Posted by: David Harley | March 27, 2010

Apple, Microsoft, Adobe and Entomology: the Miller’s Tale

This is starting to look like a Charlie Miller information site, but I can’t resist commenting on an article by Gregg Keizer on the Computer World site, in which he says:

The only researcher to “three-peat” at the Pwn2Own hacking contest said today that security is such a “broken record” that he won’t hand over 20 vulnerabilities he’s found in Apple’s, Adobe’s and Microsoft’s software.

Miller is quoted as saying:

“We find a bug, they patch it. We find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”

Well, he has a point. It would be reassuring if major vendors with large research teams and resources found more such bugs than they seem to. However, another common (and related) theme in vulnerability research is that vendors benefit from the work of independent researchers without payment and, in some cases, without acknowledgement. While there’s something that makes me uneasy about bounty hunting,

In fact, though, as Larry Seltzer pointed out in an article a few months ago, it’s not so simple. It may well be, as Dino Dai Zovi suggests, that Apple is doing more than the other heavy hitters to carry out significant vulnerability research on products that have already shipped. But the fact remains that one researcher with three machines and a five-line Python script found significant flaws in a product shipped by a vendor that prides itself on not having a security problem.

Tip of the hat to Juha-Matti Laurio, Larry Seltzer et al. for on-list discussion of this topic…

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
