You'd think this guy was getting paid by the number of times he disses Mac and pimps Firefox on Windows...
This link has been bookmarked by 20 people . It was first bookmarked on 20 Mar 2009, by Ronnie LeDondo.
-
06 May 11
-
12 Mar 10
-
08 Sep 09
Sean Dagony-ClarkMac & Safari security exploits (and you thought it was impossible!)
RCS-EmrgTech-Articles RCS-EmrgTech-Problems RCS-EmrgTech-Software hacking hack security crime
-
28 Jul 09
-
05 Apr 09
FK_name FK_nameOn a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers?
I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari. For Firefox on Windows, I give him a 10. That was the most impressive of the three. It’s really hard to exploit Firefox on Windows.
Really? What’s the difference between what you can do on IE but can’t do on Firefox?
The technique he used works against IE but not Firefox. It allows you to place code in a specific spot in memory. Mark Dowd and Alex Sotirov talked about this at last year’s Black Hat. You can use a technique to make .net not opt into the mitigations and jump over hurdled easily. With Firefox, you can’t do that.
For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.
You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three “high-value” bugs for $5,000 each?
It’s clear he’s incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.
For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac. -
01 Apr 09
-
20 Mar 09
-
Kevin RigginsRyan has a great interview of Charlie Miller, one of the winners of the pwn2own contest at CanSecWest.
-
Walid DamounyFresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underl
InternetExplorer MacOSX GoogleChrome security hacking Apple webbrowser ZDNet Pwn2Own from-delicious Safari Firefox Windows
-
-
It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
-
Add Sticky NoteFor all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.
-
-
Public Stiky Notes
Would you like to comment?
Join Diigo for a free account, or sign in if you are already a member.