Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the browser, why Chrome is so hard to hack, and many other things.
One of the most common questions is why Miller and his colleagues do not report their bugs to Apple or make them public. He is very honest about this, and explains that it’s a simple matter of economics: there’s a market for exploits. “Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away,” Miller explains, “Apple pays people to do the same job so we know there’s value to this work.” He says he could’ve gotten a lot more money for the exploit than the $5,000 prize he won yesterday, but he chose to enter the contest because he likes showcasing what he can do, and of course because of the headlines for his company.
He went on to explain that the Internet Explorer/Windows exploit found by cracker Nils is worth a hell of a lot more than his own Safari/Mac exploit “by about a factor of ten”. “You can get paid a lot more than $5,000 for one of those [IE/Win] bugs,” says Miller, “I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he [Nils] did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.” He added he was very impressed by what Nils did, especially the Firefox/Windows exploit, which he gave a 10 out of 10. “It’s really hard to exploit Firefox on Windows.”
Miller repeated his claim that Mac OS X is easy to exploit. He makes a clear distinction between the browser and the underlying operating system, stating that for example while Firefox on Windows is very hard to crack, Firefox on Mac OS X is easy, because Mac OS X lacks all the anti-exploit features Windows has built-in. “The things that Windows do to make it harder [for an exploit to work], Macs don’t do,” Miller says, “Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.”
As an example, he takes his winning exploit. “With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.” He added that all browsers have holes, but that writing exploits for those holes is harder on Windows than it is on Mac OS X.
When it comes to Chrome, Miller is positive about the sandboxing technology in the browser, explaining that you need two bugs in order to create a Chrome exploit: a bug in the browser, and a bug that gets you past the sandboxing. “There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it,” he states, “It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things – you can’t execute on the heap, the OS protections in Windows, and the Sandbox.”
I just don’t know what to think of Miller and other people like him. I see no moral obligation for them to help other companies make money off their work on finding exploits, and he’s quite right in asking why he should do the work that Apple or Microsoft employees get paid to do for free. However, at the same time, there’s also the responsibility of the general public. When it comes to open source projects, the question is a bit simpler for me.
As Miller says: “It’s all economics.”