Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 22 March 2010 10:42

Prediction: Pwn2Own will make Apple look bad

By Stephen Withers

You'll almost certainly see a flood of articles dumping on the insecurity of Apple's products this week. Here's why you should take them with a pinch of salt.


The annual Pwn2Own contest starts today at the CanSecWest conference in Vancouver, Canada.

In a nutshell, competitors have to demonstrate remote code execution with minimal user interaction. The first to succeed wins the attacked device (laptop or mobile phone), $US10,000 cash, and certain benefits.

This year's targets are Microsoft Internet Explorer 8 on Windows 7, Mozilla Firefox 3 on Windows 7, Google Chrome 4 on Windows 7, and Safari 4 on Mac OS X Snow Leopard.

That's for the first day of competition. Windows 7 is replaced with Vista on day two, and XP on day three.

On the mobile phone side, the targets are iPhone (3GS), BlackBerry (Bold 9700), Symbian S60 (Nokia), and Android (Motorola).

To win, competitors will have to demonstrate a real, working exploit for a previously undisclosed vulnerability.

Don't be fooled by anyone who tries to downplay the winning exploits with statements like "but I never visit untrustworthy sites." There have been enough attacks in which legitimate content has been modified in some way, or malicious ads loaded onto ad servers, to rule that out as a security strategy. Even bona fide government sites have been hacked.

There are two main problems with the coverage you'll see this week.

Firstly, it's almost certain that we'll see headlines along the lines of "iPhone first to fall in Pwn2Own hacking competition".

Why? Because the organisers have a random draw to determine the order in which competitors get to show their stuff, and the first spot has gone to a pair targeting the iPhone.

The second competitor is 2008 and 2009 winner Charlie Miller, who is again targeting Safari. (Yes, Miller was first to go in 2009, but Safari, Internet Explorer 8 and Firefox were all compromised in the same round of the competition.)

You don't enter this sort of contest unless you already have an exploit, so it's almost certain that the iPhone and Safari-on-Snow-Leopard will be the first platforms to fall this year.

And that brings us to the second problem. A considerable number of commentators made a big deal about the way Miller took less than two minutes to compromise Safari last year. How long do you think it takes to use an exploit?

It's not as if competitors are put in a closed room with a browser and operating system they've never seen before. Entrants typically spend weeks or months looking for flaws and then working out how they can be exploited.

So they arrive at the conference with a ready-made exploit, and typically all that's needed is to type a URL into the browser.

Consequently, there's no point in trying to read anything into how 'quickly' any entrant appears to defeat any of the platforms.

In the hope of staving off ill-informed comments (informed and thoughtful comments are always welcome, even if they take a contrary view), I'll close with a recap: the vulnerabilities revealed by the Pwn2Own contest almost certainly represent genuine security threats, but the nature of the competition means that neither the order in which the browsers are defeated nor the time taken to use an exploit tells us anything about their relative security.

Stephen Withers

joomla visitors

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.