Charlie Miller: Windows 7 + IE 8 or Chrome provides safest computing experience

If you weren't already aware, Charlie Miller is a prominent white hat hacker and security expert who regularly makes headlines, as what he has to say is generally pretty important. He often participates in (and has twice won) the Pwn2Own competition, where groups of hackers compete against each other for rewards by uncovering security flaws in major operating systems or browsers.

With the Pwn2Own 2010 competition a couple of weeks away, interviews with the competitors are beginning to be released, with Charlie Miller giving his thoughts on the current state of technology security. Miller was asked which of Windows 7 and Snow Leopard would be harder to hack, and answered the former: Windows 7 has what is known as full ASLR (address space layout randomization), and is also harder to attack because Java and Flash aren't installed by default. Asked about the safest operating system and browser combination, Miller named Windows 7 with Internet Explorer 8 or Google's Chrome browser, though he also stated that not having Flash installed is a big factor. He stated, "There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!"

On the subject of mobile security, the question was raised of which platform is more secure, iPhone OS or Android. Miller believes that the iPhone OS is easier to exploit, though that is because it has been around for longer, so security researchers have had more time to find vulnerabilities. Windows Phone 7 is a potential target for next year's Pwn2Own, which is nothing but a good thing as it'll help out the consumers who use it regularly.

It's interesting to hear what an experienced security expert has to say on these matters. Be sure to stay attentive at the end of March when this year's Pwn2Own is held, as it affects almost everybody.


65 Comments


So the main thing is not to install flash.........the internet wouldn't be anywhere near as entertaining if it weren't for flash.
I know others would take its place if it wasn't there, who doesn't install flash?

Riggers said,
So the main thing is not to install flash.........the internet wouldn't be anywhere near as entertaining if it weren't for flash.

I'm afraid I disagree with you. I only install Flash so I can watch Flash videos. I detest sites that use slow load flash images to stroke corporate egos. I use Firefox FlashBlock, along with BetterPrivacy, so I can control Flash, and delete their despicable "super cookies".
Google are now competing with Microsoft at Satan's top table. IMO, anyone installing Google Chrome is supping with the devil. I wonder how many people realise how much of their surfing is being "data mined" by Google (and others). Big brother is watching every mouse click!

boho said,

I'm afraid I disagree with you. I only install Flash so I can watch Flash videos. I detest sites that use slow load flash images to stroke corporate egos. I use Firefox FlashBlock, along with BetterPrivacy, so I can control Flash, and delete their despicable "super cookies".
Google are now competing with Microsoft at Satan's top table. IMO, anyone installing Google Chrome is supping with the devil. I wonder how many people realise how much of their surfing is being "data mined" by Google (and others). Big brother is watching every mouse click!

How the unique (and non-unique) IDs are used by Google is publicly mentioned: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=107684
Do you have any other evidence on the contrary to back your claims up?

This guy is an absolute idiot, I'm pretty sure LYNX on FreeBSD provides much better security.
No javascript, so it'd be darn hard to exploit that.

n_K said,
This guy is an absolute idiot, I'm pretty sure LYNX on FreeBSD provides much better security.
No javascript, so it'd be darn hard to exploit that.

Wow really now? I think you're an idiot because not connecting my computer to the Internet provides much better security than Lynx on FreeBSD.
No Internet, so it'd be darn hard to exploit that.

Edited by -Razorfold, Mar 2 2010, 11:12am :

n_K said,
This guy is an absolute idiot, I'm pretty sure LYNX on FreeBSD provides much better security.
No javascript, so it'd be darn hard to exploit that.
The only idiot here seems to be you, not being able to read the article.

n_K said,
This guy is an absolute idiot, I'm pretty sure LYNX on FreeBSD provides much better security.
No javascript, so it'd be darn hard to exploit that.

"Miller was asked which of the two operating systems out of Windows 7 and Snow Leopard would be harder to hack..."

I fail to understand how this is safer than any Linux distro (especially the majority that don't bundle Flash, and he's making a strong point about it as a benefit to Windows) in combination with Firefox or Chrome. Or is he only comparing Windows and OS X?

Symod said,
I fail to understand how this is safer than any Linux distro (especially the majority that don't bundle Flash, and he's making a strong point about it as a benefit to Windows) in combination with Firefox or Chrome. Or is he only comparing Windows and OS X?
From the article (if you read it): "Miller was asked which of the two operating systems out of Windows 7 and Snow Leopard would be harder to hack [...]"

Until IE is capable of keeping up with web standards I couldn't care less how secure it is. Developers for IE have just got lazy over the years and losing market share is nothing more than they deserve.

TSO said,
Until IE is capable of keeping up with web standards I couldn't care less how secure it is.

Nose, spite, face!
Can't believe that many would choose to knowingly run a less secure browser in preference to one that has less adhesion to standards :)

TSO said,
Until IE is capable of keeping up with web standards I couldn't care less how secure it is. Developers for IE have just got lazy over the years and losing market share is nothing more than they deserve.

