Reigning Pwn2Own champion: "The main thing is not to install Flash!"
Here are the highlights from Miller's interview:
He thinks Windows 7 will prove more secure than OS X Snow Leopard this year, in part because it doesn't have Java and Flash enabled by default. Windows' full ASLR (address space layout randomization) also gives it a security advantage.
When asked what he thought would make the safest OS and browser combo, he opted for Chrome or IE8 on Windows 7, with no Flash installed, although "there probably isn't enough difference between the browsers to get worked up about."
For my money, the juiciest quote from the interview was "The main thing is not to install Flash!"
On the mobile side, Miller guessed that the iPhone 3GS would be more easily exploitable than the Motorola Droid, mainly because the iPhone's been around longer, and has been subjected to more extensive security research.
You can check out Miller's full answers (in English or Italian!) at OneITSecurity.
Chromatic is one of the best time-wasters I've recently come across. It's all about the gameplay -- no Flash graphics here. You play a "circle" (it doesn't really have a name in the game). You move around with the arrow keys, and you change colors with Z, X, and C.
You can either be red, blue, or yellow, and you can switch at any time during the game. Each color has different capabilities -- yellow can double-jump, while red has a longer dash (which is like a forward sprint, activated by double-pressing DOWN).
Each ...
Reader Comments (Page 1 of 1)
KHaynes said 1:28PM on 3-02-2010
I just don't understand people. If flash is such a huge gateway to hacking any browser, first of all why are we just now hearing about it when flash has been ubiquitous for a decade now. In all of my years of working with the web and flash I've never heard this statement from anyone. Even with Steve Jobs recent comments, Safari still comes with Flash enabled and has for years just like most other browsers. More importantly, I think it's irresponsible for Mr. Miller to release this comment with out any explanation or discussion of what mechanisims in the flash player make it so hackable. I mean is it the flash player or is it poorly written flash applications? Is it any version of the flash player or only certain versions. I mean especially considering the fact that nothing is unhackable, it seems a professional would have expalined this comment a little more.
Reply
Al K said 3:59PM on 3-03-2010
Flash used to be much simpler, but now is a big piece of bloatware with it's own security model. And no, it isn't the Flash apps, exploits are against the Flash add-in.
KHaynes said 11:55PM on 3-03-2010
Actually it often is poor coding habits. Even basic research would show you this fact. Flash has never been simpler to use although it does remain beyond certain people's limited technical abilities, which causes some to have a unnatural, ill informed dislike or hatred of a piece of software. Also the 'bloatware' runs just fine in billions of browsers worldwide.
jerryshakalaka said 10:08PM on 3-25-2010
Pretty interesting, I kinda wonder why Chrome wasn't in there though, but this should at least shut up some firefox users.
Well anyway as lenia say, at least this hack is not as bad as this cellphone malware hack: http://bit.ly/creepy-cellphone-spyware-unleashed
KHaynes said 1:29PM on 3-02-2010
http://www.eweek.com/c/a/Security/Adobe-Flash-Security-on-Menu-at-Black-Hat-886244/
Reply
KHaynes said 1:34PM on 3-02-2010
http://blogs.zdnet.com/security/?p=2941
Reply
Fritz W said 1:07AM on 3-03-2010
Up until recently this hack worked quite well at crashing flash allowing further exploitation to take place.
http://flashcrash.dempsky.org/
Flash is crap. I say this having watched crash about 10 times today on 5 different browsers.
Reply
Josh Carlson said 12:06PM on 3-03-2010
Although he's won this contest twice, the fact that he would choose IE8 over firefox makes me suspicious of his Flash claims
Reply
Jeremy said 2:52PM on 3-03-2010
The question was related to security. Many surveys and tests have found IE8 to be more secure than FireFox (at least current versions).
Josh Carlson said 7:18PM on 3-03-2010
Yes, and many have shown Firefox to be more secure also. When it comes to zero-day exploits though, Microsoft doesn't have the best track record. with number of vulnerabilities found and time its taken them to come out with a patch.
spipasucci said 3:47PM on 3-03-2010
Read the article and I've gotta say, the title of this blog post is pretty misleading. The flash comment he makes is a very minimal part of all the questions he's asked... Seems to me less people would have trouble on the internet if they just took a few seconds to educate themselves on what not to click on and how to use basic protections that most every computer has...
Posts like this do nothing more than continue this ridiculous "flash-bashing" mentality that's been running rampant the past month or so...
Reply