Legendary bank robber Willie Sutton was made famous for allegedly explaining why he robbed banks with the answer: "Because that's where the money is." So why do cyber crooks attack Web browsers? Because that's where the user is.
But maybe a more accurate answer is: "Because that's where the vulnerabilities are." At least, that was the answer given by a 25-year-old German computer science student known only as "Nils," who last week proudly showcased three brand new exploits for remotely hijacking the most popular Web browsers, including Firefox, Safari and the last beta release of Microsoft's Internet Explorer 8.
Nils was competing in the "Pwn2Own" contest at the CanSecWest security conference in Vancouver. That contest, sponsored by 3Com's TippingPoint, awarded contestants $5,000 per browser bug. The first person who can crack any of the browsers was allowed to keep the laptop it was running on (TippingPoint purchases information about unpatched security flaws but alerts the affected vendor and keeps the bug under wraps until the vendor has a chance to patch the vulnerability).
"Browser security is hard to get right, because you have a lot of technology in these programs which is exposed to the Internet, and when it's exposed to he Internet it's also exposed to hackers," Nils said. "When you have the large code bases that these programs have, it's very hard to get these things right, and I think I was able to show that none of the current browsers are really secure."
Nils won $5,000 and a Sony Vaio netbook for his IE8 vulnerability (which Microsoft fixed the very next day in its release of the first non-beta version of IE8) plus another $5,000 each for the Firefox and Safari bugs.
Nils, a student at German's University of Oldenburg, said he opted not to divulge his full name because he didn't want to be pestered by less-than-scrupulous individuals who try to purchase information about unpatched vulnerabilities for criminal purposes.
"Most of the people interested in buying vulnerabilities aren't the kind of people I want to talk to, because there are some really shady people out there looking for this information who are using it for illegal purposes," Nils said. "So, while it is probably true what people have been saying -- that I could have probably made a lot more money selling these bugs on the open market -- I think $15,000 is a nice amount of money."
Both the Firefox and Safari vulnerabilities that he proved were exploited on a Mac OS X system. The German hacker said the latest versions of both Firefox and IE take full advantage of features built in to Windows Vista that make it far more difficult to reliably exploit than on the current version of OS X. Those features, including "data execution prevention" (DEP) and "address space layout randomization," (ASLR) don't appear to be properly implemented between OS X and versions of Safari and Firefox built for that operating system, Nils said.
"It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista," he said.
Attackers usually craft exploits so that they write data or programs to very specific, static sections in the operating system's memory, but ASLR counters that approach by constantly moving those points to different positions. DEP makes it so that even if the attacker succeeds in guessing the location of the memory location point they're seeking, the code placed there will not execute or run.
While few cyber crooks are attacking Mac users through Safari and Firefox at the moment, that may change soon if a large number of Windows users migrate to Windows 7, the successor to Windows Vista, due to be released sometime later this year.
"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."
Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators, also won a Macbook and $5,000, for developing an exploit for a previously unknown critical flaw in Safari on Mac OS X.
"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in certain spot, and that it would [execute], and in Vista neither of those things would have happened."
Interestingly, none of the contests managed to find a remotely exploitable vulnerability in Google's Chrome, the other remaining browser targeted in the Pwn2Own contest.
