Forgot your password?
typodupeerror
Security

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337

Posted by CmdrTaco
from the tough-nut-to-crack dept.
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
This discussion has been archived. No new comments can be posted.

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

Comments Filter:
  • by Anonymous Coward

    Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


    It depends what kind of exploit that was.
    • Re: (Score:2, Interesting)

      by brassman (112558)
      I find the timing odd, in that all my copies of Firefox updated themselves from 2.0.0.12 to .13 the day before the contest. Wonder what would have happened if the contest had been started two days sooner... or two days later, for that matter?

      Or is 2.0.0.13 comparable in any way to Safari 3.1?

      Security (is|as) a moving target....

      • by kesuki (321456) on Saturday March 29, 2008 @04:01PM (#22906660) Journal
        well, firefox updating the day before a hacking contest would indeed make the ubuntu platform (the only one where firefox is default) the most secure, but one would think that if firefox is going to play that way, that Microsoft would release any patches they had in development the day before too, to be on the same playing field.

        the fact that apple got cracked first, and presumably in a safari exploit shows that apple does not have the kind of security resources of either firefox (supported by aol, and google) or Microsoft can bring to a competition. Since the Microsoft vista system was taken out by an adobe vulnerability, and I often hear of adobe products having security holes, they might be in the same kind of boat as apple when it comes to releasing security patches.
        • Re: (Score:3, Insightful)

          by Allador (537449)
          The interesting thing here is that if the Flash vuln was running on IE, it should have been ineffective against the OS, unless somehow the Flash executable somehow creates an escalation vulnerability in the OS (which obviously is silly).

          I wonder if Flash was attacked via Firefox, or in some other fashion. Through IE, running as a non-admin and with the IE7 on Vista sandboxing, any vuln in flash should have been pretty useless in owning the OS.

          I wish there were more details posted.

          Also interesting that the
      • I note that Windows and Mac can run firefox too. The ONLY reason that ubuntu won is because it can't run Safari, or IE.

        My kid's pretend Leap-frog computer also can't run a browser or even connect to the internet. Clearly it is much safer than ubuntu.
        • Re: (Score:3, Informative)

          by fonik (776566)
          That leapfrog trades a lot of features to gain that security. Since Firefox doesn't sacrifice features... well, yeah, it really IS better.
    • by kesuki (321456) on Saturday March 29, 2008 @04:27PM (#22906814) Journal
      I realize this is slashdot, so for those who didn't read TFA the contest was to in a 30 minute attack slot, read the contents of a specific file, in a specific folder. each day different exploits could be tested, but only popular software that is normally installed counted.

      day one were pure network attacks nobody got in on day one. day 2 was email and url based attacks. only the mac got won on day 2. on day 3 you could add non default but popular software from a list (couldn't find the list anywhere on the net, sigh) and adobe flash was vulnerable, so the vista machine got taken.

      Ubuntu held up for all 3 days, but because only popular and default software could be added, this could bring a false sense of security. there are many ways to 'design' a supposedly open source software package on say, sourceforge.net but to have a compromised binary that was made with slightly altered source code... to get a trojan on a linux system. repositories tend to be fairly well monitored, but there have been times where applications that are trojans have gotten into widely used repositories. as far as i can tell, sourceforge has no real method for testing if software contains trojans or not, so it's purely up to the community that uses sourceforge to report bad software, etc. i imagine that freshmeat is the same, and many many linux users use sourceforge or freshmeat to find specific linux applications they need or want...

      maybe there aren't enough linux users yet to make this a huge issue, but with Microsoft's brand image going south (kinda the way IBMs did in the 90s) linux is sure to be finding more and more people who would rather deal with OSS than with bill gates.
  • by cizoozic (1196001) on Saturday March 29, 2008 @11:07AM (#22904894)

    How's that for fueling religious platform wars?
    Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!
    • by garett_spencley (193892) on Saturday March 29, 2008 @11:09AM (#22904914) Journal
      "Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

      What kind ?

      And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!
    • Re: (Score:2, Interesting)

      by nofrak (889021)
      To celebrate the winner, may I suggest free beer [freebeer.org]?
    • Re:Popcorn anyone? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, 2008 @11:29AM (#22905026)
      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)
      • Re:Popcorn anyone? (Score:4, Insightful)

        by SpzToid (869795) on Saturday March 29, 2008 @11:52AM (#22905168)
        I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

        So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.
        • Re: (Score:3, Insightful)

          by Allador (537449)
          Actually, I'd say you've got it backwards.

