Pwn2Own 2010: interview with Charlie Miller

    Pwn2Own is a famous contest held at the CanSecWest conference. Every year there is a big reward for researchers who find exploitable bugs in popular browsers and operating systems, and also in mobile devices like the iPhone. For the past two years the Pwn2Own champion has been Charlie Miller (0xcharlie on Twitter), one of the most famous bug hunters and security experts in the world.

    Pwn2Own 2010 will be held over the course of three days starting on March 24th, so we decided to interview Charlie Miller (Italian version here). Here are his answers:

    You won the Pwn2Own contest two years running by hacking Safari on Mac OS X. Will Safari and the Mac be your targets for the Pwn2Own 2010 contest as well?

    Everything is my target at this point. I’d love to hack one of the mobile devices, but will probably end up on Safari again. I was the first to hack the iPhone and an Android device in the past, so I am comfortable with those two platforms, but it’s harder to exploit them. This year only one person can win per target, so my biggest obstacle will be making sure nobody beats me to the punch.

    Windows 7 or Snow Leopard: which of these two commercial OSes will be harder to hack, and why?

    Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.

    In Pwn2Own 2010 there is still no trace of Linux as a possible target. Is it harder to find exploits for Linux, or does a non-commercial operating system hold no interest for exploit hunters?

    No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. The organizers don’t choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.

    What is your opinion about Chrome OS? Is it a really secure OS, or could it be an easy target in the near future?

    I don’t know enough about it to comment.

    In your opinion, which is the safest OS + browser combination to use?

    That’s a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!

    On the mobile side of Pwn2Own 2010, the big targets will be iPhone 3GS/iPhone OS and Android/Motorola Droid. Which one will be more easily exploitable?

    They’re both pretty secure. I’d guess the iPhone because it’s been around a little longer and there has been more research done on it. So, it’s not that it’s necessarily less secure, it’s just that researchers understand how it works better.

    Next year, one possible target could be Windows Phone 7. What do you think about this prediction?

    I hope so. I really like the pwn2own contest and I think it’s great how it rewards researchers and gets vulnerabilities in products fixed that otherwise would put users at risk.

    The game console world is big business, and game consoles are in our living rooms, but there are still few exploits and vulnerabilities discovered. Why do only a few known security researchers (for example George Hotz) work on exploiting consoles?

    Even though there are lots of game consoles, there are way more computers, for example. Also, game consoles don’t HAVE to connect to the Internet. I’ve had a Wii for a year or so and it’s never been on the Internet. It’s hard to remotely attack the box when you can’t get packets to it :) Also, computers, and phones to a lesser extent, are designed to be customized, to download and use/render content from the Internet. This is where vulnerabilities exist and exploits are created. Game consoles don’t do this as much so the attack surface is much smaller. The final reason is that it is hard to do research on them. It’s not easy to get a debugger running on an Xbox, for example.

    Last but not least, can you say something about your work toolbox? Which software do you use for discovering vulnerabilities?

    Check out the Mac Hacker’s Handbook, most of my secrets are in there. But basically, I use a combination of static and dynamic techniques. I use IDA Pro for reverse engineering and a custom private fuzzing framework I’ve written called Tiamat, and lots of patience and hard work. There is nothing I do that 1000 other people in the world couldn’t do if they felt like it. It’s still relatively easy to find and exploit these platforms.



    1. Derek Currie says:

      Much as I consider Dr. Charlie Miller to be a hero of the Mac community, I have to suggest that people inclined to use Windows 7 with any version of Internet Explorer, including version 8, get a second opinion. I personally could never recommend Internet Explorer to anyone, even with Adobe Flash disabled. Why? It has the worst security record of all web browsers. It is out of date with regards to Internet standards. It uses unsafe as well as non-standard Microsoft web technology such as ActiveX, JScript and Microsoft’s alternative HTML calls. Shoot the messenger, but please use something else.

