Apple's Safari and Internet Explorer were the first to go down in round one of the Pwn2Own hacking contest being held at the CanSecWestConference being held in Vancouver, B.C. I first mentioned the Pwn2Own contest in a blog last month. The contest is the brain-child of CanSecWest founder DragosRuiu. Its goal is to reward researchers that exploit vulnerabilities in hardware and software.
Analyst Charlie Miller was able to exploit a vulnerability in Apple's Safari Browser earning him $5,000 and an Apple laptop. The exploit was actually a leftover exploit from last year that Apple never fixed. A computer science student from Oldenburg University in Germany was able to exploit Internet Explorer 8, which ran on Microsoft's new Windows 7 operating system. The student, who wanted to remain unidentified, took home a Sony Vaio and $5,000 in cash.
I think that this just reinforces what every security professional believes, and that's no matter how hard application developers work, there will always be vulnerabilities. The fact that it happened so quickly to a browser is of special concern because these applications open our systems up to the Internet. We will not know the details of the hack for a while because the contestants agreed not to release them as part of winning the prize. However we do know that Apple's browser was hacked within seconds with an exploit that was over a year old. Internet Explorer 8 was not even in candidate release and it was hacked along with Firefox.
Now, I guess you can make the case that these hackers attacked a specific version of the software, and it was at a certain patch level, and running on a specific hardware platform. If you believe this, then I have a left handed computer to sell you. So what can we do to protect ourselves? Here is a short list:
Keep your software at the latest patch version
Adopt a layered security model
Use intrusion detection/prevention
Consider a data loss prevention solution
Create an Acceptable Use Policy and train users on the policy
Perform penetration testing at least annually
Review inhouse code with an eye toward security
Make security everyone's responsibility
Use an open source browser
Keep your resume up to date
I would have to agree with Lora Bentley's blog, Firefox, IE Battle it out for Browser Market. Lora cited a pole by vnunet.com where the majority of participants favored an open source browser like Firefox. Many of my clients have switched from Internet Explorer to Firefox. The reason cited is because it's open source, the bugs are published and well known and are fixed a lot faster.
I will leave you this parting thought; if this guy could hack Safari with so little effort, what could someone do who had a lot of time?