          On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.

          But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, its running as a user process that has almost zero ability to
      • Re:Popcorn anyone? (Score:5, Informative)

        by Zero__Kelvin (151819) on Saturday March 29, 2008 @12:15PM (#22905314) Homepage

        "What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
        It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

        The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely besides the point if Flash is flawed in the same way, thought there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."
    • by popmaker (570147)
      I'll make the popcorn!
    • by phantomfive (622387) on Saturday March 29, 2008 @12:42PM (#22905508) Journal
      There's no religious war here. Ubuntu is clearly the best.
  • Software sucks. (Score:5, Interesting)

    by Anonymous Coward on Saturday March 29, 2008 @11:08AM (#22904900)
    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!
    • Re: (Score:3, Insightful)

      by robo_mojo (997193)
      While flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.

      Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.

      Software will suck as long as speed is more important than correctness.
  • Hey! (Score:5, Funny)

    by spectrokid (660550) on Saturday March 29, 2008 @11:08AM (#22904906) Homepage
    it was Adobes fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!
    • It's interesting that the 2 vulnerable attack vectors are from the 2 companies that have the largest Mac user-base. Apple (Safari) and Adobe (Flash).
  • Newsworthy? (Score:4, Insightful)

    by MisterFuRR (311169) on Saturday March 29, 2008 @11:08AM (#22904908) Journal
    I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.
    • Re:Newsworthy? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, 2008 @11:26AM (#22905004)
      Hint: script kiddies don't tend to have 0day in the real world.
    • Re:Newsworthy? (Score:4, Informative)

      by tolan-b (230077) on Saturday March 29, 2008 @11:56AM (#22905192)
      They created their own exploits.
    • Re:Newsworthy? (Score:5, Informative)

      by kripkenstein (913150) on Saturday March 29, 2008 @12:01PM (#22905222) Homepage

      I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.
      Hmm, I disagree.

      First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

      Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

      I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).
      • by Anonymous Coward on Saturday March 29, 2008 @12:19PM (#22905342)

        In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.
        Yeah, they're open source and of dubious quality.
      • Re:Newsworthy? (Score:5, Interesting)

        by Henry V .009 (518000) on Saturday March 29, 2008 @12:31PM (#22905426) Journal

        Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
        Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

        And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
    • I haven't found the 3rd-party list yet, but was Flash also installed on the Ubuntu laptop?

    • Re: (Score:2, Insightful)

      by gbickford (652870)
      This small focus group of participators are not script kiddies. They publicly represent the people that do not want a public representation and do not want their unknown exploits exposed to the public eye for the mere price of a laptop or even a $10,000USD cash prize. The lurkers want bot nets and relay servers. The unseen want to be able to bend the entire internet. This information is only worth money if people do not know it.

      The people that participate in this are like magicians selling their secrets at
      • by CastrTroy (595695)
        I believe that a lot of people would be happy to slap that on a resume. It could be quite useful in getting nice job.
  • by lilomar (1072448) <lilomar2525@gmail.com> on Saturday March 29, 2008 @11:10AM (#22904924) Homepage
    So Linux is more secure than Windows? What else is new?
  • by zappepcs (820751) on Saturday March 29, 2008 @11:11AM (#22904926) Journal
    that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows. (Car analogy) It's like seeing Kia in a road rally, sort of surprizing but after a couple of years competing people begin to just accept that they have the balls to keep it up and to compete.

    Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule ?
  • by Provocateur (133110) on Saturday March 29, 2008 @11:12AM (#22904930) Homepage
    ...that we christen the unharmed laptop 'Cowboy Neal'
  • Something is Fishy (Score:5, Informative)

    by ThinkFr33ly (902481) on Saturday March 29, 2008 @11:39AM (#22905078)
    If the person on the Vista laptop was running IE 7 with the default configuration (protected mode [msdn.com] / UAC on), this should not have happened.

    Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privledge elevation exploit in Windows simultaneously.

    I didn't see them specify in the article what browser than were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

    Futhermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privledge elevation in Windows.

