scale of 1-10, how impressive was Nils' sweep of exploiting all three main browsers?

I was surprised.  For IE 8, I'd give him a 9 out of 10.   For Safari, maybe a 2. It's just too easy to pop Safari.   For Firefox on Windows, I give him a 10.  That was the most impressive of the three.  It's really hard to exploit Firefox on Windows.

Really?  What's the difference between what you can do on IE but can't do on Firefox?

The technique he used works against IE but not Firefox.  It allows you to place code in a specific spot in memory.  Mark Dowd and Alex Sotirov talked about this at last year's Black Hat.  You can use a technique to make .NET not opt into the mitigations and jump over hurdles easily.  With Firefox, you can't do that.

For all the browsers on operating systems, the hardest target is Firefox on Windows.  With Firefox on Mac OS X, you can do whatever you want.  There's nothing in the Mac operating system that will stop you.

You talked earlier about the value of vulnerabilities.  Was it a surprise that he (Nils) basically gave up three "high-value" bugs for $5,000 each?

It's clear he's incredibly talented.  I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs.  I've talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability.  I'd say $50,000 is a low-end price point.

For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs.  With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and made $25,000 or $30,000 easily just by going after Safari on Mac.

Google Chrome was the one target left standing. Surprised?

There are bugs in Chrome but they're very hard to exploit.  I have a Chrome vulnerability right now but I don't know how to exploit it.  It's really hard.  They've got that sandbox model that's hard to get out of.  With Chrome, it's a combination of things -- you can't execute on the heap, the OS protections in Windows and the sandbox.

I might have this bug and I might be able to get code execution.  But now you're in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits.  That raises the bar.

Coming in, when I posted my predictions, I didn't think anyone would go after Chrome, IE or Firefox.  It's all economics. It's only hard or easy compared to what someone would pay.  If Pwn2Own offered $1 million per bug for Chrome, there would be a line of people here looking to bankrupt them.

Are browsers generally getting better at securing Web surfers?

Browsers are so complex, it's almost impossible to get everything right. With all that code and dependencies, it's hard to be perfect. People said five years ago that buffer overflows would be solved by now.  Well, they're not.  Bugs will always be there so it's a smart move to work on mitigations and (anti-exploit) roadblocks.

Browsers do a better job of providing visual warnings of phishing and malware sites or poor SSL.  It's not enough but it's better than nothing.   I think what you see with Chrome and sandboxing, that's where everyone needs to go.  It'll take a few years but that will have to be the standard.

* Image credit: TippingPoint Zero Day Initiative.

Talkback

191 comments
  • Windows makes it harder to exploit holes THAT'S DAMN TRUE

    "It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigation you'd find in Windows."

    LOL @The self-proclaimed--world's most advanced OS...
    shellcodes_coder
    • Well,

      It would seem that [b]everything[/b] is easier on a mac after all - right down to the exploits.

      eMJayy
      • No wonder the logo has a bite in it, it's infected with worms!

        Not only is the internet twice as fast, so is the pwnage.
        T1Oracle
        • The bite represents

          the portion of OSX that a hacker owns...
          GuidingLight
          • ROTFLMAO!

            In that case, I think the bite on the logo needs to be substantially bigger!

            Maybe it's time for Apple to switch to using an Apple core for its logo.
            eMJayy
          • or...

            Apple's marketshare...
            wcb42ad
    • Looking at real consequences...

      reveals the truth: It's just Windows which gets hacked repeatedly in the
      real world, it's just Windows which provides annoying, bandwidth-
      stealing botnets, it's only Windows which costs many billions of hard
      earned dollars to clean up from virus-infestations worldwide each year.

      I know what ZDNet is and who it serves, so I'm not surprised that articles
      like this one appear now and then.

      Who's interested in the truth when there's lots of money to make. Too
      bad..... :-(
      Mikael_z
      • Oh I get it! No market share, no security?

        This is the best Apple apology yet, since they aren't in a position to "costs many billions of hard earned dollars to clean up from virus-infestations worldwide each year." it's ok for them to leave gaping security holes in OSX. Wonderful, with that attitude they will never be in a position to "costs many billions of hard earned dollars to clean up from virus-infestations worldwide each year" because they never sell enough copies.

        Hey, switch to Apple it's easy to pwn but still secure since it's not an economically viable target for hackers yet, well... until you buy it that is...
        T1Oracle
        • Stupid people make Microsoft rich

          Just Windows has problems with malware which means that no other
          computer platform has these problems, which in turn means a close to
          $0 cost for Linux, Mac OS X, Solaris, etc.

          Windows has an abysmal security record, but that's easy to ignore right?
          Especially if you earn your living on support for that second rate
          platform...
          Mikael_z
          • Actually, they only have an abysmal security record

            Because they are the most attacked operating system out there. Once OSX and Linux get above 10% marketshare (NEVER GOING TO HAPPEN!), we will see THEM being attacked as much or even more than Windows OS's.
            Lerianis
          • Actually

            You're wrong there, OSX won't just get attacked it'll be pwned from day one. Linux on the other hand was designed with security first and is already a major target for hackers and continues to survive without issue. Linux has a substantial portion of the server market share, and servers are much more valuable targets than desktops.

            Windows sucks and OSX sucks more, both of them make the same mistake of putting pretty features ahead of robust security. Linux did not start with any focus on being pretty, that is only a recent development.
            T1Oracle
          • Can you elaborate on how Linux's security is better than Window's security?

