Browsers First to Go Down in Hacking Contest

Ralph DeFrangesco

Apple's Safari and Internet Explorer were the first to go down in round one of the Pwn2Own hacking contest, held at the CanSecWest conference in Vancouver, B.C. I first mentioned the Pwn2Own contest in a blog last month. The contest is the brain-child of CanSecWest founder Dragos Ruiu. Its goal is to reward researchers who exploit vulnerabilities in hardware and software.


Analyst Charlie Miller was able to exploit a vulnerability in Apple's Safari browser, earning him $5,000 and an Apple laptop. The exploit was actually a leftover from last year that Apple never fixed. A computer science student from Oldenburg University in Germany was able to exploit Internet Explorer 8 running on Microsoft's new Windows 7 operating system. The student, who wanted to remain unidentified, took home a Sony Vaio and $5,000 in cash.


I think this just reinforces what every security professional believes: no matter how hard application developers work, there will always be vulnerabilities. The fact that it happened so quickly to a browser is of special concern because these applications open our systems up to the Internet. We will not know the details of the hack for a while because the contestants agreed not to release them as a condition of winning the prize. However, we do know that Apple's browser was hacked within seconds with an exploit that was over a year old. Internet Explorer 8 was not even at the release-candidate stage, and it was hacked along with Firefox.


Now, I guess you could make the case that these hackers attacked a specific version of the software, at a certain patch level, running on a specific hardware platform. If you believe this, then I have a left-handed computer to sell you. So what can we do to protect ourselves? Here is a short list:


Keep your software at the latest patch version

Adopt a layered security model

Use intrusion detection/prevention

Consider a data loss prevention solution

Create an Acceptable Use Policy and train users on the policy

Perform penetration testing at least annually

Review in-house code with an eye toward security

Make security everyone's responsibility

Use an open source browser

Keep your resume up to date


I would have to agree with Lora Bentley's blog, Firefox, IE Battle it out for Browser Market. Lora cited a poll by vnunet.com in which the majority of participants favored an open source browser like Firefox. Many of my clients have switched from Internet Explorer to Firefox. The reason they cite is that because it's open source, the bugs are published, well known, and fixed a lot faster.


I will leave you with this parting thought: if this guy could hack Safari with so little effort, what could someone do who had a lot of time?



Apr 1, 2009 1:33 AM Rhett says:

What could someone do who had the source code?

Apr 1, 2009 2:30 AM Ralph DeFrangesco says, in response to Rhett:

Rhett,

Great question. Having open-sourced software gives the good guys, and the bad, the ability to find vulnerabilities if there are any. Hopefully the good guys find them first and fix them.

-Ralph

Apr 1, 2009 4:32 AM Randy says:

How long did it take to hack IE 8?

Apr 1, 2009 5:03 AM Ralph DeFrangesco says, in response to Randy:

Randy,

I searched several sites and could not find the time it took to hack it. I know it took longer than Firefox and Safari. If you do find it, please post it here.

Thank you,

-Ralph

Apr 1, 2009 6:20 AM jeb says:

BTW - source code for virtually anything is easily obtainable (yes, even Windows); at least open source doesn't try to hide it.

Apr 1, 2009 10:48 AM Ralph DeFrangesco says, in response to jeb:

Jeb,

Source code is generally not available for commercial software. Although Microsoft is getting better at making SOME of its software code available, the majority by far is not available.

You are correct, open source does not try and hide anything. It would be very difficult to.

-Ralph
