That was pretty much what two-time Pwn2Own winner Charlie Miller had to say in an interview with OneITSecurity. What does this mean for computer security, and is there anything that the average user can do to keep himself or herself safe when online?
For the benefit of those who may not be aware, Pwn2Own is an annual competition held during the CanSecWest Security Conference, in which various operating systems and web browsers are placed at the mercy of skilled hackers who will then attempt to exploit any underlying vulnerabilities in the respective systems.
Needless to say, there will be another Pwn2Own competition this year, and it is slated to take place on 24 March, 2010. In an interview with OneITSecurity, reigning champion Charlie Miller has quite a few words to say about the state of security on the various platforms, some of which are rather disconcerting, to say the least.
First on the list is the age-old war over the ease of hacking into a Snow Leopard or Windows 7 machine, and Miller doesn’t mince his words:
“Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default).”
And if you thought that using an alternative operating system like Linux means that you’re automatically protected by some virtual force field, you might want to keep that confidence of yours in check:
“No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. The organizers don’t choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.”
For some reason, he doesn’t go into other alternative operating systems like the *BSD or Unix-based variants, but we figured that it’s probably due to their rather small share in the desktop OS market.
Now that we’ve heard enough bad news, what is the safest browser to use when online? Be prepared for a surprise coming your way:
“[The safest browser is] Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!”
Now, it’s probably well known that Flash does suffer from various bugs and security flaws, but Miller will undoubtedly raise more than a few eyebrows by claiming that Internet Explorer 8 is one of the safer browsers to use when surfing the net.
Then again, there’s no denying that IE8 is an improvement over its predecessor, and that the presence of UAC automatically places IE in a sandbox, which Microsoft calls ‘Protected Mode’, so it’s highly possible that this was the combination Miller was referring to in his claims.
And there you have it: the very words from the reigning winner of the Pwn2Own competition. And if you’d like to read the full interview (which we strongly recommend), please click on the link in the source.