IE 8 is standards compliant. CSS3 and HTML 5 are drafts so are not standards. I don't understand where this argument comes from. I think people assume it should have HTML 5. IE 9 will probably have support for both. IE6 was also, when released, the most standards compliant browser there was, hard to believe I know, you can't expect a 10yo browser to be compliant tho.
IE8 behaves almost identically to Firefox and Chrome when designing websites.

20legend said,

Nose, spite, face!
Can't believe that many would choose to knowingly run a less secure browser in preference to one that has less adhesion to standards :)


When I browse the internet I wish to do so to its FULL potential. So long as you're running a suitable AV/firewall and happen not to be a complete moron, browsers such as Firefox/Opera are perfectly adequate alternatives to the almighty IE.

Seriously, IE8 still doesn't even properly support CSS3 yet. IE may have had a great past, but the present and future of this browser I care very little for right now.

the better twin said,

IE 8 is standards compliant. CSS3 and HTML 5 are drafts so are not standards. I don't understand where this argument comes from. I think people assume it should have HTML 5. IE 9 will probably have support for both. IE6 was also, when released, the most standards compliant browser there was, hard to believe I know, you can't expect a 10yo browser to be compliant tho.
IE8 behaves almost identically to Firefox and Chrome when designing websites.

I couldn't care less if they are drafts or actual standards, AFAIK if Firefox and Safari can add decent support for CSS3 and the like, then I expect Microsoft to be able to do the same with IE8. IE is getting left behind by all the other browsers, and I don't expect that to change any time soon.

Edit: Good luck waiting another year or two for Internet Explorer 9 which MAY offer better support for CSS3/HTML5.

Edited by TSO, Mar 2 2010, 9:48am :

TSO said,

I couldn't care less if they are drafts or actual standards, AFAIK if Firefox and Safari can add decent support for CSS3 and the like, then I expect Microsoft to be able to do the same with IE8. IE is getting left behind by all the other browsers, and I don't expect that to change any time soon.

IE 9 is adding CSS3 and HTML 5 support, in addition to hardware and DirectX graphics and text rendering. Doubt you will ever use it tho.

TSO said,

I couldn't care less if they are drafts or actual standards, AFAIK if Firefox and Safari can add decent support for CSS3 and the like, then I expect Microsoft to be able to do the same with IE8. IE is getting left behind by all the other browsers, and I don't expect that to change any time soon.

Edit: Good luck waiting another year or two for Internet Explorer 9 which MAY offer better support for CSS3/HTML5.

What's the point of using CSS3/HTML5 when it's not finalized yet?... IE8 isn't left behind other browsers because it doesn't support stuff that isn't even finished!

TSO said,
Seriously, IE8 still doesn't even properly support CSS3 yet.

BLA BLA BLA. You don't listen to what you are told. Stop trolling and go away.

Edited by RealFduch, Mar 2 2010, 10:56am :

TSO said,

I couldn't care less if they are drafts or actual standards, AFAIK if Firefox and Safari can add decent support for CSS3 and the like, then I expect Microsoft to be able to do the same with IE8. IE is getting left behind by all the other browsers, and I don't expect that to change any time soon.

Edit: Good luck waiting another year or two for Internet Explorer 9 which MAY offer better support for CSS3/HTML5.

From what I've heard of IE9, it and Opera are the only ones that are truly supporting CSS3 so far. Mozilla and Webkit both require brand prefix "hacks" that produce invalid code.

Take the box-shadow attribute for example. In Mozilla, it's -moz-box-shadow. In Webkit, it's -webkit-box-shadow. In IE9 (and Opera) it's box-shadow, which is the correct and future name of the attribute.
For now, we have to go out of our way to support Mozilla and Webkit with CSS3 today.

TSO said,

I couldn't care less if they are drafts or actual standards, AFAIK if Firefox and Safari can add decent support for CSS3 and the like, then I expect Microsoft to be able to do the same with IE8.

I'm glad IE8 doesn't support CSS3 because it isn't final yet, and very likely will change. Imagine if everyone started using CSS3 and HTML5 on their sites, and then in a couple years CSS3 and HTML5 final come out and break everything.

Sounds like all kinds of fun to me!

TSO said,

When I browse the internet I wish to do so to its FULL potential. So long as you're running a suitable AV/firewall and happen not to be a complete moron, browsers such as Firefox/Opera are perfectly adequate alternatives to the almighty IE.

Seriously, IE8 still doesn't even properly support CSS3 yet. IE may have had a great past, but the present and future of this browser I care very little for right now.


Last time Microsoft implemented non-standard features into IE people complained about them not being standards-compliant. Now they are standards compliant (IE is the only browser fully supporting CSS 2.1 which is a standard--CSS 3 is still a draft) and people complain about that instead.

Let's take a look at corner radius for example, which is not supported in CSS 2.1. Mozilla have done their own implementation as have Apple with Webkit (-moz-border-radius and -webkit-border-radius respectively). That's not how we web developers want it.

Sorry guys, I forgot this was a "Microsoft can do no wrong" website. No better than Apple fanboys, any of you...

EDIT-

RealFduch said,

BLA BLA BLA. You don't listen to what you are told. Stop trolling and go away.