    2. Boby B says:

      couldn’t agree more, stay away from M$ IE.

    3. Timite Hassan says:

      I can recommend Internet Explorer 8 on both Vista and Windows 7. On these two OSes it is among the best, if not the best, in terms of security, as mentioned by Charlie Miller.

    4. G.J. says:

      I can recommend IE8, but also Safari(!), because it is safer and better in use (better design, faster, etc.)

    5. Piero says:

      >> On these two O.S it is among the best, if not the best, in terms of security…

      But why? Could you explain more, please?

    6. Derek Currie says:

      G.J. sez: “I can recommend IE8, but also Safari(!), because it is safer and it better in use (better designe, faster etc.)”

      Faster? No. Microsoft themselves have apologized that version 8 is still slow relative to other browsers such as Firefox and Safari.

      Better in use? No. Version 8 still does not support all current Internet code standards.

      Design? Because version 8 now it has tabs like all the other browsers have had for years?

      Safer? Because it supports ActiveX and JScript, which have been proven to be UN-safe scripting languages?

      PLEASE justify your statement G.J. I certainly have justified mine and am happy to provide URLs that support all of my assertions. I’d also point anyone concerned about IE to security expert Steve Gibson of GRC for his opinion on the matter.


    7. G.J. says:

      No, I mean Safari is better than the others,
      but IE8 in design is better than Opera, Chrome, or FF.

      I have bad English, sorry.

    8. Pimmelbahn says:

      @G.J.: Still, that justifies nothing. You just replaced one unjustified statement with another one. So you’ve added nothing of relevance.

      I’m a bit confused about which browsers and OSes are actually in his range. I assume he wouldn’t try to hack text browsers like Lynx. But actually, the only browsers he mentioned were Safari, Chrome and IE.

    9. JimD says:

      It’s funny. One of the best hackers in the world and people are still in denial about the security of IE8 on Win7…lol

    10. BroE says:

      For a relatively secure browser at the moment, one might want to look at Dillo:

      1. It is incapable of running active content (no flash, no Java, no ActiveX, no JavaScript). This means the attack surface is smaller. You have to attack the layout engine, image processing, network, or rendering components. When you remove the easy ways to attack, a criminal will usually go looking for a more vulnerable target.

      2. It is relatively unknown and uses its own rendering engine so it would not be a promising target. Security through obscurity is not perfect, but it helps unless a hacker specifically targets you.

    11. Seventh Reign says:

      The fact is, even THE most secure system in the universe CAN be hacked if someone is determined enough and has the time. There is no such thing as unhackable, period. Linux is simply much much much much MORE secure than Windows. It still is not and will never be 100% secure. Passwords can be figured out, fingerprints or other “scans” can be copied, voices can be imitated etc.

    12. Rob says:

      IE8 is very secure because it fully
      utilizes DEP,
      utilizes ASLR,
      uses protected mode lowering IE execution rights (sandbox),
      and also has secondary protection:
      a cross-scripting filter,
      SmartScreen malware filtering,
      SmartScreen phishing filtering.

      The combination of all of those techniques makes it very safe.
      There isn’t really malware currently available to trap a patched IE8 browser on Vista or W7 with.

    13. Anders HG says:

      I have used Linux since 2007 and this is the first three-year period my computer has been as safe and secure as it could be. When I used Windows there was always malware, at least by the beginning of the 3rd year.

      No doubt – Linux is as safe an OS as it could be on this earth.

    14. apexwm says:

      I would NEVER recommend IE to anybody, and I don’t trust it myself. I use Firefox on Linux, which is a proven stable and secure platform.

    15. EchoBravo says:

      /*No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. */

      How about doing it on your own just for the bragging rights of being the first one to do it on Linux using Firefox? You already have the money. Talk is cheap. Make all those companies running servers and desktops aware. Many governments and universities have switched to the Linux desktop.

