Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

Posted by CmdrTaco on Sat Mar 29, 2008 11:02 AM
from the tough-nut-to-crack dept.
Security
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

Related Stories

[+] MacBook Hacked In Contest Via Zero-Day Hole in Safari 156 comments
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
[+] Apple: MacBook Air First To Be Compromised In Hacking Contest 493 comments
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Firehose:Last year's CanSecWest winner repeats on Vista by Anonymous Coward
[+] Developers: Malware Modification Contest Has Antivirus Vendors Upset 167 comments
SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."
[+] Kraken Infiltration Revives "Friendly Worm" Debate 240 comments
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
[+] Technology: A Few Firefox 3 Followups 184 comments
An anonymous reader writes "Using data generated by the Mozilla Firefox download pledge page, the map on this blog post ranks countries, not by absolute number of pledges made, but rather on a per capita basis. This analysis yields some interesting conclusions about where open source is strongest and weakest." Anonymous Warthog writes "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released. Additionally, there was a posting on the Full Disclosure security mailing list from someone that purports to have another vulnerability in the works as well. In the grand scheme of things, this probably means nothing to the general security of Firefox, but you can be sure the browser zealots on all sides will be watching carefully." Finally, from reader Toreo asesino: "Microsoft have congratulated the Mozilla team by sending them their second cake (minus recipe) to Mozilla's Mountain View headquarters to congratulate them on shipping FireFox 3, which went live right on time last night." Congratulations are indeed due on both the browser and the release process — looks like the Firefox fever (despite some seriously taxed servers) resulted in more than 8 million downloads in 24 hours.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 25 Comments More | Login /

 Full
 Abbreviated
 Hidden
More | Login
Loading... please wait.

  • Popcorn anyone? (Score:5, Funny)

    by cizoozic (1196001) on Saturday March 29, @11:07AM (#22904894)

    How's that for fueling religious platform wars?
    Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!

    • Re:Popcorn anyone? (Score:5, Funny)

      by garett_spencley (193892) on Saturday March 29, @11:09AM (#22904914) Homepage
      "Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

      What kind ?

      And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!

    • Re:Popcorn anyone? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, @11:29AM (#22905026)
      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)

      • Re:Popcorn anyone? (Score:5, Informative)

        by Zero__Kelvin (151819) on Saturday March 29, @12:15PM (#22905314) Homepage

        "What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
        It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

        The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely besides the point if Flash is flawed in the same way, thought there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."

        • Re:Popcorn anyone? (Score:5, Informative)

          by VertigoAce (257771) on Saturday March 29, @01:12PM (#22905696)
          Actually, IE on Vista runs with fewer permissions then a normal User account by default. It runs as a low-integrity process. This means that it loses access to most of the user's files (it has access to things like the temp directory for storing cookies, cache, etc.). See MSDN [microsoft.com] for details.

    • Re:Popcorn anyone? (Score:5, Funny)

      by phantomfive (622387) on Saturday March 29, @12:42PM (#22905508) Homepage Journal
      There's no religious war here. Ubuntu is clearly the best.

  • Software sucks. (Score:5, Interesting)

    by Anonymous Coward on Saturday March 29, @11:08AM (#22904900)
    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!

  • Hey! (Score:5, Funny)

    by spectrokid (660550) on Saturday March 29, @11:08AM (#22904906) Homepage
    it was Adobes fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!

      • Re:Hey! (Score:5, Informative)

        by calebt3 (1098475) on Saturday March 29, @11:51AM (#22905152)

        I don't see why the test includes third party software.
        Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.

  • Something is Fishy (Score:5, Informative)

    by ThinkFr33ly (902481) on Saturday March 29, @11:39AM (#22905078)
    If the person on the Vista laptop was running IE 7 with the default configuration (protected mode [msdn.com] / UAC on), this should not have happened.

    Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privledge elevation exploit in Windows simultaneously.

    I didn't see them specify in the article what browser than were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

    Futhermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privledge elevation in Windows.

    So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

    I suppose one could argue that various defensive techniques like ASLR [msdn.com] should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

    Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.

    • Re:Something is Fishy (Score:5, Informative)

      by benjymouse (756774) on Saturday March 29, @12:43PM (#22905514)

      Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.


      You are right that plugins by default runs under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

      And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this brokerprocess and thus breaks out of the sandbox.

      The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehove connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

      Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* the yet another level of security had been broken (UAC). But at this time we can't really determine.

      • Re:Something is Fishy (Score:5, Informative)

        by ThinkFr33ly (902481) on Saturday March 29, @12:10PM (#22905276)
        That is not correct. Protected Mode's low rights user has virtually no access to the system.

        Unless that file was specfically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.

          • Re:Something is Fishy (Score:5, Informative)

            by ThinkFr33ly (902481) on Saturday March 29, @12:50PM (#22905564)
            No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory a few others under the user's profile), but has absolutely no access to virtualy anything else... especially the user's documents.

            A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.
  • ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.

    • Re:Newsworthy? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, @11:26AM (#22905004)
      Hint: script kiddies don't tend to have 0day in the real world.

    • Re:Newsworthy? (Score:5, Informative)

      by kripkenstein (913150) on Saturday March 29, @12:01PM (#22905222)

      I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.
      Hmm, I disagree.

      First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

      Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

      I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).

      • Re:Newsworthy? (Score:5, Funny)

        by Anonymous Coward on Saturday March 29, @12:19PM (#22905342)

        In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.
        Yeah, they're open source and of dubious quality.

      • Re:Newsworthy? (Score:5, Interesting)

        by Henry V .009 (518000) on Saturday March 29, @12:31PM (#22905426) Journal

        Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
        Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

        And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.

    • Know this: no one uses linux on desktop,

      The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

      Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

      And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

      Well, anyway, sorry to have fed the troll.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.