Thursday, March 25, 2010

Miller Snubs Apple and MS Says 'Find Your Own Bugs'

Following his feats at Pwn2Own security researcher Charlie Miller gave the snub to software giants Apple, Microsoft and Adobe when he refused to provide the companies with the more than 20 vulnerabilities he has found in their software.

When Miller took the floor at CanSecWest many believed that his intent was to fully disclose the vulnerabilities he found, however that was never his intention. He instead demonstrated how he found the vulnerabilities, hoping that Apple, Microsoft and other vendors would listen to what he has to say.

Using a "dumb fuzzer", which is basically just a few lines of code that search for flaws in software by inserting data to see where the program fails, Miller quickly uncovered 20 vulnerabilities ranging across several different applications including; Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser; Microsoft's PowerPoint presentation maker; Adobe's popular PDF viewer, Reader; and in, the open-source productivity suite.

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

"We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, the software gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

Miller's hope is that vendors like Microsoft, Apple and Adobe, which spend millions of dollars and have teams of security engineers and scores of machines running fuzzers looking for flaws, will sep up and learn from something that one researcher with three computers has done in a short time. If the companies will duplicate his work, and maybe, just maybe, be motivated to do more of their own research prior to releasing the software they can learn to find these flaws before the release rather than taking findings from researchers after the fact and creating a reactionary fix. 

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you