Lucid Nonsense


Security Concerns

Sunday, 22 March 2009

The Pwn2Own contest got off to an interesting start this week and has left me feeling a little concerned. Oddly this is not actually much to do with the fact that Safari on Leopard was the first to fall. I’ll take a brief detour and explain why that isn’t preying on my mind too greatly at the moment…

…The flaw is reported to have been easy, compared to the alternatives, primarily because Leopard’s implementation of ASLR isn’t particularly brilliant. In fact it misses the point in some respects (dyld loads at the same address every time, for instance). Basically it’s there, but not as effective as it should be. Similarly, sandboxing in Leopard isn’t used as effectively as it could be. Vista and Windows 7 have a good ASLR implementation for apps that support it; however, any version of Internet Explorer prior to 8 runs without ASLR support. So while Safari on Leopard loses some ground on security compared to IE8 running on Vista or Windows 7, it doesn’t against earlier versions of IE running on older versions of Windows. Seeing as IE8 has been out for just a few weeks, Windows 7 hasn’t been released at all, and Vista’s uptake has not been particularly stellar, it actually compares fairly well with the vast majority of PCs out there.
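The point about dyld landing at the same address every run can be checked empirically: a shared library that is properly randomised will report a different address in each fresh process, one that is not will report the same address every time. The following script is an added example, not code from the original post, and it assumes a POSIX system where the interpreter already has libc mapped; it uses libc’s malloc as a stand-in for any shared library (on Leopard the post’s concern is dyld itself) and generalises to any exported symbol you pass it.

```python
import ctypes
import subprocess
import sys

# Flag that switches this script into "child probe" mode (a constructed name).
PROBE_FLAG = "--probe"


def libc_symbol_address(symbol="malloc"):
    """Return the runtime address of one libc symbol in *this* process.

    dlopen(NULL) gives the global symbol scope of the running interpreter, which
    already has libc mapped, so no library path needs to be guessed.
    """
    handle = ctypes.CDLL(None)
    func = getattr(handle, symbol)
    return ctypes.cast(func, ctypes.c_void_p).value


def sample_addresses(runs=8, symbol="malloc"):
    """Spawn this file `runs` times in probe mode and collect each child's answer.

    Each child is a fresh process, so each answer reflects a fresh placement
    decision by the dynamic loader; that placement is what ASLR should randomise.
    """
    addrs = []
    for _ in range(runs):
        out = subprocess.check_output([sys.executable, __file__, PROBE_FLAG, symbol])
        addrs.append(int(out.strip(), 16))
    return addrs


def assess(addrs):
    """Summarise a sample: a library that lands at one address in every run is
    not being randomised, which is the Leopard dyld behaviour described above."""
    distinct = len(set(addrs))
    return {"runs": len(addrs), "distinct": distinct, "randomized": distinct > 1}


if __name__ == "__main__":
    if PROBE_FLAG in sys.argv:
        # Child mode: print the address and nothing else.
        print(hex(libc_symbol_address(sys.argv[-1])))
    else:
        print(assess(sample_addresses()))
```

A result of `distinct == 1` over eight runs is the "same address every time" symptom; a small number of distinct values over many runs points to low-entropy randomisation rather than none.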

Furthermore it’s worth noting that IE8 still fell on the first day, and while every browser except Chrome was hacked, this is a direct hacking contest and doesn’t necessarily correlate with an increased risk from viruses and trojans. Mac OS X remains under very low threat from those particular menaces, due to a number of factors, including other security designs, that are probably more applicable to “real world” security threats.

What does need to happen is that Apple implement ASLR properly for Snow Leopard (and I honestly have no idea if that’s on the cards, but it would be nice) and increase the use of sandboxing, something that made Chrome particularly hard to exploit. Leopard has started to feel a bit like a “stepping-stone” to Snow Leopard from both the client and server perspective, something I’ll go into in more detail later this week. Hopefully these security technologies in particular are something that, while introduced in Leopard, will be properly refined in its successor.

So in general this is a local bug that I don’t think will have much, if any, real world impact, and I’m reasonably sure that in a few months’ time it’ll have been effectively closed off with the release of the latest version of OS X.

Anyway, back to my main concern…

…The drive to increase security always appeared to be a major goal of hacking events; a positive feedback loop that helps increase OS and app security. What I find unusual is what appears to be a new point of view from a security researcher, in particular Charlie Miller stated:

“I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away”

First off I entirely understand people need to make money. I also understand that a lot of work can go into writing these hacks. However the security community has generally worked with the understanding that vendors would be informed of the bugs so that the bugs could get fixed. Saying that the bugs have a market value worries me as there is only one single legal buyer for a bug in Mac OS X or Safari: Apple. There is of course another group of purchasers for vulnerabilities but it, to put it mildly, isn’t particularly legitimate. That, to me, isn’t a genuine market.

So effectively the position Charlie Miller is taking is that unless Apple give him money, he won’t tell them about the bug so that it can be fixed. Personally I just feel a little uncomfortable with that position. Surely competitions like this allow security researchers to get some great PR, a reasonable prize, get their name around, and build up a reputation for themselves? They can then earn their money with the consultancy that they can sell on the back of their reputation. I have done several unpaid conferences and presentations purely on the basis of getting my name “out there” and as a bit of extra advertising and PR.

I know Apple have absolutely no shortage of money, and they could easily pay the “going rate” for bugs, and perhaps they should. I just feel that it’s an odd position for a security researcher to take, and certainly isn’t what I’d class as the moral high ground in this particular instance. I think what best sums it up is that if I were in that position, and had spent that much time on the hack, I would feel that handing the exploit over to Apple to fix would still be the right thing to do.
