May 29, 2012 - 10:54 AM EDT — AAPL: 573.06 (+10.77, +1.92%) | NASDAQ: 2877.12 (+39.59, +1.4%)

Dumb fuzzer to discuss 20 security issues in Apple’s PDF renderer (Preview, Safari)

Monday, March 22, 2010 · 2:40 pm · 39 Comments

“Later this month at the CanSecWest security conference in Vancouver, Charlie Miller plans to unveil research that he says has turned up 30 previously unknown critical security vulnerabilities in common software, 20 of which are in Apple’s Preview application,” Andy Greenberg reports for Forbes. “In other words, he says he’s found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF–or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page.”

“The 36-year old researcher used a technique known as ‘dumb fuzzing’ to perform a side-by-side comparison of four different software applications: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle’s OpenOffice,” Greenberg reports. “He wrote a simple Python script–just five lines of code–that randomly changes one bit of a PDF or PowerPoint file, plugs the file into the target application to see if it crashes, and then changes another bit, repeatedly tweaking and testing.”

“After running his fuzzer program on the applications for 3 weeks each, Miller found nearly a thousand unique ways to make the programs crash, and combed through those data to find which of those bugs allowed him to take control of the program,” Greenberg reports. “The results don’t look good for Apple: 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice… Even so, Miller doesn’t confine his criticism to Apple. ‘Microsoft, Apple, and Adobe all have huge security teams, and I’m one guy working out of my house,’ he says. ‘I shouldn’t be able to find bugs like these, ever.’”

“Miller hasn’t yet informed Apple about his new haul of bugs and he says he hasn’t decided yet what to do with them. He may see try to determine which of the flaws would work in iPhone’s version of Safari, and keep one or two in reserve for the Pwn2Own competition, along with ammunition to hack the iPad when it launches next month,” Greenberg reports. “He’s also considering keeping the details of his bugs secret and watching to see how long it takes the software vendors to patch them after his Vancouver talk. While that would leave users vulnerable to the secret vulnerabilities he’s found, Miller says it could also help reveal more about just what software companies are doing–or not doing–to patch their products’ flaws.”

Full article here.

MacDailyNews Take: This the annual “Much Ado About Nothing/Let’s Blow This Totally Out of Proportion” festival. Microsoft apologists love it. Of course, they also think a firecracker equals an atom bomb. Expect Apple to update before any real users are affected, as usual. Still, would it kill Apple to hire a fuzzer right out of college to find these things first, get them corrected, and make Mr. Miller’s “job” more difficult?

Categories: All Sites, News

Thank You for supporting MacDailyNews!

♥ Adobe Photoshop CS6 Extended for Mac - Student and Teacher Edition DVD (65171323) only $249!
♥ Blowout: Apple 15.4" MacBook Pro i7/4Core/2.0GHz/4GB/500GB (MC721LL/A) only $1,549.99 + Free Shipping from MacMall
♥ Mac Madness Save 25% on Parallels Desktop 7!
♥ 15% Off Compatible Ink. 10% Off All Others (excludes OEMs). Free Shipping over $55. Coupon: 123BLOSSOM, Expires 6.18.12
♥ Save up to 60% at the Hammacher Schlemmer Special Values Sale-While supplies last.
♥ Dragon Dictate for Mac 2.5 - New! Simply Smarter Speech Recognition
♥ Up to 30% OFF Accessories from Verizon Wireless
♥ Limited Time Offer: Get free ZAGGsmartbuds when you buy a ZAGGsparq!

Comment Feed

39 Comments

1 2 Next »

KenC

Monday, March 22, 2010 - 2:45 pm · Reply

So, the root of the problem is in Adobe’s PDF, which makes apps like Preview and Safari which can open Adobe’s PDFs, vulnerable too?
HMCIV

Monday, March 22, 2010 - 2:47 pm · Reply

I’ve never uttered a more explosive yawn before in my life.
NCG598

Monday, March 22, 2010 - 2:50 pm · Reply

They should be able to find a “fuzzer” in California with ease.

Of course, we have many catergories of “fuzzers.”
Truth

Monday, March 22, 2010 - 2:50 pm · Reply

I hope Steve sends some jack booted thugs to encourage him to share. Companies mistakes or not, his MORAL obligation is to provide the companies details of the exploits, not to hold them and “see what happens” and to exploit them for financial gain.

IMO he is no better than the scum who would use these to do harm, in doing nothing he is harming..What a tool..
Dirty Pierre le Punk

Monday, March 22, 2010 - 2:54 pm · Reply

It’d be better if they hired a fluffer.
Arnold Ziffel

Monday, March 22, 2010 - 2:59 pm · Reply

So, Barney Fife is taking his one bullet out of his pocket and loading his pistol to show how big and bad he is.

Big whoop.
Tim Flint

Monday, March 22, 2010 - 3:03 pm · Reply

He “says” . . . .
cwa107

Monday, March 22, 2010 - 3:05 pm · Reply

No program is invulnerable to hacking, period. More resilient? Sure. But nothing made by human beings is without fault.

