blogs.zdnet.com,  Mar 23, 2009

At the CanSecWest security conference in Vancouver BC, hackers were invited to find and exploit holes in modern browsers. A popular target for hackers at this year’s conference was Safari on a Mac — definitely the lowest hanging fruit.

Charlie Miller explains that it’s not whether a product has holes (all of them do), its how easy it is to exploit those holes — and on a Mac, it’s very simple:

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

He did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their “sandbox” makes it extremely difficult to exploit — not only do you need to find a problem, but you also have to figure out how to get out of their Sandbox (an environment that has no access to anything on the computer).

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They've got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you're ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.

No hackers took on Chrome at the conference, simply because everything else was easier.