Just because someone has a different opinion to your narrow minded views doesn't make them a troll, I suggest YOU take YOUR narrow minded views and bugger off yourself.

Edited by TSO, Mar 2 2010, 3:09pm :

JonathanMarston said,

I'm glad IE8 doesn't support CSS3 because it isn't final yet, and very likely will change. Imagine if everyone started using CSS3 and HTML5 on their sites, and then in a couple years CSS3 and HTML5 final come out and break everything.
Sounds like all kinds of fun to me!

I am pretty sure that if everybody starts using them (i.e., there is a significant market adoption), in almost all likelihoods the spec won't change, even if it is wrong. Because that would break everything.

Baines said,
From what I've heard of IE9, it and Opera are the only ones that are truly supporting CSS3 so far. Mozilla and Webkit both require brand prefix "hacks" that produce invalid code.

This is ON PURPOSE. The prefixes exist because it's implementation of specs that aren't (or weren't) quite finalized and stable. Once they are, the prefixes are no longer required. It's to ensure people don't rely on old/broken implementations.

Kirkburn said,

This is ON PURPOSE. The prefixes exist because it's implementation of specs that aren't (or weren't) quite finalized and stable. Once they are, the prefixes are no longer required. It's to ensure people don't rely on old/broken implementations.

Oh I know that. I was just saying, CURRENTLY we have to do more work to add CSS3 features in those browsers. Sorry if you misunderstood my post.

Never heard of this fella before this, but I'm not changing main browser just yet because he needs to promote his sponsors.

kaffra said,
Never heard of this fella before this, but I'm not changing main browser just yet because he needs to promote his sponsors.

His sponsors? Haha. Wow. I needed a good laugh.

kaffra said,
Never heard of this fella before this, but I'm not changing main browser just yet because he needs to promote his sponsors.

Paid comments on Neowin? I suppose Mozilla Corp. is paying you with the money Google gave them for bundling Google's keylogger with Firefox.

RealFduch said,
Paid comments on Neowin? I suppose Mozilla Corp. is paying you with the money Google gave them for bundling Google's keylogger with Firefox.
Pot, kettle, black. Don't reply to stupid comments with stupider comments.

Kirkburn said,
Pot, kettle, black. Don't reply to stupid comments with stupider comments.

Your post is somewhat ironic considering his post was sarcastic.

Athernar said,
Your post is somewhat ironic considering his post was sarcastic.
If it was, it wasn't very obvious. I've seen people make that same comment in a serious discussion :(

Kirkburn said,
If it was, it wasn't very obvious. I've seen people make that same comment in a serious discussion :(

I dunno, seemed pretty sarcastic to me. Ah, the internet... gotta love all the misunderstandings, hmm?

I'm surprised IE made his list after all the **** it's collected over the years. Also surprised Chrome is that secure, though.

I think IE9 will be fast like Chrome. Microsoft never fail in competition. The only thing that stops them is motivation.

satus said,
I think IE9 will be fast like Chrome. Microsoft never fail in competition. The only thing that stops them is motivation.
lol, IE has been losing market share ever since IE 7 was introduced, and that's definitely not due to a lack of motivation to regain the web by MS.

satus said,
I think IE9 will be fast like Chrome. Microsoft never fail in competition. The only thing that stops them is motivation.

They failed with the zune hd...

Biglo said,
They failed with the zune hd...
No they didn't? That is unless you define fail as "not being 1st", which is ridiculous.

Edited by Kirkburn, Mar 2 2010, 2:02pm :

I don't see how IE is slow / or can be slow. Fast Internet connections and most computers being able to mash out numbers at staggering rates.

Lepton said,
IE? Yeah right

What do you mean? IE 7/8 on Windows 7 (which is the topic) use a security sandbox like Chrome, and unlike Firefox. In case you've missed it, there have been numerous dysfunctional exploits on this software combination and it's probably saved IE from a dozen attacks by now. (And yes, Vista will do just as fine, but that's Vista.)

The sandbox was a major reason Chrome won the Pwn2Own competition, so it's a notable security feature also in real-world scenarios and not just on paper.

The security edge Chrome has over IE is however that it has implemented its sandbox so it functions on XP as well (and OS X and Linux), unlike IE 7/8's model.

Edited by Northgrove, Mar 2 2010, 7:52am :

Lepton said,
IE? Yeah right

IE 8 is slow but it is the most secure browser.
I use Chrome full-time now. I have been using IE 8 till last year end....
Security features like Sandbox are a plus in Chrome and IE8... You might think what's big about sandbox but that's what makes it hard for the hacker to hack..

Lepton said,
IE? Yeah right

Read the article first please.

If people take the anti-Microsoft blinders off they can see that IE8 is a great browser. Mozilla and Google have yet to offer any substantial reason to switch.

Or keep the blinders on and pretend that IE is as evil as Mozilla and Google would have you believe, it's your choice ;)

Lepton said,
IE? Yeah right

I suppose you would know better than him?

Just because IE8 is slower than chrome/firefox does not mean it is less secure.

Glad to hear they think IE8 has security on par with Chrome, but until Microsoft figures out that SIMPLE is better and SPEED makes all the difference, I'll stick to Chrome. =)