Researcher Finds 20 Preview, Safari Security Holes

[Paul Daniel Ash]

Internet security researcher Charlie MIller will release the results of research he's done to uncover 30 security holes in Mac OS X to the CanSecWest security conference in Vancouver later this month. According to a report by Forbes, the guy who won a MacBook Air at Pwn2Own the past two straight years is not sure whether he will tell Apple what the flaws are: he says he might hold on to them for this year's challenge.

Miller worked for five years at the US National Security Agency as a "global network explaoitation analyst," finding weaknesses and vulnerabilities in computer networks for the US government spies, reportedly carrying out multiple hacks against foreign targets. As a private citizen, he started Independent Security Evaluators, a consulting firm, showing service providers how to harden their Web code against attack. Miller has been very public in his focus on the vulnerabilities of Apple software, being the first to discover a security hole in Mobile Safari in 2007. At Pwn2Own in 2008, it took him just two minutes to defeat a MacBook Air's security, and used a Safari exploit to crack a MacBook in less than 10 seconds in 2009. Last year, he also used an SMS vulnerability to pwn an iPhone.

A report by Andy Greenberg the Forbes Firewall blog notes that of the 30 previously unknown security holes Miller found in Mac OS X, 20 of them are in the Preview application. By tricking a user into opening a PDF that contains Miller's exploit, a hacker could gain control of their Mac. Moreover, since Safari uses Preview's rendering engine to display PDFs in the browser, the code could be hidden on any web page.

Miller told Forbes that he used "dumb fuzzing" to find the holes: a Python script just five lines long changed one bit on a PDF file at a time and let the application run it, checking to see if it crashed. He used this brute force method for three weeks straight on each of four applications and says he found a thousand different ways to crash them. He then investigated the crashes to see if any of them allowed him to gain control of the system. There were 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice.

Miller said that he was surprised he found so many bugs, and took it as a clear indication that Apple being lax in doing its own security testing, “It’s shocking that Apple didn’t do this first," the researcher told Forbes. "The only skill I’ve used here is patience.” He indicated that he hasn't informed Apple of his discoveries and may try to use them against Mobile Safari on the iPhone for this year's Pwn2Own competition. If that works, he says, he'll see if they work on the iPad as well.

"Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," Miller says. "I shouldn't be able to find bugs like these, ever."

[rickybobby]

wow this is some serious stuff huh well what are they gonna do about it

[frozenra1n]

I vote charlie miller should jump on the jailbreak train.

[lolcats1]

it's no secret that their are holes in the OS. the thing is that viruses are written for pc's because there are more of them.

it's not because macs are just so godly that they're immune

[Jgamble317]

I vote charlie miller should jump on the jailbreak train.

Agreed, imagine what would be accomplished

[lolcats1]

Agreed, imagine what would be accomplished

nothing. he just found ways to make viruses for macs. not modifying the OS

[hxclos]

I want that man's knowledge. I feel dumb haha

[rickybobby]

i wonder whats the percentile of people who have macs verses pc

[Tizocman]

i wonder whats the percentile of people who have macs verses pc

in December of 09 the mac market share was about 5.11%. and Windows was about 92.21
thats about 1 mac to every 18 windows

[rhekt]

macs are as vulnerable as you let them

[haywetness]

hii

[steve-z17]

I for one am glad that more people prefer Windows over Mac. More viruses written for Windows is totally fine with me! This guy is really smart, wish I knew how to do some of that stuff.

[PhrequenC]

he just really knows his stuff. he probably knows every code known to mankind. and he's a professional on top of it. practice + patience is all it takes!

i too am glad many poeple own windoze over mac, it makes me feel special because when poeple come to my house, they dont want to use my computer becuase "they dont know how"

[yomamashump]

i too am glad many poeple own windoze over mac, it makes me feel special because when poeple come to my house, they dont want to use my computer becuase "they dont know how"

It doesn't take much for you to feel special does it?

[hackint0uch]

he just really knows his stuff. he probably knows every code known to mankind. and he's a professional on top of it. practice + patience is all it takes!

i too am glad many poeple own windoze over mac, it makes me feel special because when poeple come to my house, they dont want to use my computer becuase "they dont know how"

I agree, It's quite funny. Because I always say macs are great they pick up on small flays and then say macs are bad. Very funny. Like "Look your CPU has gone full, macs are bad", I'm sure thats never happened to them (sarcastically). And "My netbook is better than your MacBook" I'm sure it's a lot faster with it's 1.6GHz CPU and a tiny screen and two or three apps open at a time. Also the "It's much easier in Windows" comments are sooo funny.

[zixara]

Internet security researcher Charlie MIller will release the results of research he's done to uncover 30 security holes in Mac OS X to the CanSecWest security conference in Vancouver later this month. According to a report by Forbes, the guy who won a MacBook Air at Pwn2Own the past two straight years is not sure whether he will tell Apple what the flaws are: he says he might hold on to them for this year's challenge.

Miller worked for five years at the US National Security Agency as a "global network explaoitation analyst," finding weaknesses and vulnerabilities in computer networks for the US government spies, reportedly carrying out multiple hacks against foreign targets. As a private citizen, he started Independent Security Evaluators, a consulting firm, showing service providers how to harden their Web code against attack. Miller has been very public in his focus on the vulnerabilities of Apple software, being the first to discover a security hole in Mobile Safari in 2007. At Pwn2Own in 2008, it took him just two minutes to defeat a MacBook Air's security, and used a Safari exploit to crack a MacBook in less than 10 seconds in 2009. Last year, he also used an SMS vulnerability to pwn an iPhone.

A report by Andy Greenberg the Forbes Firewall blog notes that of the 30 previously unknown security holes Miller found in Mac OS X, 20 of them are in the Preview application. By tricking a user into opening a PDF that contains Miller's exploit, a hacker could gain control of their Mac. Moreover, since Safari uses Preview's rendering engine to display PDFs in the browser, the code could be hidden on any web page.

Miller told Forbes that he used "dumb fuzzing" to find the holes: a Python script just five lines long changed one bit on a PDF file at a time and let the application run it, checking to see if it crashed. He used this brute force method for three weeks straight on each of four applications and says he found a thousand different ways to crash them. He then investigated the crashes to see if any of them allowed him to gain control of the system. There were 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice.

Miller said that he was surprised he found so many bugs, and took it as a clear indication that Apple being lax in doing its own security testing, “It’s shocking that Apple didn’t do this first," the researcher told Forbes. "The only skill I’ve used here is patience.” He indicated that he hasn't informed Apple of his discoveries and may try to use them against Mobile Safari on the iPhone for this year's Pwn2Own competition. If that works, he says, he'll see if they work on the iPad as well.

"Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," Miller says. "I shouldn't be able to find bugs like these, ever."

Like, great article!

[CaptainChaos]

So he can crash apps. Nice. If this wins the contest for him that will be sad.

[PacoBell]

So he can crash apps

...and "gain control of the system." Seriously, learn to read! Ever heard of privilege escalation? I thought not.