This blog post was written in seconds*
Kevin Long, March 23rd, 2009
It was easy to find fault with the coverage and hacker worship that accompanied a recent exploit-writing contest held at a security conference, but it was tough to decide on a title for this post. A few came to mind, such as the following:
- News flash: Computer users can hurt themselves!
- Warning: Hackers can pwn boxes to which they have physical access!
- Amazing! Computers can do things quickly!
Two individuals are receiving accolades because they wrote code that exploits a very old attack vector, and they received laptop computers as a reward. The code is new, but the story is old.
This reiterates our ongoing recommendation that users not click on links they are not expecting, especially links that come from unfamiliar users or sites. If the reward for compromising a given system is sufficient, exploit code can be crafted for a targeted attack.
Another unfortunate aspect of this story, however, is the sensationalism of its coverage. Users have been able to hurt themselves for a long time, and it's likely they will retain the ability to do so for the foreseeable future. The takeaway is to beware of what you click.
The most inexplicable aspect of the coverage, however, was that so many stories reported the browsers being compromised in seconds. The exploit code used in these attacks was developed over hours, if not days. The writers were not suddenly presented with software to which they had never before been exposed. If the reporters are surprised that the code was executed in seconds, it suggests they were not familiar with the fact that computers do most things in seconds (if not less time).
* Actually, this blog post was published in seconds.
Tags: browser exploit, browser security, firefox security, hack, hacker worship, Hype, ie8 security, Information Security, InfoSec, pwn2own, safari security, sensationalism