            [i]You're wrong there, OSX won't just get attacked it'll be pwned from day one. Linux on the other hand was designed with security first and is already a major target for hackers and continues to survive without issue.[/i]

            Thanks.
            ye
          • Or better yet, why Linux would have better security than Mac OS X

            All statistics I've seen suggest that all Unix and Unix-like systems have
            very good security, especially compared to the redmondian swiss cheese,
            but that OS X would have an edge here.
            Mikael_z
          • Servers aren't the most valuable platforms to own - desktops are

            If you compromise a front-end web server, chances of making it any further into the network (and therefore into any of the database/storage servers) are VERY VERY slim.

            It's FAR more profitable to hack desktops because: a) There are many more of them, and b) they contain a great deal of highly valuable information.
            de-void-21165590650301806002836337787023
          • Nonsense - servers ARE valuable targets

            A compromised server can serve up malware to unsuspecting users. Precisely [b]none[/b] of the phishing email I have received has tried to redirect me to someone's desktop machine...
            Zogg
          • @Zogg: That's not what I said.

            I didn't say servers were worthless hacking targets. I said that they're not the most valuable targets.

            Sure, you may find it useful to hack a server in order to provide you with a distribution mechanism, but most front-end servers do NOT contain much valuable data. Further, once you're on to a server, you've still got a mountain of security measures to overcome as most server environments employ a number of safeguards to prevent malicious 3rd parties from talking to database and fileshares inside the server network.

            It is FAR more profitable to steal users' data and re-sell that data elsewhere. Why do you think phishing has become so popular? If a phisher can convince you that they're eBay and you login - usually several times, trying and re-trying all your passwords, giving the phisher all your keys, they can then trawl the web, trying to login and be you. Where they get in, they steal data and services, masquerading as you.

            THAT is a *FAR* more dangerous exploit than any malware that just shuts down your machine or redirects your browser's homepage to some bragging page.
            de-void-21165590650301806002836337787023
          • @ Zogg: Are you absolutely 100% sure?

            [b]A compromised server can serve up malware to unsuspecting users. Precisely none of the phishing email I have received has tried to redirect me to someone's desktop machine... [/b]

            Exactly how hard is it to do any of the following:

            Setup your own web server?
            Setup a cheap domain?

            In both cases - the answer is NOT VERY. Linux, last I checked, comes with Apache. Most flavors of Windows come with IIS and you can even download Apache for Windows.

            In either case, why go through the hassle of compromising some server when for a pittance (compared to the potential reward), you can either set your own server up OR you can host it on a less than reputable hosting company?

            The point is - you don't necessarily KNOW 100% for sure where those phishers are hosting their files. They could be pretty much anywhere in the world.

            And furthermore... What IS the point of a phishing expedition in the first place? It's to gain user IDs and passwords so the perpetrators can get access to your bank accounts. That, in and of itself, is a means to "hack" a server. Why attack a server when there are MUCH easier means to get access and steal money?

            Wolfie2K3
          • @Ye

            No, won't elaborate on why Linux is much more secure than Windows. It's up to you to get out there and learn something, rather than just regurgitate MS piffle.
            Amelioration
          • Mac OS X is not Mac OS X Server

            Do not compare Safari on a Mac OS X desktop to Linux servers.
            Try comparing Mac OS X servers to Linux servers.
            British cyber security firm mi2g (http://mi2g.com/) did just such a
            study.

            The study conducted by mi2g's Intelligence Unit looked at the total
            number of attacks against government and private sector online
            servers, as well as the number of successful attacks, for the month of
            January. The most attacked OS for online servers was Linux at 80
            percent, followed by Windows at 12 percent and then BSD and Mac OS
            X at three percent. Within the government environment, the most
            successfully attacked Operating System was also Linux at 57 percent,
            followed by Windows at 35 percent and BSD and Mac OS X at 0
            percent, which the company notes is a first for that category.

            The rest of the article here:
            http://www.macobserver.com/article/2004/02/26.2.shtml

            Now what were you saying about Linux?

            Please, any system can be hacked and Apple needs to address these
            bugs. But in fact the greater issue is: should browsers have access to
            anything outside the sandbox of the browser ever? The answer as far
            as I am concerned is no. The problem is web developers and those pushing
            for cloud computing say yes.

            They feel the browser and the web should be the OS and if they can
            not get access to the local data it severely limits the usefulness of
            their apps. I have doubts no matter what security they use they will
            ever get it perfectly secure since bugs happen. I feel even as browsers
            get more security features the greater use of web applications will still
            open up users to a larger number of threats. Already the access to the
            system from within the browser is way beyond what the original
            creators of the web intended.

            Originally security was a concern and that is why under strict HTML
            standards no user or system level access was allowed from code
            within a web browser.
            But most OS security is still based on that original model.
            Michael Fournier
          • Since everyone else was replying to this message...

            Ok. 1st - Server VS Desktop.

            Desktop: On at 8:00, off at 5:00. You have 9 hours to take control of this system if they have the VERY BASIC in security. (At the end of the day, turn it off)
            Server: Usually on a 1 month IPL unless there are emergency patches that require a 20 minute shutdown and restart. This means you can have your exploit running 24/7 until it is found.

            The above is mostly for BOT activity values.

            2nd - OS choices

            The easier the better I say. Linux servers with all the names and SSNs are the most valuable, but not the easiest. The HR director may have a MAC Lifebook or a Lenovo T71 that would be a lot easier to get into. Install a keystroke logger and the rest is just knowing your way around the system. You still have to figure that some sort of security is going to try and stop you, but it will still be easier than trying to go straight at the server. (bad example would be the stolen V.A. administrator laptop that had 24 million veterans with SSNs) Who needs hacking knowledge when you only need a crowbar and a week to wait for CNN to tell you the pawn ticket you threw away is now worth 1 million dollars if you know how to contact any criminal hackers.
            dbisse@...