funsec mailing list archives
Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
From: Joel Esler <joel.esler () me com>
Date: Sat, 27 Mar 2010 08:30:00 -0400
Good point.

On a positive note, one of the reasons they rewrote Quicktime was to get rid of this stuff. The new Quicktime is much less susceptible (allegedly) to the nonsense that the Quicktime < 10's were.

J

On Mar 27, 2010, at 8:27 AM, Larry Seltzer wrote:

Yeah, I did point out that Apple does do this work. I think Dino Dai Zovi (Charlie's co-author on their book) noted that.

Obviously if Charlie can find 20 critical bugs in OS X just by fuzzing for 3 weeks on a few computers then Apple's not doing enough. Perhaps the problem is that they're *only* looking at the source code.

LJS

-----Original Message-----
From: Joel Esler [mailto:joel.esler () me com]
Sent: Saturday, March 27, 2010 8:20 AM
To: Larry Seltzer
Cc: Juha-Matti Laurio; funsec () linuxbox org
Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

Apple does too. Ever read the security vulnerabilities for the "Credit" line? Look how many say "Apple". A bunch.

Perhaps they just aren't looking the same places as Charlie. That's all. You know, they only have access to the multiple millions of lines of code they maintain for all their products...

J

On Mar 27, 2010, at 7:58 AM, Larry Seltzer wrote:

I wrote about this myself a little while ago:
http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php

Microsoft puts a lot of effort into security research for products under development. But once the product ships they stop looking. Alex Sotirov pointed out that Microsoft's customers, by paying iDefense and TippingPoint and the like, end up paying for research Microsoft should be doing. Perhaps Microsoft is also a customer of these companies, I don't know.

LJS

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Juha-Matti Laurio
Sent: Saturday, March 27, 2010 7:24 AM
To: funsec () linuxbox org
Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs

http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs

"The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

Instead Charlie Miller will show the vendors how to find the bugs themselves.

Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product."

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

--
Joel Esler
http://blog.joelesler.net

Current thread:
- Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Juha-Matti Laurio (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Joel Esler (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Joel Esler (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Charles Miller (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Joel Esler (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Joel Esler (Mar 27)
- Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs Larry Seltzer (Mar 27)