At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari- why not exploit Internet Explorer or Firefox. His answer?
“It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.”
This is a commentary on Windows more than Internet Explorer. As Miller pointed out, “it’s more about the operating system than the program”. This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least privilege access enforced by UAC, with DEP (data execution prevention), ASLR (address space layout randomization), and Protected Mode IE provide additional layers of protection which make it harder to exploit vulnerable software. It was the ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.
Miller even goes on to suggest that Firefox, and particularly Google’s Chrome browser might be even harder than Internet Explorer to exploit, but its primarily due to the hoops an attacker would have to jump through to exploit a vulnerability in Windows. Seems like fairly high praise for Microsoft’s efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.