More from PWN2OWN winner Charlie Miller: It’s the apps, not Mac OS X
Macs aren’t immune from malware attacks.
After conducting an e-mail interview with Charlie Miller, who has gained notoriety in the Mac community by compromising the Safari Web browser on a Mac laptop to win the PWN2OWN contest two years running, I’m now convinced Macs could easily fall prey to malicious exploits.
I know the notion of Mac vulnerability is unpopular, but Miller makes convincing arguments (see the full interview below). And unlike vendors of anti-virus software, Miller and the company he works for – Baltimore-based Independent Security Evaluators – have nothing to gain (ISE is a consulting firm that analyzes applications for security holes).
Miller has an impressive background: He worked five years for the National Security Agency before becoming a principal analyst at ISE. He’s written two books, one of which is “The Mac Hackers Handbook.”
Furthermore, Miller likes Macs; he prefers them, in fact. His primary computer is a 1.83 GHz MacBook. Although he’s won both a MacBook Air and a MacBook Pro at the PWN2OWN contests, he prefers his trusty old MacBook.
Mac susceptibility to malware is not as black and white as many people believe. Apple haters celebrated Miller’s feat; Safari was the first browser to fall in last week’s contest. (Internet Explorer 8 and Firefox also were breached, but Google’s Chrome was not.)
Meanwhile, the Mac community mostly jeered, noting Miller had prepared his exploit in the weeks before the contest. Although true, it doesn’t change the fact he discovered a valid hole in Safari’s code. Mac users should be less critical and more concerned.
And frankly so should Apple. Imagine the PR disaster that would ensue should an exploit for the Mac become widespread. It would punch a huge hole in one of Apple’s major selling points for the Mac – as a safe alternative to malware-plagued Windows PCs.
Now, the interview:
Q: I've been reading the fallout your, er, exploits have caused: cheering from the anti-Apple crowd, defensiveness from the Mac users.
A: Yes, I mostly notice the defensiveness of the Mac fan boys. I've had them say I cheat, that it’s only in the open source components (which it isn't this year), that I'm out to ruin Apple, etc. Some people can't face the reality when it’s staring them in the face. I probably haven't made a lot of friends with my new book "The Mac Hackers Handbook" co-authored with Dino Dai Zovi, the guy who won Pwn2Own three years ago.
Q: Should Mac users be worried?
A: They should definitely be a little worried. Any security expert knows that Mac OS X is less secure than Windows. The question is which is SAFER. Because Mac OS X is still relatively rare, it is actually a little safer. But it has nothing to do with it being more secure, but rather, that bad guys are entirely focused on Windows at the moment due to the overwhelming market share Windows has. At this time, I still don't recommend anti-virus for Mac OS X users, because there simply isn't much malware for that platform. However, if Mac OS X market share ever goes up, there will be a landslide of exploits and malware.
Q: When you say "landslide of exploits," does that include self-replicating viruses such as those that plague Windows and spread around the globe within hours? That's not supposed to be possible on OS X, so they say. Could someone get control of my Mac at home, which is behind a router with a firewall (but sans commercial AV software)?
A: Yes, it is built upon UNIX. However, there is a ton of Apple developed software running in Mac OS X, so that is mostly irrelevant. Being based on BSD, there probably isn't a remote root in the TCP stack, but it doesn't affect whether there is a bug in Safari or Mail or how exploitation would fail. So yes, a BSD box is very secure. A BSD box with Safari, Mail, mDNSResponder, iChat, etc. is as likely to have bugs as any other operating system.
As for a worm, I could imagine a bug in Mail being wormable, as an exploit could mail itself to all the people who have sent you mail, etc. You are protected from server side attacks from your router, but then again, so is your Windows PC.
Q: I understand one common objective is to take control of a PC to use it as a spam-sending zombie. Is that the kind of thing that could happen to Macs?
A: Yes, everything you could do on a Windows machine: turn it into a "bot," send spam, perform DDOS [distributed denial of service], etc. can be done from a compromised Mac.
Q: Has Apple been remiss in leaving so many holes in Safari?
A: All software has bugs, so I can't really blame them for that. Safari may seem to have more bugs because it tries to do more. It tries to make the user experience nice by handling hundreds of different file formats and URL handlers. With more code come more bugs. (For example, Safari comes default with Flash and Java installed, Windows doesn't. I personally like this but it does increase the attack surface).
Q: If it is indeed so easy to hack OS X, shouldn't we have seen at least a few examples of malware in the wild by now? The Mac's share has been growing in the past two years, especially among the group least likely to protect themselves: consumers.
A: I think the reason is economics. Hackers don't do things for fame anymore; it’s a business. It simply isn't profitable to try to make a botnet of Mac OS X machines when there are so many more Windows machines. I like to say that if 90% of computers are Windows machines, bad guys will spend 100% of their time on Windows, not 90%.
Q: Is Windows, at its core, more secure than Mac OS X? And why is the iPhone less vulnerable?
A: Yes. It’s not about the bugs, but rather the technologies which make it difficult to go from a bug/vulnerability to a bad guy running code on your system. Windows has it, OS X doesn't. The two technologies that Windows has that Mac OS X lacks, specifically, are Address Space Layout Randomization (ASLR) and a non-executable heap. These two things make it very hard to write exploits (the code that gains control of your computer) in Windows.
iPhone is more secure than OS X because it has a smaller attack surface (Mobile Safari doesn't try to do everything in the world) and it has some anti-exploitation technologies built into it (specifically a non-executable heap).
Q: Do Mac users need to do anything now to protect themselves, or is it safe to wait until the exploits appear?
A: If you are paranoid, there are some steps you can take, the most basic being anti-virus. However, at this time, I don't think it's necessary considering the expense and potential slow-down versus any benefit gained.
Q: Could Apple make some easy changes to OS X to make it less vulnerable? Or are the problems so deeply rooted in the OS that major code revision would be needed?
A: Most of the changes are pretty major and will have to wait for Snow Leopard at least. I heard a rumor that Snow Leopard will have ASLR for example, although I don't know if this is the case.
Q: Do you think Apple has been too cavalier toward security in Safari and the Mac OS? Does Apple need a Bill Gates-like initiative to start closing the most obvious holes before it’s embarrassed by a wave of malware?
A: I think Apple has stepped it up in the last couple of years but could definitely improve. It boils down to economics. Apple is in business to sell computers. Frankly, that is all they care about, as any company should. Consumers feel Macs are more secure than Windows (even though they are wrong). Where is the economic incentive for Apple to spend money on security in light of this fact?
I have been talking about this issue for a while because I don't want it to come to some large worm or other security issue to force Apple into action, although I'm afraid that is what it will probably take. I want to see Apple become more secure. Until the bottom line is affected, I don't see major changes coming from them. Ironically, Microsoft spends a ton on security, is more secure, but is perceived as less secure!
For further reading, Tom’s Hardware conducted a much more technical interview with Charlie Miller earlier this week.
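The two mitigations Miller names, ASLR and a non-executable heap, can both be verified from outside a process by inspecting its memory map. The following is an added example and is not code from the interview, from ISE or from Apple; it reads the Linux /proc/PID/maps text format (macOS has no /proc, so its vmmap output would need a different parser), and the three map snapshots are constructed samples rather than real captures.

```python
"""Check a process memory map for the two mitigations discussed above: no page
both writable and executable, and ASLR (same region at a different base per run)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One /proc/PID/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

@dataclass
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "rw-p"
    path: str   # file path, "[heap]", "[stack]" or "" for anonymous memory

def parse_maps(text: str) -> list[Mapping]:
    """Parse maps text into Mapping records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return out

def writable_and_executable(maps: list[Mapping]) -> list[Mapping]:
    """Regions violating W^X; with a non-executable heap, [heap] never appears here."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]

def aslr_effective(run_a: list[Mapping], run_b: list[Mapping]) -> bool:
    """Two runs of the same program: under ASLR at least one named region
    (library, heap or stack) should start at a different address."""
    base_a = {m.path: m.start for m in run_a if m.path}
    base_b = {m.path: m.start for m in run_b if m.path}
    shared = base_a.keys() & base_b.keys()
    return bool(shared) and any(base_a[p] != base_b[p] for p in shared)

# Constructed snapshots, not captured from a real system. The first has a
# writable+executable heap and fixed addresses, so a second run is identical.
RUN_NO_MITIGATIONS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
01000000-01021000 rwxp 00000000 00:00 0    [heap]
7ffff7dd5000-7ffff7dfc000 r-xp 00000000 08:01 5678 /lib/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0    [stack]
"""
# Two runs of a hardened build: heap is rw-p and every base address moves.
RUN_HARDENED_A = """\
5581a3c00000-5581a3c01000 r-xp 00000000 08:01 1234 /usr/bin/demo
5581a5e10000-5581a5e31000 rw-p 00000000 00:00 0    [heap]
7f2c1a3d5000-7f2c1a3fc000 r-xp 00000000 08:01 5678 /lib/libc.so.6
7ffd9c1de000-7ffd9c1ff000 rw-p 00000000 00:00 0    [stack]
"""
RUN_HARDENED_B = """\
55d0e7a00000-55d0e7a01000 r-xp 00000000 08:01 1234 /usr/bin/demo
55d0e9b20000-55d0e9b41000 rw-p 00000000 00:00 0    [heap]
7f9b60155000-7f9b6017c000 r-xp 00000000 08:01 5678 /lib/libc.so.6
7ffc0d3ae000-7ffc0d3cf000 rw-p 00000000 00:00 0    [stack]
"""

def audit(before: str, after: str) -> dict:
    """Summarise both checks for two map snapshots of the same program."""
    a, b = parse_maps(before), parse_maps(after)
    return {"wx_regions": [m.path for m in writable_and_executable(a)],
            "aslr": aslr_effective(a, b)}
```

On a live Linux system the same functions can be fed the contents of /proc/PID/maps from two separate launches of the program under test.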
Comments
Thanks for the interview. It's good to see Miller lay out his views in an even-handed way, without getting drowned out by the fanboys on both sides.
(Isn't Miller locally based as well?)
Posted by: rsfinn | March 27, 2009 11:21 AM
100% of all exploits in the wild are Windows exploits!
100% of this article and its interpretations are lies concocted by Apple haters and Windows apologists.
There are NO OS-X exploits in the wild even though the morons have been saying any day now for ten years. The FACTS are if you don't want to have any concern about your computer being infected get a Mac. If you love having your computer infected continuously and paying the thousands of dollars that idiocy involves then continue using Windows and fantasizing about how Macs aren't "really" secure.
It's all you morons have got, self deception and a fifth rate OS.
Posted by: Klink | March 27, 2009 12:28 PM
@ rsfinn:
ISE is based in Baltimore, but Miller lives in St. Louis.
@Klink:
Thanks for the irrational knee-jerk reaction. It was expected.
Posted by: Dave Zeiler | March 27, 2009 12:59 PM
What do you mean by "non-executable heap"? It's my understanding that a page has to be marked executable in order to run code from it. Neither the stack, nor allocable memory are marked executable in Mac OS X, certainly nothing into which a process can write data. Attempting to execute data will result in a fault. It is possible to make data executable, but you need to be able to execute code in the first place to accomplish that. What am I missing?
Posted by: Curious | March 27, 2009 1:31 PM
Mr. Miller has nothing to gain? I vehemently disagree!
In this story, he is assisted in pimping his book and he uses David Zeiler to keep pumping up his reputation. If his reputation ever falls into question - by, oh, I don't know, a reporter doing his or her JOB - then his means of making a living is threatened.
And we know Mr. Zeiler isn't doing his job by two pieces of evidence - in the above story Mr. Zeiler links to, Mr. Miller admits he never obtained admin or root access on the Macs he "hacked". That is a huge red flag that deserved boatloads of follow-up questions. It appears Mr. Zeiler didn't even read the very article he links to!
Evidence item #2 : if Macs are as insecure as Mr. Miller would have us believe, and Mr. Miller is ostensibly a security consultant, then what business does Mr. Miller have using a Mac in the course of business?
This rings as hollow as a locksmith selling schlage locks, but using yale on his or her own house. It just doesn't make sense Mr. Miller would put client data at risk by using what he purports to be an insecure computer. Were I to be one of his clients, I would be hopping mad and demanding to know why my data is being put at risk by a "professional" security consultant.
Then again, this is nothing a professional reporter wouldn't already know if they were truly objective and intent on going where the evidence leads. HINT, HINT.
So yes, Mr. Miller has a great deal to gain and possibly everything to lose by saying and doing the things he does with the complicity of the easily duped, lazy MSM.
Posted by: Buster | March 27, 2009 3:17 PM
While I'm sure anyone who criticizes Charlie Miller will likely be labeled as a fan boy, etc., it's still worth mentioning a few issues.
For starters there is a very big difference between the term malware and a true virus / worm. Miller was able to take advantage of a Safari exploit by getting a user to click on a very special link. No doubt, that is scary, but he wasn't able to break OS X on its own. It required specific user interaction. This is far different from creating an actual virus. It should be noted that Miller's opinion on the matter is just that, opinion. While I subscribe to the "anything is possible" theory, in reality, OS X has proven quite resilient to true virus and worm attempts. There have been multiple unsuccessful attempts. This is not simply a matter of security through obscurity as Miller presents. On the other hand, I agree that Macs would be under more attacks if their market share were higher.
Miller also incorrectly claims that Leopard doesn't have ASLR. That's not actually true. Technically, it does - Apple calls it Library Randomization. Though, the implementation is apparently flawed. Leopard's dynamic loaders (dyld) are loaded in the same place which makes Apple's implementation of ASLR fairly trivial for a security expert to bypass. This is expected to be addressed in Snow Leopard.
Much of what Miller says is true, except that he makes grand generalizations regarding the security of platforms and somehow fails to mention inherent security design flaws in Windows/IE with items such as ActiveX controls, etc. This makes me wonder how familiar he actually is with the Windows side of the equation. He does claim that Macs are safer. Of course, that's an easy claim to make as statistics speak for themselves.
Posted by: Steve | March 27, 2009 3:24 PM
@Curious
On older processors you didn't have to mark a page as being executable. It really didn't care; it would run anything it was told to run. Or worse, it was easy to flip these bits at runtime.
What is being discussed is enabling the Intel/AMD "Execute or Write" protection at the CPU level that appeared.. ermm.. 6 years ago, IIRC? This states a page (be it on stack, heap, or whatnot) cannot be writable and executable. Thus making it harder to do a "buffer overflow" then jump to that memory space to run your attack.
IIRC OpenBSD was the first to announce support for it years before Microsoft implemented it. Along with the random library loading functionality.
I truly love my Mac, and it would take an act of god to pry it from my cold dead hands, but every time I see an installer need to invoke "sudo" to install an app I get very very concerned.
Posted by: Mouring | March 27, 2009 3:31 PM
@Steve: "It's still worth mentioning a few issues. […] Miller was able to take advantage of a Safari exploit by getting a user to click on a very special link. No doubt, that is scary, but he wasn't able to break OS X on it's own. It required specific user interaction."
How is it an issue? Miller did just what he had to do to win the contest. This year's contestants were supposed to pwn a web browser on a Mac or a Windows PC with "no user interaction outside of a single click on a malicious link." And this scenario is realistic, since hackers are increasingly turning their attention to web browsers and third-party software.
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009
Posted by: Adam | March 27, 2009 11:02 PM
@Mouring
I have been doing kernel level programming for 15+ years. Even the 68K processors had the ability to protect executable memory from writes (OS 9 never used it though). The PPC processors are every bit as capable as the Intel processors. OS X, with the BSD kernel does protect executable memory from writes, and will not allow data pages (the heap?) to be executed. I think the claim that Charlie made "OS X lacks, specifically, ..., a non-executable heap" is just patently false - the absolute opposite of the truth. I don't know about the other claim related to Mac OS X lacking ASLR. It may be true, although someone else has already claimed that it is not strictly true.
Oh - yep, when you enter your admin password, all bets are off. You've given power of attorney away at that point :-) Trojans are the threat here, and a real one as we've seen in the last few weeks.
Posted by: Curious | March 27, 2009 11:19 PM
In your article you state "Miller and the company he works for – Baltimore-based Independent Security Evaluators – have nothing to gain"
Not true. Miller gained a new Mac and $5000 for the exploit
Posted by: mij | March 28, 2009 3:39 AM
@mij
I meant he has nothing to gain by scaring ordinary Mac users on security. His company doesn't do business with ordinary users.
@Buster
The book directly relates to his credibility on the topic. And as Adam said, Miller engineered his exploit only to do enough to win the contest. Gaining administrator access would have required more work. He never said he could not have done it.
As for #2, I didn't go into how Miller conducts his work. For that he could well use multiple machines which may or may not be Macs. You make a lot of assumptions here about how they store client data with no way of knowing ISE's policies. I didn't ask about any of that because my focus was on how Mac OS X vulnerabilities might affect typical end users.
Posted by: Dave Zeiler | March 28, 2009 11:02 AM
I worry, as Miller does, that it will take a major public security disaster (e.g. thousands of online bank accounts being hacked) for Apple to take action. It's becoming clearer every day: If you don't make the mistake of confusing obscurity with security, Vista OS is more secure than OSX. Miller's correct that Mac may be safer due to much smaller market share, but that advantage may evaporate tomorrow, or last year.
Posted by: Astrochimp | March 28, 2009 12:59 PM
OS X _was_ more secure pre- XP SP2 when all its ports were closed and Windows' were open. Also, OS X didn't have anything as dangerous as ActiveX was circa 199X to 2004 or whenever when the more gaping holes were patched.
Now I would suspect Vista is somewhat more secure. OS X is no slouch, but Apple has some work to do.
Bot
Patched Mac Fanbot
Posted by: ex2bot | March 28, 2009 8:03 PM
Good article...
All you Fanboys are lost, it reminds me of the liberal-conservative debate
Fanboys parade their ignorance and prejudice.
BTW I own both platforms and I am a techie (it’s my living since 95).
Posted by: Pops | March 29, 2009 3:53 PM
Awesome article. Anything that improves Mac OS X and the applications that run on it is good news for end users.
Posted by: Neil Anderson | March 29, 2009 7:41 PM
@Mr. Zeiler - I take it you *still* haven't read the article *you* linked to, because what you say just isn't true. I quote :
"Charlie: In neither case did I get root/admin access. That would have required additional vulnerabilities."
There was no mention of additional "work", but there was a mention of additional vulnerabilities needed. One infers Mr. Miller meant these vulnerabilities to not be available else he would have availed himself of them.
As for the remark of not knowing the set-up at ISE, yes we do know and I again quote :
"Charlie: I usually work on a pretty old MacBook that I've upgraded the hard drive on. It's been the computer that I had both times at Pwn2Own and it's been in many countries with me like Korea, Japan, Australia, Malaysia, and of course, Canada."
There it is in his own words, Mr. Zeiler. There is no avoiding the conclusion he is putting client data at risk.
It's called 'basic research', and you should try it sometime Mr. Zeiler.
Now you can't claim you didn't know, Mr. Zeiler, because I have done the work of spoon feeding you. Go forth and be a reporter and ask the follow-up questions of Mr. Miller, which is what you *should* have done in the first place.
Posted by: Buster | March 30, 2009 9:01 AM
You state:
"Gaining administrator access would have required more work. He never said he could not have done it."
Sorry, that's not logical. You make it sound as if he _could_ do it by stating that he never said he couldn't do it. He also never said he couldn't ride his bike to the moon. Does that mean that he could?
Posted by: fred | March 31, 2009 6:11 PM
Speaking of installers that "invoke SUDO"..... What about Google Earth v. 5.0 for Mac? Letting processes run at their whim (the Auto Updater feature referred to in the SLA) ???
Did Google back down on that one yet?
Posted by: rdalem | April 1, 2009 7:52 AM
@Buster: "There was no mention of additional "work", but there was a mention of additional vulnerabilities needed."
Sigh. Finding another vulnerability would have required more work, useless work because it was not needed to win the contest.
@Buster: "if Macs are as insecure as Mr. Miller would have us believe, and Mr. Miller is ostensibly a security consultant, then what business does Mr. Miller have using a Mac in the course of business?"
It never occurred to you that a security researcher, ex-NSA, knows how to harden his system? Besides, he said that Macs were less secure because of the lack of anti-exploitation technologies (ASLR is not fully implemented at the moment) but safer nonetheless. I quote: "Any security expert knows that Mac OS X is less secure than Windows. The question is which is SAFER. Because Mac OS X is still relatively rare, it is actually a little safer."
Posted by: Adam | April 2, 2009 5:54 AM
@Buster: You'd make your points more effectively if you'd moderate your tone a little bit.
Your jibes at David Zeiler not being a reporter would be more telling if he were, in fact, actually a reporter -- if you'd look up at the sidebar you'd see that his main job is as a page designer. It's lucky that the Sun allows him to indulge his interests in this blog, while the print side continues its inexorable slide towards oblivion. (Sorry, David. :-)
As for Miller not gaining root access: oh, good, he can only get to my personal data. Is that supposed to make me feel better?
As for the "client data" issue, please show me where Miller says he keeps client data on his MacBook; thanks.
What exactly is the point you're trying to make? If you're impugning Miller's reputation, well, I think the evidence here and elsewhere (including the fact that he's just published a book on Mac security, and that he's made his "no more free bugs" policy widely known) should be enough for people to make up their own minds.
Posted by: rsfinn | April 2, 2009 11:33 AM