--------------------------------------------------------------------------------
TOP STORY

Security competition reveals new browser flaws

By Tracey Capen

CanSecWest 2010's hacker competition results in public defeat for Apple's iPhone and three of the leading Internet browsers.

Apple, Microsoft, and other vendors are certain to release patches in the next few months for these holes, but what's a user to do in the meantime?

Security conferences offer forums for top security specialists to share the latest malware threats and defenses. But CanSecWest's (Canadian Security West) most-popular event is Pwn2Own, a competition for white-hat hackers. The winner is the first contestant to defeat a browser's defenses and take over a personal computer. This year's Pwn2Own included smart phones for the first time.

The most-interesting revelations at this beat-the-browser match were the contestants' ability to circumvent Microsoft's Address Space Load Randomization (ASLR) and Data Execution Prevention (DEP) security controls and their success in hacking Apple's immensely popular iPhone.

Ironically, the competition has another aspect pre-eminent with malware authors — money. In addition to bragging rights, winning this year's Pwn2Own included $100,000 in prize money put up by security company TippingPoint.

Prize money played a significant role in explaining why Apple's Safari, Mozilla's Foxfire, and Microsoft's Internet Explorer were the first browsers cracked — long before anyone even attempted Google's Chrome. With $10,000 at stake for each browser taken down, the contestants went after the browsers they knew best and could defeat the fastest. Noted security specialist Charlie Miller, for example, has won prize money three years in a row — all at Safari's expense.

Miller's win this year was somewhat controversial. TippingPoint and other companies sponsor the Pwn2Own competition for the knowledge contestants reveal when breaking the browsers.

But, as noted in a Computerworld article, Miller declares that he will not give any security company specific details on the 20 flaws he found — not only in Apple's product, but in Adobe Reader and Microsoft Office as well. He states, however, that he's willing to show the vendors how to find the flaws on their own.

Bottom line: Though this competition includes some of the world's leading malware experts, it does not answer the average PC user's one all-important question: which browser is most resistant to attack?

Google's Chrome the 'winning' browser

For the second year in a row, Google's Chrome was the only browser not hacked — not because it was unbreakable, but because the other browsers were easier targets. Compared to IE, Firefox, and Safari, Chrome is a new browser. As noted above, the contestants have far more time invested in researching (and breaking) security flaws in Safari, Firefox, and — especially — IE. As ZDNet's Garett Rogers put it in a March 28 post:

•"These results don't mean that Google is 100% secure — but it does mean that Google simply isn't the lowest hanging fruit. Market share isn't the reason researchers weren't focusing on Google products this year, because prize amounts didn't depend on it — it just happens to be much easier to hack the competition."

What applies to these security experts may also apply to malware authors.

That said, Chrome is getting respect for its seemingly more-secure design. A Techie Buzz story offers a brief description of how Chrome uses sandboxes to resist malware attacks. A programming technique, sandboxes keep potentially harmful software isolated from safe apps — much like putting someone who may have a contagious disease in quarantine. The story goes on to say that IE also uses sandboxes, but with obviously less success.

The upshot: Use Firefox for day-to-day Internet work on sites you know are safe. Typically, it's a smaller target for malware attacks than is IE, and I prefer its interface to Chrome's. Use Chrome when surfing to sites you're unsure of. When installing Chrome, just remember to uncheck the box that makes it your default browser.

IE 8 gets new breach — and a new patch

The most-worrisome security flaw revealed by the Pwn2Own contest was the Internet Explorer 8 hack. Dutch researcher Peter Vreugdenhil won $10,000 by circumventing Windows 7's two best anti-malware controls, Address Space Load Randomization (ASLR) and Data Execution Prevention (DEP).

An independent security expert, Vreugdenhil immediately published a paper, available on his Web site, describing in general terms how he did it. (He states he will not publicly reveal the exact exploits used.) He was able to take over a fully up-to-date Windows 7 system in two steps. First, he managed to evade ASLR and get the memory address of a Windows 7 .dll file. Next, he disabled DEP by using a previously known exploit.

Circumventing DEP is especially troubling: Microsoft relies heavily on DEP to keep out new malware that's unknown to antivirus applications — so-called zero-day attacks.

A March 30 Microsoft Security Response Center bulletin announced the unscheduled release of an Internet Explorer update. According to the bulletin, this release was not related to the IE 8 vulnerability revealed at CanSecWest (which Microsoft is still investigating) but is a cumulative security patch for all versions of Internet Explorer.

Security Bulletin MS10-018 (980182) is marked critical, addresses 10 Internet Explorer security flaws, and should be installed as soon as possible. For more on this and a large Apple patch release, see contributing editor Susan Bradley's Patch Watch column in today's paid content.

Safari may be the most-vulnerable browser

The first browser to fall in the CanSecWest competition was Safari, mostly due to Charlie Miller's expertise in Apple code. There's been a long and loud debate about why hacking is such a problem on Windows yet relatively unheard of on the Mac.

Given the huge commercial nature of today's malware attacks, the answer is not that Macs are more secure (they're not, according to almost every security expert) or that hackers have it out for that evil empire called Microsoft. The answer most likely comes down to money. Mac's approximately 8% market share simply does not offer sufficient monetary return on a hacker's time investment. Mac users are just plain lucky.

For an interesting and somewhat worrisome article on Mac malware, read Andy Greenberg's March 25 article, "The bounty for an Apple bug: $115,000."

Smartphones make a new and tempting target

Possibly the most talked-about event at Pwn2Own was Vincenzo Iozzo and Ralf Weinmann's $15,000 prize for hacking Safari in a fully up-to-date iPhone. This is the first time the iPhone 2.0 operating system has been so openly compromised.

If market share defines the likelihood of a malware attack, what does that portend for the iPhone? A recent report by AdMob, a Google company, states that iPhones make up 50% of the smartphone Internet traffic on AdMob's network. (According to a Gartner study, iPhones made up only 14.4% of worldwide smartphone sales in 2009.) Such a high level of Internet activity from one brand of smartphone should make a tempting target for malware attacks.

The CanSecWest competition has now proved that the Safari browser on iPhones is vulnerable. Safari is currently the only browser allowed on that device.

What happens when your phone is stolen or lost? A good hacker can probably get past both the phone password and any add-on data encryption apps you may have installed. That said, an article in Appletell, "Apps to help keep your iPhone data secure," lists a few you might consider.

French team finds a security flaw in network cards

Public disclosure is an important aspect of security conferences. Security threats known only to an elite group of hackers or security specialists (or both) are brought out into the open. At CanSecWest, one of the less-known security holes — the common network interface card — was revealed.

A story in Malware Diaries describes how two Frenchmen, Loic Duflot and Yves-Alexis Perez, proved that a hacker can execute code on a network card and then take over a PC. That's scary, because network cards, your link to the Internet, communicate with PCs at a low level, where most anti-malware applications never look.

This security threat is completely independent of what operating system you use. It doesn't even require that your PC be powered on. The malicious code uses network-card functions that are normally turned off. When you turn on your PC, those newly enabled functions act as the hacker's doorway into your system.

Note that the point of this demonstration is not to make PC users worry about an immediate threat but rather to give security experts another avenue of attack for consideration. In other words, don't rip out your network interface card and go looking for a more-secure one. You won't find it.

The best policy is to treat your network card as you do your applications. Sign up for update notifications from the network card vendor, and add patches as they come out. Broadcom boards, for example, notoriously need updates (download page) — and not just for security reasons.

The good news is, there are so many easier ways to hack a PC that in-the-wild network card attacks are unlikely.

Contributing editor Susan Bradley contributed to this story