Dumb fuzzer to discuss 20 security issues in Apple’s PDF renderer (Preview, Safari)

“Later this month at the CanSecWest security conference in Vancouver, Charlie Miller plans to unveil research that he says has turned up 30 previously unknown critical security vulnerabilities in common software, 20 of which are in Apple’s Preview application,” Andy Greenberg reports for Forbes. “In other words, he says he’s found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF–or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page.”

“The 36-year old researcher used a technique known as ‘dumb fuzzing’ to perform a side-by-side comparison of four different software applications: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle’s OpenOffice,” Greenberg reports. “He wrote a simple Python script–just five lines of code–that randomly changes one bit of a PDF or PowerPoint file, plugs the file into the target application to see if it crashes, and then changes another bit, repeatedly tweaking and testing.”

“After running his fuzzer program on the applications for 3 weeks each, Miller found nearly a thousand unique ways to make the programs crash, and combed through those data to find which of those bugs allowed him to take control of the program,” Greenberg reports. “The results don’t look good for Apple: 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice… Even so, Miller doesn’t confine his criticism to Apple. ‘Microsoft, Apple, and Adobe all have huge security teams, and I’m one guy working out of my house,’ he says. ‘I shouldn’t be able to find bugs like these, ever.’”

“Miller hasn’t yet informed Apple about his new haul of bugs and he says he hasn’t decided yet what to do with them. He may try to determine which of the flaws would work in iPhone’s version of Safari, and keep one or two in reserve for the Pwn2Own competition, along with ammunition to hack the iPad when it launches next month,” Greenberg reports. “He’s also considering keeping the details of his bugs secret and watching to see how long it takes the software vendors to patch them after his Vancouver talk. While that would leave users vulnerable to the secret vulnerabilities he’s found, Miller says it could also help reveal more about just what software companies are doing–or not doing–to patch their products’ flaws.”

Full article here.
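The one-bit mutation loop Greenberg describes, shown as an added illustration rather than Miller’s script or any code from the article: a mutator that flips exactly one random bit, a constructed toy parser standing in for the renderer under test, and a loop that buckets the resulting crashes by signature so that unique crash classes can be triaged, the way the article says Miller combed through his results. The toy parser, its two failure classes and the sample PDF seed are all constructed for this example.

```python
import random
from typing import Callable, Dict


def flip_one_bit(data: bytes, rng: random.Random) -> bytes:
    """Return a copy of `data` with exactly one randomly chosen bit flipped."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings (mutator sanity check)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def toy_pdf_parser(data: bytes) -> int:
    """Constructed stand-in for the PDF renderer under test (not a real parser).
    It 'crashes' by raising on two classes of malformed input."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("bad header")
    obj_count = data.count(b" obj")
    end_count = data.count(b"endobj")
    if obj_count != end_count:
        raise IndexError("unbalanced obj/endobj")
    return obj_count


def fuzz(target: Callable[[bytes], int], seed: bytes,
         iterations: int, rng_seed: int) -> Dict[str, int]:
    """Dumb-fuzzing loop: mutate one bit of `seed`, feed it to `target`, and
    record each crash under a signature (exception type and message here; a
    real harness would key on the faulting address or stack trace instead).
    The returned map is the raw material for triage: how many distinct crash
    classes appeared and how often each recurred."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, int] = {}
    for _ in range(iterations):
        mutated = flip_one_bit(seed, rng)
        assert bits_changed(seed, mutated) == 1  # mutator invariant
        try:
            target(mutated)
        except Exception as exc:  # a real harness watches for a signal/crash
            sig = f"{type(exc).__name__}: {exc}"
            crashes[sig] = crashes.get(sig, 0) + 1
    return crashes


# Constructed minimal PDF-like seed file used as the fuzzing corpus.
SEED_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n2 0 obj\n<< >>\nendobj\n"
```

Calling `fuzz(toy_pdf_parser, SEED_PDF, 2000, 7)` yields a small dictionary of crash signatures with counts, which is the point at which a real campaign hands the deduplicated cases to a debugger to decide which ones are exploitable.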

MacDailyNews Take: This the annual “Much Ado About Nothing/Let’s Blow This Totally Out of Proportion” festival. Microsoft apologists love it. Of course, they also think a firecracker equals an atom bomb. Expect Apple to update before any real users are affected, as usual. Still, would it kill Apple to hire a fuzzer right out of college to find these things first, get them corrected, and make Mr. Miller’s “job” more difficult?

39 Comments

  1. I hope Steve sends some jack-booted thugs to encourage him to share. Companies’ mistakes or not, his MORAL obligation is to provide the companies details of the exploits, not to hold them and “see what happens” and to exploit them for financial gain.

    IMO he is no better than the scum who would use these to do harm; in doing nothing he is harming. What a tool.

  2. No program is invulnerable to hacking, period. More resilient? Sure. But nothing made by human beings is without fault.

    Charlie Miller just happens to have a hard-on for Macs and Apple in general as is evidenced by his numerous quotes and interviews whenever the press wants to drum up another hit-whoring piece about Apple’s “growing” malware threat.

    With that said, the press should give no credence to a black hat like Charlie Miller – and yes, he is a black hat unless his motivation is to actually help cure the problem, rather than hold the exploits in reserve as a bounty.

  3. MDN’s take is right-on with both counts… This isn’t nearly the big deal that some make it, but Apple needs to put security on the front burner big-time.

    Apple could hire a small team of these guys, give them a nice base salary, but give them nice bonuses inversely proportional to the number of vulnerabilities people like this Charlie Miller come up with. Beat the hackers at their own game!

    That some guy all by himself can find vulnerabilities that Apple engineers don’t know about (or isn’t concerned with) is absurd. Apple should be BETTER than Microsoft or Adobe – not worse.

  4. One question I have: what can he do after he hacked the machine like that? The latest regulations for the competition he won were just reading a file on the targeted machine’s desktop. Big deal. So he can read my files (I keep a great deal of information off my computer, do not save my SSN or tax return forms in my usual user account, for instance), or can check my browsing history (my ISP and Google already know that). What else can he do?

    Install a botnet? I doubt that — it seems he gets access to my user account, but not my admin account (which I keep separate for this very reason, but even if you do use the admin account, one cannot install much. One needs to provide the admin password on the target machine).

    As long as he cannot install malware this way, it doesn’t matter in how many ways he can gain access — in my experience, most malware writers are not interested in breaking into individual machines very much. For them, that’s just a means to a goal, which is to zombify and remote control the machine for an extended period later on.

  5. And PDF is also the culprit in hacking Google out of China. Thanks, Adobe! Needing to break out of the browser security sandbox and execute system code just to view a dumb document? PDF – the 2nd thing that needs to go away next to Flash. I thought XML/XSLT supposed to eliminate all that, isn’t it, Mr. Google-Is-Good-Apple-Is-Evil Tim Bray?

  6. Fuzzer is not a person. It is a tool. I must say the guy did a great job. Fuzzing for 3 weeks per app is extraordinary. I don’t think there is any company doing it for that long. The PDF vulnerability is especially painful in Mac OS X because it happens on system level and therefore it is more severely exploitable and affects not just “Preview.app” but any app that displays PDFs.

  7. Oddly, just last week, I was wondering how secure Preview was. If Adobe Reader and Acrobat are having so many problems with PDFs, why not Preview?

    Is Apple ahead of Adobe on this, I wondered. As much as Apple’s criticism of Flash is on the mark, I figured it would be ironic if they weren’t on top of the PDF problem. (Sure, Adobe created the PDF, but Mac people actually use it and we want it to work safely.)

  8. PDF is deeply ingrained in the Mac OS; if you doubt me, go over to the Apple Developer site and read up on the use of PDF in the Mac OS.
    This is a serious hole if exploited.

    I am no alarmist, but Apple needs to do better on security. The number one gripe of many IT people open to Macs in the enterprise is their secrecy, silence and relative slowness to patch vulnerabilities.
    Rather than bitch about IT, think of it as a cost of doing business in the enterprise on a broad scale. Apple has the people & money to make this issue go away. As a shareholder of over a decade, I think it’s way past time Apple gets more open and responsive about security.

  9. Unfortunately Apple has been brusque with those who find security holes. No one figures it’s worth the hassle to contact Apple directly.

    If it was me, I’d hire these guys.

  10. OSX affected and Windows not affected by security issue! Apple fans raise Jobs’ little red book and shout down the messenger of OSX security issues. This site is really something! I have not seen such union of opinion since Mao’s communist China!

  11. There is a much cheaper way to take care of this problem.

    I know a guy in Vancouver who can make it look like an accident, for $10,000 and Charlie Miller wouldn’t be a problem any more.

    He’s right downtown and his storefront has a very discreet sign in the window.

    HITMEN ‘R’ US

  12. I’m a self-professed Apple fanboy and Microsoft hater, but the MDN take and others are way off the mark here.

    The article says “find which of those bugs allowed him to take control of the program”. Not crash it. “Take control”. Writing an exploit from that point is fairly easy, even if you have to send someone the malicious file or web URL.

    This is, in fact, a serious issue. Don’t forget that one of the biggest arguments next to memory/crashiness of Flash is the security problems. If Apple doesn’t have its own house in order, then it’s the pot calling the kettle black when they trash Flash on that basis.

    It’s amazing that major software companies don’t have testing programs designed to do exactly what this fellow has done. That’s either hubris or stupidity.
