Hack Expert Says Windows 7 is Hard to Hack

Security expert Charlie Miller has participated in the Pwn2Own contest over the last two years, and has won both times. Held at the CanSecWest conference in Vancouver, British Columbia, Canada, the contest challenges contestants to find "big bugs" in web browsers, operating systems, and even mobile devices. With the 2010 conference just around the corner (March 24), oneITsecurity conducted an interview with the champ and asked Miller which was harder to crack: Windows 7 or Snow Leopard?

"Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default)," he said. "Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows."

He also added that a safe browsing combination would be Chrome or Internet Explorer 8 on Windows 7, although he said that there isn't enough difference between the two browsers to "get worked up about." He did emphasize, however, that Flash should not be installed, no matter what browser or OS the consumer uses.

The interview also covered exploits on game consoles. As the interviewer points out, the devices are in our living rooms, in our dens and offices, yet there are still few exploits and vulnerabilities discovered. Why aren't security researchers working on finding exploits on these devices? Because there are more PCs, and game consoles don't need to be connected to the Internet.

"I’ve had Wii for a year or so and it’s never been on the Internet," Miller said. "It’s hard to remotely attack the box when you can’t get packets to it :) Also, computers, and phones to a lesser extent, are designed to be customized, to download and use/render content from the Internet. This is where vulnerabilities exist and exploits are created. Game consoles don’t do this as much so the attack surface is much smaller. The final reason is it is hard to do research on them. It’s not easy to get a debugger running on an Xbox, for example."

To catch the full interview, head here.

  • mrmoo500
    I thought macs never got virus...
  • Abrahm
    mrmoo500 wrote: I thought macs never got virus...
    No no, Macs never get any problems at all ever. Any issue is the user's fault, or the fault of a 3rd party software developer. Nothing Apple makes ever has problems.
  • skit75
    The "expert" identified 3rd party softwares (Java & Flash) as the primary intrusion point. Not much any OS can do if the backdoor is wide open, despite which ever "fanboy" tag you wear.
  • jimmysmitty
    We will soon see the reason why Steve Jobs wears the black shirt. He is half ninja. I am sure this guy will be dead for saying Windows 7 was harder to hack.

    Ninja Steve.
  • mrmoo500
    skit75 wrote: The "expert" identified 3rd party softwares (Java & Flash) as the primary intrusion point. Not much any OS can do if the backdoor is wide open, despite which ever "fanboy" tag you wear.
    But in all the commercials they tell me they don't!!!
  • officeguy
    What is the point of hacking anyhow. A challenge perhaps. There are plenty of other challenges out there in the world that are more productive. Hacking will only land you in jail, if you are not careful!!
  • cyprod
    ...other than not default install the offending application.
  • dman3k
    Seriously, Flash sucks. It is like IE; take the market leading position and sit on it. Go HTML5! I'd rather use Silverlight than Flash.
  • Viruses are a non-issue from a security standpoint. No one should EVER get a virus, especially not in a business. If you get hit with a virus or worm, you should line up your IT staff and fire pink slips at them, then hire people who actually know how to properly build & manage IT systems.

    If security isn't an issue for Macs, then why is there a 50,000 strong mac botnet?

    Proper security is an issue for every platform. Security isn't a product, it's a process.
  • maestintaolius
    officeguy wrote: What is the point of hacking anyhow. A challenge perhaps. There are plenty of other challenges out there in the world that are more productive. Hacking will only land you in jail, if you are not careful!!
    Well, of course, there is the whole monetary reason to get information as a pretty big point (even if it is illegal). But, one of the really good reasons to hack and have these hacking conferences is they expose the weaknesses in the OS or browser and allow the manufacturers a chance to fix them.

    That said, I'm not surprised Flash is a major troublemaker. The only problem I've had in the last 4 years was a result of a Flash advert installing a Trojan (and it wasn't even a porn site!). NoScript and ABP are just great.