Web Browser Security: Cracked in minutes

There was a hacking contest at the [CanSecWest 2009 security conference](http://cansecwest.com/) this past week, and it proved that web browsers still aren’t secure. Here’s [the report](http://www.heise.de/english/newsticker/news/134843):

> Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X in a matter of seconds.

> Following Miller, a 25-year-old computer science student at the University of Oldenburg in Germany, who went by the name of ‘Nils’, used an exploit on Microsoft’s Internet Explorer 8 circumventing the latest Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR)… he then demonstrated an exploit for Safari and Mozilla’s Firefox.

What does this mean for me and you? That if a well-organized group or well-funded organization wants to, they can and will hack your machine.

I think there’s an extremely high likelihood that these hackers exploited a hole in JavaScript or Flash, not in the web browser’s rendering of HTML itself. Running untrusted code from random sites never has been, and never will be, free of security risk. That’s why I use the [NoScript](http://noscript.net/getit) Firefox extension, which blocks scripts and plugins by default and lets you allow them only for sites you trust. Unfortunately, it makes many sites confusing by reducing the “richness” of the web browsing experience, and can even break online shopping.

Is there a moral of the story here? Life is risky. Surfing the web is risky. By avoiding all risk, there is no opportunity, no life.