Abs.Net web Page

Share Your Knowledge, Build your Network..

Apple and Internet Explorer, Two Browsers First to Go Down in Hacking Contest

Posted by Hari Saryono on 3 April 2009


 

Apple’s Safari and Internet Explorer were the first to go down in round one of the Pwn2Own hacking contest being held at the CanSecWest Conference in Vancouver, B.C. I first mentioned the Pwn2Own contest in a blog last month. The contest is the brainchild of CanSecWest founder Dragos Ruiu. Its goal is to reward researchers who exploit vulnerabilities in hardware and software.

Analyst Charlie Miller was able to exploit a vulnerability in Apple’s Safari browser, earning him $5,000 and an Apple laptop. The exploit was actually a leftover from last year that Apple never fixed. A computer science student from Oldenburg University in Germany was able to exploit Internet Explorer 8, which ran on Microsoft’s new Windows 7 operating system. The student, who wanted to remain unidentified, took home a Sony Vaio and $5,000 in cash.

I think that this just reinforces what every security professional believes: no matter how hard application developers work, there will always be vulnerabilities. The fact that it happened so quickly to a browser is of special concern because these applications open our systems up to the Internet. We will not know the details of the hack for a while because the contestants agreed not to release them as part of winning the prize. However, we do know that Apple’s browser was hacked within seconds with an exploit that was over a year old. Internet Explorer 8 was not even in candidate release and it was hacked along with Firefox.

Now, I guess you can make the case that these hackers attacked a specific version of the software, at a certain patch level, running on a specific hardware platform. If you believe this, then I have a left-handed computer to sell you. So what can we do to protect ourselves? Here is a short list:

  1. Keep your software at the latest patch version
  2. Adopt a layered security model
  3. Use intrusion detection/prevention
  4. Consider a data loss prevention solution
  5. Create an Acceptable Use Policy and train users on the policy
  6. Perform penetration testing at least annually
  7. Review in-house code with an eye toward security
  8. Make security everyone’s responsibility
  9. Use an open source browser
  10. Keep your resume up to date

I would have to agree with Lora Bentley’s blog, “Firefox, IE Battle it out for Browser Market.” Lora cited a poll by vnunet.com where the majority of participants favored an open source browser like Firefox. Many of my clients have switched from Internet Explorer to Firefox. The reason cited is that it’s open source: the bugs are published and well known and are fixed a lot faster.

I will leave you with this parting thought: if this guy could hack Safari with so little effort, what could someone do who had a lot of time?

Sources:

www.itbusinessedge.com
