Apple and Internet Explorer, Two Browsers First to Go Down in Hacking Contest
Posted by Hari Saryono on 3 April 2009
Apple’s Safari and Internet Explorer were the first to go down in round one of the Pwn2Own hacking contest being held at the CanSecWest Conference in Vancouver, B.C. I first mentioned the Pwn2Own contest in a blog last month. The contest is the brainchild of CanSecWest founder Dragos Ruiu. Its goal is to reward researchers who exploit vulnerabilities in hardware and software.
Analyst Charlie Miller was able to exploit a vulnerability in Apple’s Safari Browser earning him $5,000 and an Apple laptop. The exploit was actually a leftover exploit from last year that Apple never fixed. A computer science student from Oldenburg University in Germany was able to exploit Internet Explorer 8, which ran on Microsoft’s new Windows 7 operating system. The student, who wanted to remain unidentified, took home a Sony Vaio and $5,000 in cash.
I think this just reinforces what every security professional believes: no matter how hard application developers work, there will always be vulnerabilities. The fact that it happened so quickly to a browser is of special concern, because these are the applications that open our systems up to the Internet. We will not know the details of the hack for a while, because the contestants agreed not to release them as part of winning the prize. However, we do know that Apple’s browser was hacked within seconds with an exploit that was over a year old. Internet Explorer 8 was not even in candidate release, and it was hacked along with Firefox.
Now, I guess you can make the case that these hackers attacked a specific version of the software, at a certain patch level, running on a specific hardware platform. If you believe this, then I have a left-handed computer to sell you. So what can we do to protect ourselves? Here is a short list:
- Keep your software at the latest patch version
- Adopt a layered security model
- Use intrusion detection/prevention
- Consider a data loss prevention solution
- Create an Acceptable Use Policy and train users on the policy
- Perform penetration testing at least annually
- Review in-house code with an eye toward security
- Make security everyone’s responsibility
- Use an open source browser
- Keep your resume up to date
I would have to agree with Lora Bentley’s blog, Firefox, IE Battle it out for Browser Market. Lora cited a poll by vnunet.com in which the majority of participants favored an open source browser like Firefox. Many of my clients have switched from Internet Explorer to Firefox. The reason they cite is that because it’s open source, the bugs are published and well known, and they are fixed a lot faster.
I will leave you with this parting thought: if this guy could hack Safari with so little effort, what could someone do who had a lot of time?