Pownce Refugees

Keeping the community alive, post Pownce

Pwn2Own winner tells Apple, Microsoft to find their own bugs

Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader

March 25, 2010, 04:29 PM — Computerworld

The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's

Instead Charlie Miller will show the vendors how to find the bugs themselves.

Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

Using just a few lines of code, Miller crafted what he called a "dumb fuzzer," a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for example, has long , and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they're created.
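The "dumb fuzzer" idea described above, as an added example that is not Miller's code and not from the article: random byte mutation of one valid sample, fed to a parser, with every unhandled exception recorded as a finding. The `REC1` format, `parse_record` and its planted missing bounds check are constructed for illustration.

```python
import random

# Constructed sample: magic "REC1", field count 2, then length-prefixed fields.
SEED_INPUT = b"REC1" + bytes([2, 5]) + b"hello" + bytes([5]) + b"world"

def parse_record(data):
    """Toy target (hypothetical format) with a planted missing bounds check."""
    if data[:4] != b"REC1":
        raise ValueError("bad magic")  # intended, clean rejection
    count, pos, fields = data[4], 5, []
    for _ in range(count):
        length = data[pos]  # bug: count and length are trusted
        fields.append(bytes(data[pos + 1 + i] for i in range(length)))
        pos += 1 + length
    return fields

def mutate(seed, rng, ratio=0.1):
    """Overwrite a fraction of the seed's bytes with random values."""
    buf = bytearray(seed)
    for _ in range(max(1, int(len(buf) * ratio))):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed, iterations=500, rng_seed=1):
    """Return {exception name: first input that triggered it}."""
    rng = random.Random(rng_seed)  # fixed seed so a run can be replayed
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue  # parser rejected the input on purpose: not a finding
        except Exception as exc:  # anything unhandled is a robustness bug
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    for name, case in fuzz(parse_record, SEED_INPUT).items():
        print(name, case.hex())
```

Separating intended rejections (`ValueError`) from unhandled failures is what turns raw fuzzer output into a short list of inputs worth triaging.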

Miller's fuzzer quickly uncovered 20 vulnerabilities across a range of applications as well as vulnerabilities in Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser. He also found the flaws in Microsoft's PowerPoint presentation maker; in Adobe's popular PDF viewer, Reader; and in OpenOffice.org, the open-source productivity suite.

Today, Miller was to take the floor at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.