Charlie Miller just happens to have a hard-on for Macs and Apple in general as is evidenced by his numerous quotes and interviews whenever the press wants to drum up another hit-whoring piece about Apple’s “growing” malware threat.

With that said, the press should give no credence to a black hat like Charlie Miller – and yes, he is a black hat unless his motivation is to actually help cure the problem, rather than hold the exploits in reserve as a bounty.
ecrabb

Monday, March 22, 2010 - 3:09 pm · Reply

MDN’s take is right-on with both counts… This isn’t nearly the big deal that some make it, but Apple needs to put security on the front burner big-time.

Apple could hire a small team of these guys, give them a nice base salary, but give them nice bonuses inversely proportional to the number of vulnerabilities people like this Charlie Miller come up with. Beat the hackers at their own game!

That some guy all by himself can find vulnerabilities that Apple engineers don’t know about (or isn’t concerned with) is absurd. Apple should be BETTER than Microsoft or Adobe – not worse.
elgarak

Monday, March 22, 2010 - 3:10 pm · Reply

One question I have, what can he do after he hacked the machine like that? The latest regulations for the competition he won were just reading a file on the targeted machine’s desktop. Big deal. So he can read my files (I keep a great deal of information off my computer, do not safe my SSN or tax return forms in my usual user account, for instance), or can check my browsing history (my ISP and Google already know that). What else can he do?

Install a botnet? I doubt that — it seems he gets access to my user account, but not my admin account (which I keep separate for this very reason, but even if you do use the admin account, one cannot install much. One needs to provide the admin password on the target machine).

As long as he cannot install malware this way, it doesn’t matter in how many ways he can gain access — in my experience, most malware writers are not interested in breaking into individual machines very much. For them, that’s just a means to a goal, which is to zombify and remote control the machine for an extended period later on.
acid

Monday, March 22, 2010 - 3:12 pm · Reply

And PDF is also the culprit in hacking Google out of China. Thanks, Adobe! Needing to break out of the browser security sandbox and execute system code just to view a dumb document? PDF – the 2nd thing that needs to go away next to Flash. I thought XML/XSLT supposed to eliminate all that, isn’t it, Mr. Google-Is-Good-Apple-Is-Evil Tim Bray?
x

Monday, March 22, 2010 - 3:14 pm · Reply

No one takes this publicity stunt fsck seriously. There are no viruses for Mac. Get a life, asswipe.
chabig

Monday, March 22, 2010 - 3:15 pm · Reply

I don’t understand how causing a program to crash can allow someone to take control of an entire
machine–each app runs in a protected memory space.
Fuzzy logic

Monday, March 22, 2010 - 3:17 pm · Reply

fuzzer is not a person. It is a tool. I must say they guy did a great job. Fuzzing for 3 weeks per app is extraordinary. I don’t think there is any company doing it for that long. The PDF vulnerability is especially painful in Mac OS X because it happens on system level and therefore it is more severely exploitable and affects not just “Preview.app” but any app that displays PDFs.

MW: “gone” as in… “my confidence in displaying PDFs in Safari…”
Fact Checker

Monday, March 22, 2010 - 3:20 pm · Reply

Oddly, just last week, I was wondering how secure Preview was. If Adobe reader and Acrobat are having so many problems with pdf’s, why not Preview.

Is Apple ahead of Adobe on this, I wondered. As much as Apple’s criticism of Flash is on the mark, I figured it would be ironic if they weren’t on top of the pdf problem. (Sure Adobe created the pdf but Mac people actually use it and we want it to work safely.)
PDF

Monday, March 22, 2010 - 3:25 pm · Reply

PDF is deeply ingrained in the Mac OS, if you doubt me go over to the Apple Developer site and read up on the use of PDF in the Mac OS.
This is a serious hole if exploited.

I am no alarmist, but Apple needs to do better on security. The number one gripe of many IT people open to Macs in the enterprise is their secrecy, silence and relative slowness to patch vulnerabilities.
Rather than bitch about IT, think of it as a cost of doing business in the enterprise on a broad scale. Apple has the people & money to make this issue go away. As a shareholder of over a decade, I think it’s way past time Apple gets more open and responsive about security.
Tetrachloride

Monday, March 22, 2010 - 3:32 pm · Reply

I agree that Apple is slow on the update with security issues.
WTFrank

Monday, March 22, 2010 - 3:33 pm · Reply

Unfortunately Apple has been brusk with those who find security holes. No one figures it’s worth the hassle to contact Apple directly.

If it was me, I’d hire these guys.
@WTFRank

Monday, March 22, 2010 - 3:36 pm · Reply

Its not you, and they wont be hired, and you a sheep fool just following and scarfing down all of their bullshit.

Get a life, fool.
Bruce

Monday, March 22, 2010 - 3:42 pm · Reply

OSX effected and Window not effected by security issue! Apple fans raise Job’s little red book and shout down the messenger of OSX security issues. This site is really something! I have not seen such union of opinion since Mao’s communist China!