Pwn2Own hacker: Safari is ‘easy pickings’

Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:39:38


Charlie Miller (right), the security researcher who won last year’s Pwn2Own hacker contest, is predicting that Apple’s Safari browser will be the easiest target this year.

In a note posted on the popular Daily Dave mailing list, Miller describes Safari as “easy pickin’s” and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month.

Related Posts

Apple Patches Trident Vulnerabilities in OS X, Safari

September 2, 2016 , 10:00 am

Putting Apple Bug Bounty Rewards in Perspective

August 10, 2016 , 11:00 am

iOS 9.3.4 Patches Critical Code Execution Flaw

August 8, 2016 , 9:00 am

This year’s contest will pit hackers against browsers and smart phones with Internet Explorer, Firefox, Safari, Opera and Chrome among the high-profile targets. It will also include attacks against fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations.

Here are Miller’s predictions:

Safari: hacked by 4 different people. Easy pickin’s as usual.

Android: hacked by 1 person. Not too tough but no one owns one.

IE8, Firefox: Survive unscathed. The bugs to exploit equation is too hard for $5k.

iPhone, Symbian: Survive due to non-executable heap.

Blackberry, Windows Mobile, Chrome: I don’t know enough to say anything intelligent. That said, they’re probably hard/obscure and so survive.

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine. He is also known for launching successful attacks against Apple’s iPhone and Google’s Android platform.

TippingPoint ZDI has more information on the rules and targets for this year’s contest.