    So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

    I suppose one could argue that various defensive techniques like ASLR [msdn.com] should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

    Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.
    • by Utopia (149375)
      As I understand, UAC/protected mode only protects critical areas like windows system areas and program files.
      I am guessing the file for the contest was stored in a non-critical area.
      • by ThinkFr33ly (902481) on Saturday March 29, 2008 @12:10PM (#22905276)
        That is not correct. Protected Mode's low rights user has virtually no access to the system.

        Unless that file was specfically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.
        • by Utopia (149375)
          Really? I was under the impression that protected mode does allow user file reads even in low-rights mode; but prevents writes or directory traversal etc. (So you have to know the filename & path beforehand to read it)
          • by ThinkFr33ly (902481) on Saturday March 29, 2008 @12:50PM (#22905564)
            No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory a few others under the user's profile), but has absolutely no access to virtualy anything else... especially the user's documents.

            A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.
            • by Kalriath (849904) * on Saturday March 29, 2008 @04:08PM (#22906698)
              Except that... get this... FLASH HAS A BROKER PROCESS. Protected mode cannot stop Flash doing stupid stuff because Adobe in their infinite wisdom decided they really needed that unfettered system access and created a Flash Broker. And to top it off, the Flash installer adds the Flash Broker as a "Don't prompt me again for allowing this application outside protected mode to be called" program.

              I don't even know why Microsoft bothers trying to secure stuff when morons like Adobe just go and fuck it up.
    • Re: (Score:3, Insightful)

      by Rary (566291)

      This says absolutely nothing about Vista security.

      Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

      • by david_thornley (598059) on Saturday March 29, 2008 @01:32PM (#22905812)

        Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.

    • by benjymouse (756774) on Saturday March 29, 2008 @12:43PM (#22905514)

      Flash, like all other plugins, run within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.


      You are right that plugins by default runs under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

      And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this brokerprocess and thus breaks out of the sandbox.

      The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehove connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

      Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* the yet another level of security had been broken (UAC). But at this time we can't really determine.

  • 1 day later. (Score:3, Insightful)

    by Lulfas (1140109) on Saturday March 29, 2008 @11:42AM (#22905096)
    Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.
    • Re: (Score:2, Insightful)

      Or rather, security through obscurity takes longer. Which is kind of the whole point.
    • Re: (Score:3, Insightful)

      by c_forq (924234)
      On the other hand Webkit http://www.webkit.org/ [webkit.org] is open source, and the Mac was exploited through Safari. So this same case could be used as an argument that open source is more easily/quickly exploited.
  • by LaughingCoder (914424) on Saturday March 29, 2008 @11:43AM (#22905102)
    ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.
    • Hey good for you, some of us work in industries where adobe products are the standard and running anything else will result in lost business.
      • I will hasten to point out the same holds true for Windows. Of course that doesn't necessarily mean it's great stuff -- just that it's managed to become a defacto standard.
    • . And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well .

      Given that it takes about 10 seconds to launch Adobe Photoshop CS3 (that's their heavyweight" photo product) on my dual-core laptop with "non-RAIDed SATA" laptop drive), and PDFs don't bring my system to its knees...

      ...I'd say there's something wrong with your laptop (or

    • Re: (Score:3, Insightful)

      by Fweeky (41046)

      It brings any machine to its knees as it consumes every available resource while rendering a simple document

      Not seen that. I did try FoxIt Reader when I found a rather complex pdf of a world map of submarine optical fibre connections was rendered painfully slowly, but FoxIt was even slower. I upgraded to Adobe Reader 8, and now it's actually fairly smooth; something that'd take FoxIt or Adobe Reader 7 a good 3-10 seconds to render will take under a second and once drawn, scroll smoothly.

      At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time

  • "How's that for fueling religious platform wars?"

    Wow. I guess the story posters here really *do* like all of the "X OS is sooooo better than Y OS" comment threads. =p Flame on, SD community. Flame on.
  • Sandbagging? (Score:3, Insightful)

    by joetheappleguy (865543) on Saturday March 29, 2008 @02:11PM (#22906038) Homepage
    Same 2 guys win by cracking the same platforms they won on last year.

    I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.
  • by DECS (891519) on Saturday March 29, 2008 @04:57PM (#22906996) Homepage Journal
    "The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple "Mac Shot First" headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

    "The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."

    10 Things to Remember About CanSecWest and Software Vulnerabilities [roughlydrafted.com]

Any given program, when running, is obsolete.

Working...