Feeds

Hack-off contestant dubs Apple Safari 'easy pickins'

Pwn2Own's low-hanging fruit

Reducing security risks from open source software

Apple's Safari browser is likely to be compromised multiple times at an annual hacking contest being held later this month because it's "easy pickins as usual," a researcher specializing in Apple security says.

Charlie Miller, the white-hat hacker who successfully felled a MacBook Air at last year's Pwn2Own competition, predicts the Apple browser will be hacked by at least four contestants this time around. That makes it the most vulnerable piece of software at this year's event, according to Miller, who was also among the first to disclose critical iPhone vulnerabilities a few weeks after its release.

Within hours of debut of Safari for Windows in June of 2007, security researchers discovered multiple vulnerabilities that could allow attackers to remotely install malware on the machines of people who used the beta. A co-author of the recently published The Mac Hacker's Handbook, Miller says Safari hasn't made enough progress since then and he cites several reasons why.

For one, the ASLR, or address space layout randomization, protection in Apple's OS X is easily defeated, allowing hackers to overcome a barrier that prevents similar exploits from working on the most recent versions of Windows. What's more, the it-just-works Mac credo increases the number of potential soft spots hackers can target.

"Every feature an application has is another spot a vulnerability may lay," he writes in an email to The Register. "These features are why I like Safari, but, the drawback is it has a large attack surface."

Miller goes on to predict that Google's Android will be successfully pwned by one participant, explaining "Not too tough but no one owns one." Translation: Android's susceptibility to breaches will be slightly offset by its lukewarm reception in the market.

Meanwhile, the iPhone and Symbian devices will survive unscathed thanks to their non-executable heap. Such countermeasures prevent code loaded into a program's heap from executing, making it hard for hackers to exploit the devices maliciously even when software bugs are discovered. Miller also predicts that IE8 and Firefox will also emerge undefeated.

Miller makes no predictions about Google's Chrome, which has also been shown to be susceptible to attack.

This year's event will take place March 18-20 at the CanSecWest security conference in Vancouver. One track will pit hackers against the major browsers, including Safari, Internet Explorer, and Firefox. A second track will test the mettle of major smart phones, including the iPhone, Blackberry, and devices running the Android, Symbian, and Windows Mobile OSes. El Reg will once again provide start-to-finish coverage of the hacking games in all their glory. ®

This article was updated to note that the 2007 debut was for Safari for Windows.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.