Hacker finds 20 exploits in Apple, Adobe & Microsoft software.
Charlie Miller has won the hacking contest for a third time, and this time he’s taking the prize and secrets home and not sharing either!
Charlie Miller, a three-time winner of a hacking contest named Pwn2Own, was able to exploit Apple’s and Microsoft’s software 20 different ways, and he is so tired of the lack of progress in security that he won’t reveal the 20 exploits. He claims security is such a “broken record” that he won’t hand over 20 vulnerabilities he’s found in Apple’s, Adobe’s and Microsoft’s software.
Disgusted with progress made in security, Charlie Miller will not reveal the 20 exploits but will instead teach the vendors how to find the bugs themselves.
Miller successfully exploited Safari on a MacBook Pro notebook running Snow Leopard, winning $10,000 in the hacking contest. Miller says, “We find a bug, they patch it. We find another bug, they patch it. That doesn’t improve the security of the product. True, [the programs] get incrementally better, but they actually need to make big improvements. But I can’t make them do that.”
Miller’s secret is the use of small programs he creates and runs, called “dumb fuzzers”. They automatically search for flaws in software by inserting data and finding where the program fails. Fuzzing is the most common technique used by hackers and outside researchers, and it is also commonly used by developers to spot bugs before release. Microsoft claims to use fuzzing as part of its Security Development Lifecycle, which is the process of baking security into products as they are created.
Miller’s fuzzer revealed 20 exploits, along with other vulnerabilities, across a wide range of applications.
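To make “inserting data and finding where the program fails” concrete, here is a small dumb mutation fuzzer of the kind a developer can run against their own parser before release. It is an added example, not Miller’s fuzzer; the toy record format, `parse_records`, and the sample input are all constructed for illustration.

```python
import random

class ParseError(ValueError):
    """Clean rejection of malformed input: expected behaviour, not a bug."""

def parse_records(data: bytes) -> list:
    """Constructed toy target: b'RC' magic, then [tag][len][payload] records.
    Deliberate defect: `len` is trusted and never checked against the buffer."""
    if data[:2] != b"RC":
        raise ParseError("bad magic")
    out, i = [], 2
    while i < len(data):
        tag, length = data[i], data[i + 1]        # fails on a truncated header
        payload = data[i + 2 : i + 2 + length]
        checksum = payload[length - 1] if length else 0  # fails if len overruns
        out.append((tag, payload, checksum))
        i += 2 + length
    return out

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: overwrite 1-3 random bytes with no knowledge of the format."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `target`; keep one reproducer per failure type."""
    rng = random.Random(rng_seed)       # fixed seed so findings are repeatable
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            continue                    # handled rejection, nothing to report
        except Exception as exc:        # any other failure is a finding to triage
            crashes.setdefault(type(exc).__name__, case)
    return crashes

# Constructed valid sample: two records, (1, b"abc") and (2, b"hi").
SEED = b"RC" + bytes([1, 3]) + b"abc" + bytes([2, 2]) + b"hi"

if __name__ == "__main__":
    for kind, case in fuzz(parse_records, SEED).items():
        print(f"{kind}: reproducer = {case.hex()}")
```

In Python the unchecked length surfaces as an `IndexError`; in a C or C++ parser the same class of mistake would typically be an out-of-bounds read, which is why fuzzers for native code are usually run with a memory-error detector attached.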
Exploits found by Miller
- Apple’s Mac OS X 10.6, aka Snow Leopard
- Apple’s Safari browser
- Microsoft’s PowerPoint presentation maker
- Adobe’s popular PDF viewer, Reader
- OpenOffice.org, the open-source productivity suite
“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller explained, would mean more secure software.
What really disappointed Miller was how easy it was to find these bugs. “Maybe some will say I’m bragging about finding the bugs, that I can kick ass, but I wasn’t that smart. I did the trivial work and I still found bugs.”
Miller, who did not expect to find any vulnerabilities with his dumb fuzzer, said, “But I found bugs, lots of bugs. That was both surprising and disappointing.” It also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn’t found these bugs long ago.
One researcher with three computers shouldn’t be able to beat the efforts of entire teams, Miller argued. “It doesn’t mean that they don’t do [fuzzing], but that they don’t do it very well.”
By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. “I think they’ll feel some pressure to find these bugs,” he said.
Miller used one of the flaws he found by dumb fuzzing yesterday to exploit Safari on a MacBook Pro, winning him that notebook, $10,000 and a free trip to Las Vegas this summer to the DefCon hacking conference.
Miller also won cash prizes at Pwn2Own in 2008 and 2009, successfully hacking the Mac.