20 Preview Bugs to Be Unveiled Soon?

Security researcher Charlie Miller is planning to make public a number of vulnerabilities at the upcoming CanSecWest security conference in Vancouver, Canada. Among these bugs, Forbes reports, are 20 that affect Apple’s Preview, the program used to display PDF files and graphics. Miller has “found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF–or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page.”

Miller used a technique called “dumb fuzzing” to compare four different applications: Preview, Adobe Reader, Microsoft PowerPoint and OpenOffice. “He wrote a simple Python script–just five lines of code–that randomly changes one bit of a PDF or PowerPoint file, plugs the file into the target application to see if it crashes, and then changes another bit, repeatedly tweaking and testing.” Using this technique, he found ways to make programs crash – which is often the sign of a weakness that can be exploited – and, examining these crashes, found nearly 30 ways to take control of the affected program, 20 of which are in Preview.
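The loop described above, as an added example for testing your own parsers (this is not Miller's script). `toy_parser`, its file format and `SEED_FILE` are constructed for illustration, with the parser called in-process in place of a real application. Unlike the description above, each run flips one bit of the original file so that every crash maps to a single bit.

```python
import random
import struct

# Constructed sample input: magic, 2-byte big-endian length, payload, checksum.
SEED_FILE = b"TOY1" + struct.pack(">H", 5) + b"hello" + bytes([sum(b"hello") % 256])

def flip_one_bit(data, rng):
    """Return (mutated copy with one random bit inverted, index of that bit)."""
    bit = rng.randrange(len(data) * 8)
    mutated = bytearray(data)
    mutated[bit // 8] ^= 1 << (bit % 8)
    return bytes(mutated), bit

def toy_parser(blob):
    """Hypothetical target. Malformed input should raise ValueError only."""
    if blob[:4] != b"TOY1":
        raise ValueError("bad magic")
    (length,) = struct.unpack_from(">H", blob, 4)
    payload = blob[6:6 + length]
    checksum = blob[6 + length]  # defect: length field is trusted, may index past the end
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return payload

def fuzz(target, seed_file, iterations, rng_seed=0):
    """Flip one bit per run; map each crashing bit index to the exception name."""
    rng = random.Random(rng_seed)  # fixed seed so a finding can be reproduced
    crashes = {}
    for _ in range(iterations):
        mutated, bit = flip_one_bit(seed_file, rng)
        try:
            target(mutated)
        except ValueError:
            pass  # clean rejection of bad input is the desired behaviour
        except Exception as exc:  # anything else stands in for a crash
            crashes[bit] = type(exc).__name__
    return crashes

if __name__ == "__main__":
    found = fuzz(toy_parser, SEED_FILE, iterations=2000)
    offsets = sorted({bit // 8 for bit in found})
    print(f"{len(found)} crashing bit positions, all in byte offsets {offsets}")
```

Every crashing bit falls in the two-byte length field, which tells whoever triages the result where the missing bounds check is.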

Interestingly, Adobe Reader (and Acrobat) has long been a security risk, and we have recommended that users work with Apple’s Preview instead. The fact that Miller found 20 bugs doesn’t change this, because none of these vulnerabilities are being exploited, whereas the Adobe Reader and Acrobat flaws are actively exploited. For now, there’s nothing to worry about, but we’ll have to see what Miller presents at CanSecWest, and whether Apple reacts quickly to his disclosure.
