Did A Google Earth Mistake Cause A Couple's Brutal Murder?
Redditor Shamed After Girl Finds His Request For Her 'Porn…
Reigning Pwn2Own champion: "The main thing is not to install Flash!"
Here are the highlights from Miller's interview:
He thinks Windows 7 will prove more secure than OS X Snow Leopard this year, in part because it doesn't have Java and Flash enabled by default. Windows' full ASLR (address space layout randomization) also gives it a security advantage.
When asked what he thought would make the safest OS and browser combo, he opted for Chrome or IE8 on Windows 7, with no Flash installed, although "there probably isn't enough difference between the browsers to get worked up about."
For my money, the juiciest quote from the interview was "The main thing is not to install Flash!"
On the mobile side, Miller guessed that the iPhone 3GS would be more easily exploitable than the Motorola Droid, mainly because the iPhone's been around longer, and has been subjected to more extensive security research.
You can check out Miller's full answers (in English or Italian!) at OneITSecurity.
Comments
11
Subscribe to commentsKHaynesMar 2nd 2010 1:28PM
I just don't understand people. If flash is such a huge gateway to hacking any browser, first of all why are we just now hearing about it when flash has been ubiquitous for a decade now. In all of my years of working with the web and flash I've never heard this statement from anyone. Even with Steve Jobs recent comments, Safari still comes with Flash enabled and has for years just like most other browsers. More importantly, I think it's irresponsible for Mr. Miller to release this comment with out any explanation or discussion of what mechanisims in the flash player make it so hackable. I mean is it the flash player or is it poorly written flash applications? Is it any version of the flash player or only certain versions. I mean especially considering the fact that nothing is unhackable, it seems a professional would have expalined this comment a little more.
Al KMar 3rd 2010 3:59PM
Flash used to be much simpler, but now is a big piece of bloatware with it's own security model. And no, it isn't the Flash apps, exploits are against the Flash add-in.
KHaynesMar 3rd 2010 11:55PM
Actually it often is poor coding habits. Even basic research would show you this fact. Flash has never been simpler to use although it does remain beyond certain people's limited technical abilities, which causes some to have a unnatural, ill informed dislike or hatred of a piece of software. Also the 'bloatware' runs just fine in billions of browsers worldwide.
jerryshakalakaMar 25th 2010 10:08PM
Pretty interesting, I kinda wonder why Chrome wasn't in there though, but this should at least shut up some firefox users.
Well anyway as lenia say, at least this hack is not as bad as this cellphone malware hack: http://bit.ly/creepy-cellphone-spyware-unleashed
KHaynesMar 2nd 2010 1:29PM
http://www.eweek.com/c/a/Security/Adobe-Flash-Security-on-Menu-at-Black-Hat-886244/
KHaynesMar 2nd 2010 1:34PM
http://blogs.zdnet.com/security/?p=2941
Fritz WMar 3rd 2010 1:07AM
Up until recently this hack worked quite well at crashing flash allowing further exploitation to take place.
http://flashcrash.dempsky.org/
Flash is crap. I say this having watched crash about 10 times today on 5 different browsers.
Josh CarlsonMar 3rd 2010 12:06PM
Although he's won this contest twice, the fact that he would choose IE8 over firefox makes me suspicious of his Flash claims
JeremyMar 3rd 2010 2:52PM
The question was related to security. Many surveys and tests have found IE8 to be more secure than FireFox (at least current versions).
Josh CarlsonMar 3rd 2010 7:18PM
Yes, and many have shown Firefox to be more secure also. When it comes to zero-day exploits though, Microsoft doesn't have the best track record. with number of vulnerabilities found and time its taken them to come out with a patch.
spipasucciMar 3rd 2010 3:47PM
Read the article and I've gotta say, the title of this blog post is pretty misleading. The flash comment he makes is a very minimal part of all the questions he's asked... Seems to me less people would have trouble on the internet if they just took a few seconds to educate themselves on what not to click on and how to use basic protections that most every computer has...
Posts like this do nothing more than continue this ridiculous "flash-bashing" mentality that's been running rampant the past month or so...