March 21st, 2009, 03:58 AM
Why Didn't You Exploit IE?
At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari- why not exploit Internet Explorer or Firefox. His answer?
"It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have."
This is a commentary on Windows more than Internet Explorer. As Miller pointed out, "it's more about the operating system than the program". This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least privilege access enforced by UAC, with DEP (data execution prevention), ASLR (address space layout randomization), and Protected Mode IE provide additional layers of protection which make it harder to exploit vulnerable software. It was the ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.
Miller even goes on to suggest that Firefox, and particularly Google's Chrome browser might be even harder than Internet Explorer to exploit, but its primarily due to the hoops an attacker would have to jump through to exploit a vulnerability in Windows. Seems like fairly high praise for Microsoft's efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.
Last edited by tonybradley; March 21st, 2009 at 04:00 AM.
March 21st, 2009, 04:48 PM
I remember Apple users bragged for years about their secure platform. What happened? Was Apple's downfall caused by the switch to the Intel based chips? What about 3rd-party apps incorporated into the operating system? Is this happening at the kernel or application level? Another hero becomes the villain scenario?
Originally Posted by tonybradley
March 21st, 2009, 10:54 PM
Im not even sure if Motorola has ever supported anything like NX such as these other processors. Based on what this article says, apparently not... and they aren't making software that would take advantage of it either way.
I remember Apple users bragged for years about their secure platform. What happened? Was Apple's downfall caused by the switch to the Intel based chips?
Last edited by The-Spec; March 21st, 2009 at 10:59 PM.
March 21st, 2009, 11:11 PM
The biggest reason for Apple's relative security is that it didn't have a similarly sized think tank trying to crack it.
By dalek in forum Microsoft Security Discussions
Last Post: September 23rd, 2006, 04:46 AM
By Black Cluster in forum Microsoft Security Discussions
Last Post: October 14th, 2005, 09:44 AM
By Tiger Shark in forum Microsoft Security Discussions
Last Post: January 14th, 2005, 08:47 PM
By ntsa in forum The Security Tutorials Forum
Last Post: July 21st, 2002, 05:00 PM
By zigar in forum Microsoft Security Discussions
Last Post: April 4th, 2002, 08:50 PM
Tags for this Thread