Apple's browser likely to be compromised multiple times at this year's hacking contest, Charlie Miller predicts

Mar 4, 2009 11:53 GMT
Charlie in the foreground exploiting the MacBook Air at last year's PWN to OWN hack contest

Charlie Miller, the security researcher who won last year’s Pwn2Own hacker contest, expects this year's showdown to be even worse for Apple's web browsing application. According to his predictions, as many as four different individuals may be able to hack Safari this time around. Last year, Miller exploited a Safari flaw to compromise a fully patched MacBook Air.

As ZDNet's Zero Day indicates, Miller posted a note on the Daily Dave mailing list, describing Safari as “easy pickins.” Furthermore, he forecasts that at least four zero-day Safari flaws will be used during the upcoming contest to hack the browser. Miller’s full predictions are as follows:

Safari: hacked by 4 different people.  Easy pickin’s as usual.

Android: hacked by 1 person.  Not too tough but no one owns one.

IE8, Firefox: Survive unscathed.  The bugs to exploit equation is [sic] too hard for $5k.

iPhone, Symbian: Survive due to non-executable heap.

Blackberry, Windows Mobile, Chrome: I don’t know enough to say anything intelligent.  That said, they’re probably hard/obscure and so survive.

The Register explains that Miller's predictions may indeed be accurate, as “the ASLR, or address space layout randomization, protection in Apple's OS X is easily defeated, allowing hackers to overcome a barrier that prevents similar exploits from working on the most recent versions of Windows. What's more, the it-just-works Mac credo increases the number of potential soft spots hackers can target,” reads the piece. "Every feature an application has is another spot a vulnerability may lay. These features are why I like Safari, but, the drawback is [that] it has a large attack surface," Miller allegedly told the site.

This year's hacking contest will take place March 18-20 at the CanSecWest security conference in Vancouver. There will be two sessions / tracks during which hackers will go head to head with the major browsers, including Safari, Internet Explorer, and Firefox, and will also try to compromise major smartphones, including the iPhone, Blackberry, and devices running the Android, Symbian, and Windows Mobile operating systems.