Security Expert: Flash is the Root of all Web Browser insecurity

Discussion in 'Apple, Inc and Tech Industry' started by macfan881, Mar 1, 2010.

  1. macfan881 macrumors 68020

    Feb 22, 2006
    You're probably relatively confident in your various machines' integrity against hackers. Repeat Pwn2Own hacking competition victor Charlie Miller would like you to know that you're wrong—especially if you have Flash.

    In an interview with OneITSecurity, Miller picks off questions about hacking and security with just enough ease and nonchalance to make me queasy. Like, you know how Mac OS exploits are supposed to be tougher to root out than Windows exploits? Not quite! And they're both vulnerable:

    Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.

    And obviously, Linux is a fortress, right? Again:

    No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you're talking about. The organizers don't choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.

    And within a given operating system, surely you can ensure immunity from exploits by choosing a secure browser like Firefox. Surely. No? GUUUGHHH.

    [The safest browser is] Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!

    So the guy who consistently prevails at Pwn2Own, a competition where hackers demonstrate exploits for sport, says that Flash, which is installed on about 98% of computers on the internet, unifies all browsers in insecurity, and that IE8, an Internet Explorer browser, in case you're having trouble unfolding that acronym, now ranks among the safest in its category. The slightly better news is, despite inherent insecurities that he doesn't bother to elaborate on, mobile smartphone platforms are relatively secure as compared to their desktop counterparts. So there's that.
  2. *LTD* macrumors G4


    Feb 5, 2009
    Having physical access to a machine makes Charlie Miller awesome, does it?
  3. mac2x macrumors 65816

    Sep 19, 2009
    Oh, gag! Another 'pwn2own' thread. :rolleyes: That. thing. is. worthless.
