Over the past decade, Microsoft, the target of choice for many online attackers, has hardened its operating system, adopting technologies designed to make it harder for attackers to find and exploit vulnerabilities. Apple and many other software makers have followed suit, introducing similar additional security measures to their operating systems.
Yet last week, during the “Pwn2Own contest” at CanSecWest, a security conference in Vancouver, Canada, security researchers demonstrated that software makers need to do more to protect their programs. Using previously unknown vulnerabilities, the researchers were able to compromise Apple’s Safari, Microsoft’s Internet Explorer 8, and Mozilla’s Firefox Web browsers by circumventing the latest security technologies in place in the operating system underneath.
“These things make it hard–they really do,” says Charles Miller, a principal analyst at Independent Security Evaluators and the researcher who circumvented the security of Apple’s Safari browser and the Mac OS X Snow Leopard operating system underneath. “But, no matter what, a determined attacker can find a way in.”
The results of the Pwn2Own contest underscore a truism in security: Defenders must be right all the time, but attackers only have to be right once. “The exploits are really creative; that’s why they are tricky,” Aaron Portnoy, security research team lead for TippingPoint, the security firm that sponsors the Pwn2Own competition. Continue reading.