Tuesday, March 3, 2009

Safari Browser = Target Rich Environment

Zero Day makes predictions about the upcoming "Pwn2Own" hacking contest, and this sounds about right (my comments in brackets):
  • Safari: hacked by 4 different people. Easy pickin’s as usual. [Complacency, thy name is Apple - Ted]
  • Android: hacked by 1 person. Not too tough but no one owns one. ["Security through Obscurity" only works when your market share is less than 5% - Ted]
  • IE8, Firefox: Survive unscathed. The bugs to exploit equation is too hard for $5k. [Microsoft has put a ton of effort into securing IE. ActiveX is still a major weakness, though; basically it lets any old web site load machine executable code into your browser, which is Really Bad Juju. - Ted]
  • iPhone, Symbian: Survive due to non-executable heap. [Architecture counts. See ActiveX comment, above. - Ted]
  • Blackberry, Windows Mobile, Chrome: I don’t know enough to say anything intelligent. That said, they’re probably hard/obscure and so survive. [Chrome is the only one here that has survived any sort of scrutiny. - Ted]
The biggest concern for most readers here is the Safari browser. There's a solid and growing market share, which is attracting attention by the Bad Guys (or Good Guys, in the case of this challenge). Combine this with Apple's arrogant attitude in general and their view of security in particular (Microsoft is the one with the problem), and this looks like a Bad Moon Rising.

Apple is in Condition White when it comes to Safari security. I'm pretty sure that if you have a Mac, you should switch to Firefox.

5 comments:

  1. There's another option for Mac users too.

    Camino

    I don't know about security, but it's a Mozilla product like Firefox, and it's smaller, faster, lighter and not so much of a resource hog.

    It doesn't have a ready supply of plugins like firefox does, and it doesn't have a built-in RSS reader, but if neither of those bother you, I'm pretty impressed with it. The only reason I've stuck with firefox instead of going to Camino is because of the lack of RSS reader.

  2. Curt, thanks for the pointer. A quick check shows that this is built on the Mozilla Gecko rendering engine, so it inherits a lot of security fixes from the Mozilla/Firefox line.

    It also means that you may have many of the same security issues that Firefox has, but this should be much less than you'll get with Safari, at least for the near future.

    It also looks like it gets regular security updates.

  3. I want a non executable heap!
    For some reason Firefox doesn't work very well with my Asus Eeepc's tiny little Atom processor and XP-Home.

  4. Non-executable heaps should be required - the breakdown of the code/data dichotomy is one of the biggest concerns in modern programming security.

    I find that Firefox tends to be a bit of a resource hog, which is why I tried Chrome (even better security, but even more of a resource hog).

    I'll bet that if you rebuilt your own Linux kernel, you'd get better performance on Linux/Atom than XP/Atom, though.

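The non-executable heap mentioned in the Zero Day predictions above, and the code/data dichotomy raised in the comment just above, come down to one property a defender can actually check: no region of a process's memory should be both writable and executable at the same time (often called W^X). The script below is an added example, not code from the original post or any of its commenters. It parses the Linux `/proc/<pid>/maps` format and flags every mapping whose permission bits include both `w` and `x`, which is exactly the condition an attacker needs to turn written data into running code. The sample mapping text is constructed for illustration, not captured from a real process; the two `rwxp` entries in it are planted so the audit has something to find.

```python
import re
from typing import Dict, List

# Constructed sample in /proc/<pid>/maps layout (not from a real process).
# Fields: address-range perms offset dev inode [pathname]
# Two regions are deliberately mapped rwxp so the audit flags them.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 1311 /usr/bin/example
0060b000-0060c000 rw-p 0000b000 08:01 1311 /usr/bin/example
01a2f000-01a50000 rw-p 00000000 00:00 0    [heap]
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0
7f3c2b400000-7f3c2b5a0000 r-xp 00000000 08:01 2241 /lib/x86_64-linux-gnu/libc.so.6
7ffd4c1e0000-7ffd4c201000 rwxp 00000000 00:00 0    [stack]
"""

# One maps line: start-end, four permission characters, offset, dev, inode,
# then an optional pathname (absent for anonymous mappings).
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[Dict]:
    """Turn maps-format text into a list of region dicts; skips malformed lines."""
    regions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            continue  # tolerate junk rather than abort the whole audit
        start = int(m.group("start"), 16)
        end = int(m.group("end"), 16)
        regions.append({
            "start": start,
            "end": end,
            "size": end - start,
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return regions


def is_wx(region: Dict) -> bool:
    """True when a region is simultaneously writable and executable."""
    perms = region["perms"]
    return "w" in perms and "x" in perms


def find_wx_regions(regions: List[Dict]) -> List[Dict]:
    """Return every region that violates W^X, in file order."""
    return [r for r in regions if is_wx(r)]


def heap_is_executable(regions: List[Dict]) -> bool:
    """Report whether the region labelled [heap] carries the execute bit."""
    return any(r["path"] == "[heap]" and "x" in r["perms"] for r in regions)


def audit_maps(text: str) -> Dict:
    """Summarise a maps dump: total regions, W^X violations, heap status."""
    regions = parse_maps(text)
    violations = find_wx_regions(regions)
    return {
        "regions": len(regions),
        "wx_count": len(violations),
        "wx_paths": [r["path"] or "<anonymous>" for r in violations],
        "heap_executable": heap_is_executable(regions),
    }


if __name__ == "__main__":
    report = audit_maps(SAMPLE_MAPS)
    print(f"{report['regions']} regions, {report['wx_count']} W^X violations")
    for path in report["wx_paths"]:
        print("  rwx mapping:", path)
    print("heap executable:", report["heap_executable"])
```

On a live system the same functions can be pointed at `open("/proc/self/maps").read()` (or another PID you are entitled to inspect); a clean process normally reports zero violations, and a JIT or an old plugin that needs writable code pages is the usual legitimate explanation when one does show up. The `[stack]` entry in the constructed sample is flagged for the same reason as the anonymous region: the checker cares only about the permission bits, not about what the region is called.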
  5. Oh-uh-er-ah - rebuilding a kernel, not in this pixel-pusher's bag of tricks. Close as I get to Linux is a friend who works at Red Hat. :-)
    I just find it unfortunate that I have to use IE on the poor little machine.
    Its sole purpose in life is to accompany us on vacation to store digi-pics, and to access the United Airlines website for the elusive 24-hr prior to departure travel upgrade-window for the $12.50 per inch extra 4-inches of Economy Plus. At my wife's demand. :-)


Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.