This is starting to look like a Charlie Miller information site, but I can’t resist commenting on an article by Gregg Keizer on the Computer World site, in which he says:
The only researcher to “three-peat” at the Pwn2Own hacking contest said today that security is such a “broken record” that he won’t hand over 20 vulnerabilities he’s found in Apple’s, Adobe’s and Microsoft’s software.
Miller is quoted as saying:
“We find a bug, they patch it. We find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”
Well, he has a point. It would be reassuring if major vendors with large research teams and resources found more such bugs themselves than they seem to. However, another common (and related) theme in vulnerability research is that vendors benefit from the work of independent researchers without payment and, in some cases, without acknowledgement. While there’s something that makes me uneasy about bounty hunting,
In fact, though, as Larry Seltzer pointed out in an article a few months ago, it’s not so simple. It may well be, as Dino Dai Zovi suggests, that Apple is doing more than the other heavy hitters to carry out significant vulnerability research on products that have already shipped. But the fact remains that one researcher with three machines and a five-line Python script found significant flaws in a product shipped by a vendor that prides itself on not having a security problem.
Tip of the hat to Juha-Matti Laurio, Larry Seltzer et al. for on-list discussion of this topic…
David Harley FBCS CITP CISSP
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence