For the longest time in hacker folklore Internet Explorer and Microsoft Windows were the key targets and most exploitable while Macintosh and Safari were virtually ignored. But times they are a-changin’, roles are reversing, and Google’s Chrome comes out as a dark horse.
Researchers entering the Pwn2Own browser exploit contest at CanSecWest in Vancouver delivered bad news to all three major Web browsers. IE, Safari, and Firefox were all cracked, leaving Google’s Chrome unbroken. When the researchers took a crack at smartphones like the iPhone, Blackberry, and Android, they also fell short.
Charlie Miller
But the bigger news is the insight Charlie Miller, a security researcher for Independent Security Evaluators who cracked a fully patched MacBook Air through Safari, gave ZDNet in an interview. Miller labeled Mac OS as the easiest of the bunch to exploit while naming Firefox on Windows machines one of the most difficult, and Chrome as almost impossible.
The difficulty Chrome presents, said Miller, is a reason why hackers, especially those in the contest, largely ignore it. Google’s browser is just too much work.
“There are bugs in Chrome but they’re very hard to exploit,” he explained. “I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. The’ve [sic] got that sandbox model that’s hard to get out of… I might have this bug and I might be able to get code execution. But now you’r ein [sic] a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar. “
On the other hand, Mac OS is the easiest, and with rising popularity of Apple machines, it becomes a more attractive target. Over the decades, the sheer ubiquity of Windows machines made Microsoft the biggest target, leaving Mac machines virtually ignored by the hacker community.
Miller suggests it’s the operating system more than the browser these days, and the folks at Microsoft have made it very difficult to exploit Windows via anti-exploit mitigations and randomization, “two hurdles” lacking on Macs.
While Firefox is just slightly more difficult to exploit than IE 8, in Miller’s estimation, the killer combination is Firefox on Windows. “It’s really hard to exploit Firefox on Windows,” he said. “For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.”