Friday, March 26, 2010

Pwn2Own winner tells Apple, Microsoft to find their own bugs

Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader
By Gregg Keizer, Computerworld, March 25, 2010

The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

Instead Charlie Miller will show the vendors how to find the bugs themselves.

Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

Using just a few lines of code, Miller crafted what he called a "dumb fuzzer," a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for example, has long touted, and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they're created.
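The loop the article describes (mutate an input, run the target, record anything that is not a graceful rejection) is short enough to show in full. The harness below is an added illustration, not Miller's tool or any vendor's code; the record format, the toy parser and its unchecked assumption about a type byte are constructed for this example.

```python
import random

SEED = b"\x03abc\x02de"  # constructed sample input: [len][payload] records

def parse_records(data: bytes, strict: bool = False) -> list:
    """Toy parser for a constructed format: [len:1][payload:len] repeated.
    Malformed input should be rejected with ValueError. Without strict=True
    the parser assumes every payload carries a type byte, the kind of
    unchecked assumption a dumb fuzzer turns into a crash (IndexError)."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1:i + 1 + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        if strict and not payload:
            raise ValueError("empty record")  # the hardened check
        records.append((payload[0], payload[1:]))  # crashes on empty payload
        i += 1 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: a few random bit flips, byte overwrites or truncations."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "truncate"))
        if op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "set":
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif len(data) > 1:  # truncate, always keeping at least one byte
            del data[rng.randrange(1, len(data)):]
    return bytes(data)

def dumb_fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target; keep one reproducer per distinct crash.
    ValueError is the parser's graceful rejection and is not a finding."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # anything else is a bug in the target
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes
```

Running `dumb_fuzz(parse_records, SEED, 3000)` returns the IndexError reproducer within a few thousand cases; rerunning against `parse_records(d, strict=True)` returns no crashes, which is the regression check to keep in the build.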

Miller's fuzzer quickly uncovered 20 vulnerabilities across a range of applications, including Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser. He also found flaws in Microsoft's PowerPoint presentation maker; in Adobe's popular PDF viewer, Reader; and in OpenOffice.org, the open-source productivity suite.

Today, Miller was to take the floor at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

What really disappointed Miller was how easy it was to find these bugs. "Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."

He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing." And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago.

One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."

By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. "I think they'll feel some pressure to find these bugs," he said.

Miller used one of the flaws he found by dumb fuzzing yesterday to exploit Safari on a MacBook Pro, walking off with the notebook, $10,000 and a free trip to Las Vegas this summer to the DefCon hacking conference.

Miller also won cash prizes at Pwn2Own in 2008 and 2009, each time by exploiting a Safari vulnerability on the Mac.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.


News Corp to charge for UK Times online from June

Reuters, March 26, 2010

LONDON - News Corp (NWSA.O) will charge readers for online versions of its UK Times and Sunday Times newspapers from June, becoming the first media firm to test consumers' appetite to pay for mass-market news online.

Access to two new websites for the two titles will cost 1 pound ($1.49) per day or 2 pounds for a week. Subscribers to the print versions will get free access, News Corp said on Friday.

"This is just the start," said Rebekah Brooks, chief executive of News Corp's British newspaper unit News International which also publishes the Sun daily tabloid and sister paper The News of the World on Sundays.

"At a defining moment for journalism, this is a crucial step towards making the business of news an economically exciting proposition," she said in a statement.

Newspapers in Western Europe and the United States have been battered by the recession while fighting a structural shift in their business from paid-for newspapers to largely free news on the Web.

Two business newspapers -- the Financial Times (PSON.L) and News Corp's Wall Street Journal -- charge readers for online access but consumer publications have so far not followed, fearing a massive loss of readers.

News Corp chief executive Rupert Murdoch has become a kind of champion of paid-for online news, saying Internet giant Google (GOOG.O) has deprived the industry of revenue by making news articles searchable for free.

In January, The New York Times (NYT.N) said it would start charging readers for access to online articles from next year, acknowledging that advertising revenues were unlikely to be able to fund its journalism in the future.

The editors of the Times and Sunday Times promised interactive features to get readers more involved, personalised news feeds, and coming versions for phones, e-readers, tablet computers and other mobile devices.

The Times and the Sunday Times will launch new, separate websites in early May, which will be free to registered customers for a trial period.

The print version of the Times costs 1 pound on weekdays and 1.50 pounds on Saturdays, and the Sunday Times costs 2 pounds. (Reporting by Georgina Prodhan) ($1 = 0.6702 pound)


Microsoft Integrates Foursquare Into Bing Maps; Turns Attention To Signals

By Laurie Sullivan, MediaPost Publications, March 26, 2010

Microsoft plans to deliver new tools in Bing Maps powered by mobile location service Foursquare. The Redmond, Wash. company's Silverlight technology will pull in the data.

Bing has begun to pay more attention to real-time, social and location-based data signals that can provide depth to search queries that serve up tips, comments and other information.

Enhanced location-based services and a variety of other features will become available during the next few months, as Microsoft continues to invest more in its mapping platform. Not just information from "maps" that show location, but a "canvas where you can visualize search data," Adam Sohn, Bing director for the Online Services Division, told MediaPost Thursday. "The concept is related to the notion that there's real data and information behind each search that often gets disaggregated from its physical context."

People searching for information on Bing will finally begin to see the fruits of labor from separate deals inked with Facebook and Twitter last year to deliver real-time data.

Delivering real-time information based on a variety of signals means that people who search for a particular news source, such as The New York Times, get links not only to the main site but also to its most popular trending stories, ranked on what is being shared across the Web. Sohn says it's a new way to generate traffic from the search engine to the publisher's site.

Microsoft also plans to enhance Quick Tabs on Bing, moving the tabs from the left rail to the top of the page. The feature aims to deliver results based on what the search engine believes represents the intent of the person searching on the query. The change also represents a new look for the user interface and hopefully a more intuitive way to search.

Bing's focus on "curating content," rather than "cataloging Web sites," supports Forrester Research Principal Analyst Shar VanBoskirk's vision for the future of search. "Think about a search engine as a concierge pointing you to answers you need, instead of presenting lists of sites that have content that matches your query," she says.

VanBoskirk points to the side and the top navigation capabilities. The features allow users to drill into categories of content related to their search without having to do a subsequent search, or click through to pages to see if the content matches their needs.

"I think the other enhancement that really illustrates this shift is the creation of comparison answers and domain task pages," VanBoskirk says. "These are literally aggregations of content, links, images, video specifically to answer the most common search goals associated with different topics. Instead of having to scout through multiple pages, content sources, using multiple queries, Bing curates all of what they think the searcher is after into one page."

Thursday marked the beginning of Bing's spring release. Microsoft will experiment, test and roll out these features during the next several months.