Feeds

Hack-off contestant dubs Apple Safari 'easy pickins'

Pwn2Own's low-hanging fruit

Internet Security Threat Report 2014

Apple's Safari browser is likely to be compromised multiple times at an annual hacking contest being held later this month because it's "easy pickins as usual," a researcher specializing in Apple security says.

Charlie Miller, the white-hat hacker who successfully felled a MacBook Air at last year's Pwn2Own competition, predicts the Apple browser will be hacked by at least four contestants this time around. That makes it the most vulnerable piece of software at this year's event, according to Miller, who was also among the first to disclose critical iPhone vulnerabilities a few weeks after its release.

Within hours of debut of Safari for Windows in June of 2007, security researchers discovered multiple vulnerabilities that could allow attackers to remotely install malware on the machines of people who used the beta. A co-author of the recently published The Mac Hacker's Handbook, Miller says Safari hasn't made enough progress since then and he cites several reasons why.

For one, the ASLR, or address space layout randomization, protection in Apple's OS X is easily defeated, allowing hackers to overcome a barrier that prevents similar exploits from working on the most recent versions of Windows. What's more, the it-just-works Mac credo increases the number of potential soft spots hackers can target.

"Every feature an application has is another spot a vulnerability may lay," he writes in an email to The Register. "These features are why I like Safari, but, the drawback is it has a large attack surface."

Miller goes on to predict that Google's Android will be successfully pwned by one participant, explaining "Not too tough but no one owns one." Translation: Android's susceptibility to breaches will be slightly offset by its lukewarm reception in the market.

Meanwhile, the iPhone and Symbian devices will survive unscathed thanks to their non-executable heap. Such countermeasures prevent code loaded into a program's heap from executing, making it hard for hackers to exploit the devices maliciously even when software bugs are discovered. Miller also predicts that IE8 and Firefox will also emerge undefeated.

Miller makes no predictions about Google's Chrome, which has also been shown to be susceptible to attack.

This year's event will take place March 18-20 at the CanSecWest security conference in Vancouver. One track will pit hackers against the major browsers, including Safari, Internet Explorer, and Firefox. A second track will test the mettle of major smart phones, including the iPhone, Blackberry, and devices running the Android, Symbian, and Windows Mobile OSes. El Reg will once again provide start-to-finish coverage of the hacking games in all their glory. ®

This article was updated to note that the 2007 debut was for Safari for Windows.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.