Pwn2Own winner Charlie Miller is taking a different approach this year to disclosing the vulnerabilities he used to the affected vendors, in this case Apple, Microsoft, and Adobe. In an interview with Computerworld, Charlie stated:

“We find a bug, they patch it, we find another bug, they patch it. That doesn’t improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can’t make them do that.”

Based on this observation, Charlie decided he’s not just going to hand over the vulnerabilities to the vendors. Instead, he’s going to sit down, show them the method he used to find the bugs, and let them do the actual work of finding them.

“People will criticize me and say I’m a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them,” Miller said. “What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing.” That, Miller maintained, would mean more secure software.

I think this is a great approach. Instead of simply giving the vendors the fish, you’re helping them learn to fish, and fishing for vulnerabilities in software is something they need to be doing more often anyway.

Microsoft has already implemented fuzzing in its Security Development Lifecycle (SDL), so how the vulnerabilities made their way into the PowerPoint presentation maker, who knows. I’m not sure if Apple or Adobe already implement a form of fuzzing in their development process, or how far their SDL goes for security — I’m hoping Adobe at least has some pretty stringent processes in place, seeing as they are not the most targeted vendor in the world.

Either way, I love this approach; it puts a little more pressure on the vendors to fix their software and in the process hopefully shows them how simple it is to detect this stuff.