The only researcher to “three-peat” at the Pwn2Own hacking contest said on Thursday that security is such a “broken record” that he won’t hand over 20 vulnerabilities he’s found in Apple’s, Adobe’s and Microsoft’s software.

Instead, Charlie Miller will show the vendors how to find the bugs themselves.

Miller, who on Wednesday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he’s tired of the lack of progress in security. “We find a bug, they patch it,” said Miller. “We find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”


Using just a few lines of code, Miller crafted what he called a “dumb fuzzer,” a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for instance, has long touted, and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they’re created.
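To make the approach concrete, here is a dumb mutation fuzzer run against a toy parser; this is an added example, not Miller's code. The `DOC1` format, the sample input, and the names `parse`, `mutate` and `fuzz` are all hypothetical and constructed for illustration.

```python
import random

# Constructed sample input: 4-byte magic, then records of <1-byte length><payload>.
SEED = b"DOC1" + bytes([5]) + b"hello" + bytes([3]) + b"abc"

class ParseError(Exception):
    """Clean rejection of malformed input: expected behaviour, not a bug."""

def parse(data: bytes) -> list:
    """Toy target (hypothetical) with a deliberate flaw: it trusts the length byte."""
    if data[:4] != b"DOC1":
        raise ParseError("bad magic")
    records, pos = [], 4
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]
        # Flaw: never checks that `length` bytes are present, so reading the
        # record's last byte fails when the length is 0 or overruns the buffer.
        _last = payload[length - 1]
        records.append(payload)
        pos += 1 + length
    return records

def mutate(seed: bytes, rng: random.Random, ratio: float = 0.1) -> bytes:
    """Dumb mutation: overwrite random bytes with random values, no format knowledge."""
    buf = bytearray(seed)
    for _ in range(max(1, int(len(buf) * ratio))):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `target`; keep one reproducer per unexpected exception type."""
    rng = random.Random(rng_seed)  # fixed seed so every finding is reproducible
    crashes, rejected = {}, 0
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            rejected += 1          # parser refused the input cleanly
        except Exception as exc:   # anything else is a bug worth triaging
            crashes.setdefault(type(exc).__name__, case)
    return {"crashes": crashes, "rejected": rejected}

if __name__ == "__main__":
    result = fuzz(parse, SEED)
    for kind, case in result["crashes"].items():
        print(f"{kind}: reproducer={case.hex()}")
    print(f"cleanly rejected: {result['rejected']}")
```

The fuzzer knows nothing about the file format, yet a single corrupted length byte is enough to reach the unchecked read. The saved reproducer is what a developer would triage and turn into a regression test.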

Miller’s fuzzer quickly uncovered 20 vulnerabilities across a range of applications, as well as vulnerabilities in Apple’s Mac OS X 10.6, aka Snow Leopard, and its Safari web browser. He also found flaws in Microsoft’s PowerPoint presentation maker; in Adobe’s popular PDF viewer, Reader; and in OpenOffice.org, the open-source productivity suite.

Miller was to take the floor on Thursday at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.

“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller maintained, would mean more secure software.

What really disappointed Miller was how easy it was to find these bugs. “Maybe some will say I’m bragging about finding the bugs, that I can kick ass, but I wasn’t that smart. I did the trivial work and I still found bugs.”

He went into the project figuring that he wouldn’t find any vulnerabilities with the dumb fuzzer. “But I found bugs, lots of bugs. That was both surprising and disappointing.” And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn’t found these bugs long ago.

One researcher with three computers shouldn’t be able to beat the efforts of entire teams, Miller argued. “It doesn’t mean that they don’t do [fuzzing], but that they don’t do it very well.”

By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. “I think they’ll feel some pressure to find these bugs,” he said.

Miller used one of the flaws he found by dumb fuzzing to exploit Safari on a MacBook Pro, walking off with the notebook, $10,000 and a free trip to Las Vegas this summer to the DefCon hacking conference.

Miller also won cash prizes at Pwn2Own in 2008 and 2009, each time by exploiting a Safari vulnerability on the Mac.