March 23rd, 2009

Nils2Own: 'I want to see security flaws fixed'

Posted by Ryan Naraine @ 5:25 am

Categories: Adobe, Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Firefox, Flash, Google, Hackers, Java, Kernel-level Exploits, Microsoft, Mozilla, Patch Watch, Pen testing, Punditocracy, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Apple Macintosh, Mozilla Firefox, Vulnerability, Bug, Microsoft Internet Explorer, Web Browser, Exploit, Web Browsers, Apple Mac OS X, Apple Mac OS

VANCOUVER, BC — Charlie Miller may have dominated the headlines, but the undisputed champion of this year’s CanSecWest Pwn2Own contest was a hitherto unknown hacker who asked to be identified simply as “Nils.”

A day after his perfect sweep, breaking into fully patched default configurations of all three main Web browsers — Microsoft Internet Explorer, Mozilla Firefox and Safari for Mac OS X — the researcher sat down with me to explain his motivations, why he opted not to sell the vulnerabilities for big money, and to spread the word that he is looking for a job once he completes his studies.

Ryan Naraine: So, who are you?

Nils: My name is Nils. I’m 25 years old and I’m a student at the University of Oldenburg in Germany. I’m currently writing my Master’s thesis in computer science.

Why the reluctance to share your last name? No interest in the publicity that comes with this?

Actually, I am in it for the headlines.  I’m finishing school in September and I’ll be looking for a job. I came here to network and [use Pwn2Own] to show what I can do.  The people who are likely to hire me will be here.

The problem with the full name is having all kinds of people try to contact me to talk about buying vulnerabilities. I’m not interested in selling that information to strange people. I understand bugs have value and I’ve sold bugs before, but only to TippingPoint ZDI, because I want the bugs to be reported to the vendor and I want to see them fixed.

There are people saying you  basically gave away “high value” bugs that could have been sold for big money…

Vulnerabilities are only valued highly by companies or organizations who aren’t interested in getting them fixed. I don’t want to participate in that. I like to see my bugs get fixed. During the two days [at CanSecWest], I was able to sit with vendors like Microsoft and Mozilla to work on getting these things fixed.

[ Charlie Miller: "No more free bugs" ]

I’m not interested in selling bugs to strange organizations. Those are the people paying high prices but they’re also not interested in getting them fixed.

Do you specialize in browser vulnerabilities?

I’d say I specialize in client-side bugs. I’ve reported a lot of client-side bugs [through ZDI], in PDF Readers and in Java.  But I like to look at problems in browsers.  The majority of my reported bugs are in browsers, whether it’s IE or Firefox or Safari.

Let’s go through your accomplishment here. On a scale of 1-10, how do you rate the difficulty of exploiting these bugs? Start with Safari on Mac OS X…

For that bug, I’d rate it a 5. Not because Safari on Mac is a harder target, but because of the kind of vulnerability. I can’t say much about it (because of an NDA signed with conference sponsors), but it was harder to find that bug on the Mac. Writing the exploit for Mac was the easy part.

Dino [Dai Zovi] had a great quote during his talk [.pdf]: “Exploit writing on the Mac is fun. Exploit writing on Windows Vista is hard work.” I totally agree with that.

Mac OS X Leopard did not implement randomization properly so it’s very easy to get your exploit to work.  I’m looking forward to seeing what they [Apple] do with Snow Leopard.

How about the Firefox on Windows exploit?

Let me correct something. It was a Firefox on Mac OS X vulnerability and exploit. The bug does affect Windows but, honestly, it’s way harder to get the code to run reliably on Windows. That’s the reason I did my Firefox attack on the Mac. I’m not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily.

For that reason, I’d rate it a 3 in terms of difficulty. The vulnerability was nice. You get a lot of control over what you can do and just execute your code. Just place the code in memory. You can spray it and it’ll be in a predictable area. On Mac OS X, there’s no ASLR or DEP, so you can just [snaps finger], execute it and it will work.

IE 8 on Windows 7?

I came here with that vulnerability. It’s another nice bug, but it was really, really difficult to write the exploit because of ASLR and DEP. I had to use some techniques around those mitigations and make a lot of preparation to make it a reliable exploit. It was very, very hard.

Did you use the Dowd/Sotirov techniques from Black Hat last year?

I really appreciated their work [smiles].

Does it affect earlier versions of IE?

I don’t know. I wasn’t able to trigger it in IE 7. With every new browser version, vendors introduce new features and technologies and make changes to existing technologies. Obviously, with new code comes new risks.

I spoke to Microsoft afterwards. They got a copy of the exploit from my laptop after the contest and they seem really, really eager to get the details quickly and start working on a fix.

[Note: Microsoft has since reproduced and validated the vulnerability and has kick-started its security response process.]

Did you come here with a plan to hit all three major browsers?

Yes. I had the IE 8 and Safari things ready. They were tested ahead of time. I didn’t have the Firefox bug completed. I arrived on Sunday and worked through Tuesday to get that exploit ready.

My plan was to hit all the big browser engines. Browsers are insecure and that’s my area of interest. Ideally, I want to find a job that allows me to work on client-side weaknesses, either on Windows or Mac OS X.

Last word?

It’s best if end users know that they can be exploited on any browser and on any operating system. In general, exploitation on Windows got harder, but it’s not impossible. All the browser engines are getting better at security. It’s much harder to find a vulnerability these days, but there are all kinds of other problems with add-ons and third-party dependencies.

People need to know that bad things can happen while you surf the Internet, regardless of what you use. Software vendors should also concentrate on making it harder to exploit flaws. Bugs are always going to be there, but they have to work on making it tougher for attackers.

* Nils2Own headline credit goes to Ivan Krstic. Photo used with permission from Garrett Gee at InfoSec Events.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
