Apple’s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year’s winner predicted Tuesday.
“It’s an easy target,” said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop within minutes of the contest. PWN2OWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia.
“It might be because I’m biased about the things I’m good at, but it’s the easiest browser [to hack],” Miller said.
PWN2OWN’s sponsor, 3Com’s TippingPoint, will pay $5,000 for each new bug successfully exploited in Safari, Microsoft’s Internet Explorer 8 (IE8), Mozilla’s Firefox or Google’s Chrome. IE8, Firefox, and Chrome will be running on a Sony notebook powered by Windows 7, Microsoft’s still-under-construction operating system, while Safari and Firefox will be available on a MacBook.
“Apple’s products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats,” said Miller. “With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is.”
Another factor contributing to Safari’s easy pickings, said Miller, is Apple’s Mac OS X, which lacks workable defenses found in Windows Vista and Windows 7, including address space randomization. Microsoft calls it “address space layout randomization,” or ASLR.
Put Safari atop Mac OS X, and the target’s too good to pass up, said Miller.
IE8 and Firefox will escape unscathed, Miller predicted, adding that a quick cost-benefit analysis tells him they’ll be safe. “They make it so hard that, for me, $5,000 isn’t motivation enough to try to break one of those guys,” he said. As for Chrome, he pleaded ignorance, saying that he didn’t know enough about the browser to even provide a prediction. His gut instinct, however, is that Google’s browser will also survive.
Miller has also been sharpening his mobile device vulnerability and exploit skills—he was the first researcher to uncover a security bug in Google’s Android operating system—and so will take a stab at the second PWN2OWN contest. That separate challenge will pit researchers against five smartphone operating systems, including Windows Mobile, Android, Symbian, and the operating systems used by the iPhone and BlackBerry. TippingPoint will pay double, or $10,000, for each bug exploited at the contest.
“I’ll be trying to break Safari,” said Miller. “If I say it’s easy, I have to try, right? But I also want to show my stuff on mobile.”
He declined to say which smartphone he will target. It’s likely, however, that he’ll be looking at the iPhone; Miller was one of three researchers who found the first iPhone vulnerability just weeks after the device’s mid-2007 debut.
Nor would Miller get specific about the vulnerabilities he has in mind or is investigating. “You pretty much have to show up [with a vulnerability and exploit] and be ready to go,” said Miller. “The great thing about PWN2OWN is that it’s not just about finding bugs, but about finding bugs that can be exploited, and then coming up with an exploit.”
Miller works as a principal analyst at Independent Security Evaluators, a security consulting firm, and said he is looking forward to the contest, which kicks off March 18. “I have to defend my championship, don’t I?”