    16. LS says:

      No hacking contest is complete without Linux involved.
      I’m sure this guy is biased because his job depends heavily on working with commercial software. He doesn’t want to look any less skillful by admitting he can’t hack Linux. Software is much like politics.

    17. Kamilion says:

      Sorry to come in late on this — but there’s one big thing missing: Every copy of IE8 I’ve seen in the field is filled with TOOLBARS! Sometimes SIX OR MORE! All the users I talked to dutifully did whatever the website told them to do… (I just got another user today insisting that “vista security 2010” was legit… *sigh*)

    18. Pit London says:

      I use Opera and Firefox on Win XP and they work fast and stable. I never use any IE, I just don’t trust it because I’ve seen too many trap things. I use Linux as well, I don’t really like what comes from M$.
      ps. It is strange what Charlie Miller is saying, or it is too much commercial…….don’t know???

    19. dc says:

      First off, people don’t know what they are talking about. ActiveX is not a “scripting language”, it is a code container that allows running browser extensions. I agree that it is very unsafe if you have some untested 3rd party ActiveX installed, but still, please have your terms straight.

      As for JScript and ActiveX going away or not being supported on a Windows platform, I doubt that it will happen in the near future. The reasons? There are too many web sites and companies that rely on those for their whole livelihood. An example would be Adobe Flash itself, which runs as an ActiveX component.

      As for IE not being as safe and secure as FF or Chrome, for instance, I would agree with it. The reason is not that MS wrote bad code for it but that there are way too many hackers targeting Microsoft. It’s that plain and simple.

      As for the advice in this article not to use Flash and JScript in your browsers, I think it’s like saying, if you don’t want to get hurt stay in your basement. As you can imagine, that is not possible in today’s world, so everything has to be done in moderation and people should be educated about what to do and what not to do on the web.

      Have a safe browsing!

    20. Andrea says:

      It’s funny to see that the myth of Linux security has become so entrenched that people would contradict even the best security hackers to keep the myth alive.

      Linux is nothing special, get over it.

    21. Jdashn says:

      If Linux security is a myth, why does he not go for breaking Linux/FF rather than OSX/Safari? Wouldn’t it be worth the bragging rights, seeing as how it’s not been done at Pwn2Own before?

    22. Ruvann says:

      I don’t get the Internet Explorer recommendation. Serious flaws were the sole reason for attacks last year that made, if I recall correctly, the German government ask people not to use IE until those flaws were fixed.
      It was definitely no secret. That’s just one of the incidents I have heard of concerning weak security in IE.

      I’m no pro or anything, but from all the many reports, I believe IE to be the last resort.
      The only thing IE is useful for is using it once to download another browser :-D

    23. Oh For F's Sake says:

      ActiveX hasn’t been a problem since IE4. Let me guess? Wikipedia? Firefox forums? Urban Dictionary?

      Don’t even speak of Secunia either, they have no system as to how “serious” an exploit is. If I see another “A malicious website can look like a banking site” security report labeled SERIOUS. Hell, all their exploits involve you:
      A) Being stupid enough to enter personal information on a redirected site.
      B) Being stupid enough to visit “unsecure sites” (i.e. pornographic) and give out personal information.
      C) Being stupid enough to disable security precautions (yes, one of their exploits involves using a low browser security setting. It never triggered for me [and I think they had a message asking me to lower security so it would work]).
      D) Being stupid.

      So obviously Microsoft won’t bother, I mean… if you’re dumb enough to disable web browser security and get “infected” with Bonzi Buddy… you obviously shouldn’t be using a computer.

      In other words, IE doesn’t have security holes. IT HAS USERS. Firefox is secure ONLY because it makes it very difficult to disable security, while IE lets you do it in a few clicks.

      Now IE still isn’t into the whole “browser customization” market, I do believe… so Opera, Firefox, Chrome, w/e… they all support customization (and native Ad Blocking :D). Hence I use Opera… but IE really is just as secure… unlike what you kiddies seem to think.
