Security

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
  • by Anonymous Coward on Saturday March 29, 2008 @11:06AM (#22904890)

    Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


    It depends what kind of exploit that was.
  • Newsworthy? (Score:4, Insightful)

    by MisterFuRR ( 311169 ) on Saturday March 29, 2008 @11:08AM (#22904908) Journal
    I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize Flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- set up to spur stupid religious wars.
  • by lilomar ( 1072448 ) <lilomar2525@gmail.com> on Saturday March 29, 2008 @11:10AM (#22904924) Homepage
    So Linux is more secure than Windows? What else is new?
  • Re:Newsworthy? (Score:5, Insightful)

    by call-me-kenneth ( 1249496 ) on Saturday March 29, 2008 @11:26AM (#22905004)
    Hint: script kiddies don't tend to have 0day in the real world.
  • Re:Popcorn anyone? (Score:5, Insightful)

    by call-me-kenneth ( 1249496 ) on Saturday March 29, 2008 @11:29AM (#22905026)
    What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)
  • 1 day later. (Score:3, Insightful)

    by Lulfas ( 1140109 ) on Saturday March 29, 2008 @11:42AM (#22905096)
    Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.
  • by LaughingCoder ( 914424 ) on Saturday March 29, 2008 @11:43AM (#22905102)
    ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.
  • by ricegf ( 1059658 ) on Saturday March 29, 2008 @11:47AM (#22905130) Journal

    Know this: no one uses linux on desktop,

    The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

    Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

    And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

    Well, anyway, sorry to have fed the troll.

  • Re:1 day later. (Score:2, Insightful)

    by maskedbishounen ( 772174 ) on Saturday March 29, 2008 @11:48AM (#22905136)
    Or rather, security through obscurity takes longer. Which is kind of the whole point.
  • Re:Popcorn anyone? (Score:4, Insightful)

    by SpzToid ( 869795 ) on Saturday March 29, 2008 @11:52AM (#22905168)
    I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

    So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.
  • Know this: no one uses linux on desktop

    Really? So this must be some magical post I'm making ...

    Second-rate software may appeal if it comes at no cost, but life is too short to waste and second-rate (at best) software wastes too much of it

    I agree, which is why I don't "do" Windows.

    I use linux at home, and linux + bsd at work.

    My sister switched to an iMac, and "once you go mac, you never go back."

    People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...

    Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.

  • by Wavebreak ( 1256876 ) on Saturday March 29, 2008 @12:11PM (#22905290)
    No, trying to hack only the most desirable one would be dumb, seeing as how either of the other two are worth quite a bit on their own, and there's a rather substantial cash prize in it for you as well. This gets repeated constantly, and people *still* bring the same goddamn stupid point up. No wonder you're posting as AC tbh.
  • by calebt3 ( 1098475 ) on Saturday March 29, 2008 @12:16PM (#22905326)
    No-one uses Linux, and No-one is perfect. So we should try to follow in No-one's footsteps.
  • by Rary ( 566291 ) on Saturday March 29, 2008 @12:23PM (#22905362)

    This says absolutely nothing about Vista security.

    Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

  • Re:Newsworthy? (Score:2, Insightful)

    by gbickford ( 652870 ) on Saturday March 29, 2008 @12:29PM (#22905406) Homepage
    This small focus group of participators are not script kiddies. They publicly represent the people that do not want a public representation and do not want their unknown exploits exposed to the public eye for the mere price of a laptop or even a $10,000USD cash prize. The lurkers want bot nets and relay servers. The unseen want to be able to bend the entire internet. This information is only worth money if people do not know it.

    The people that participate in this are like magicians selling their secrets at a bus stop.

    This isn't like a McAfee vs Norton contest. The "the total end point security" which you reference is nowhere near contextual. This is a how much are black hats willing to give up for chump-change contest.
  • Re:Popcorn anyone? (Score:1, Insightful)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Saturday March 29, 2008 @12:37PM (#22905472) Homepage
    Proof that we're getting too old for Slashdot.

    Get these n00bs off my lawn!
  • by Fweeky ( 41046 ) on Saturday March 29, 2008 @12:44PM (#22905526) Homepage

    It brings any machine to its knees as it consumes every available resource while rendering a simple document
    Not seen that. I did try FoxIt Reader when I found a rather complex pdf of a world map of submarine optical fibre connections was rendered painfully slowly, but FoxIt was even slower. I upgraded to Adobe Reader 8, and now it's actually fairly smooth; something that'd take FoxIt or Adobe Reader 7 a good 3-10 seconds to render will take under a second and once drawn, scroll smoothly.

    At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.

  • by Divebus ( 860563 ) on Saturday March 29, 2008 @01:04PM (#22905642)

    The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000
    Cue the trolls: "See? Macs ARE more expensive!"
  • by Anonymous Coward on Saturday March 29, 2008 @01:05PM (#22905648)

    ...only finally fell when the contest organizers modified the rules...
    People in both CanSecWest threads have been saying this a lot, but it's not true. The only time they "modified" the rules was before the contest began--largely to increase the cash prizes. The tiered rules and prizes were planned in advance--it's not like they said, "gosh, nobody 0wned any of these machines yet--we better make things easier." When the contest started, the plan was three days with different rules/prizes on each day. Details [tippingpoint.com].

    -JD
  • by ThinkFr33ly ( 902481 ) on Saturday March 29, 2008 @01:11PM (#22905692)
    Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.

    See the following: background info [robertdowney.com], and most of this post [robertdowney.com] deals with UAC.
  • Re:Hey! (Score:5, Insightful)

    by morethanapapercert ( 749527 ) on Saturday March 29, 2008 @01:30PM (#22905800) Homepage
    Errr. know of any site using Flash for something useful?*

    *Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars

  • by david_thornley ( 598059 ) on Saturday March 29, 2008 @01:32PM (#22905812)

    Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.

  • Re:Software sucks. (Score:3, Insightful)

    by Anonymous Coward on Saturday March 29, 2008 @01:54PM (#22905922)
    What's so dumb about pointing out the pathetic state of software security and the incompetence of programmers?

    Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?

    I guess comments like yours explain exactly why our software sucks.
  • by surfi ( 1196953 ) on Saturday March 29, 2008 @01:57PM (#22905946)
    and it's not only people using linux at home, we use it in our company too. some people were not very enthusiastic with the move, but everything works better now and maintenance costs are A LOT lower. no wonder that governments and large enterprises around the world are switching to linux
  • Re:Popcorn anyone? (Score:1, Insightful)

    by Anonymous Coward on Saturday March 29, 2008 @02:06PM (#22906004)
    It's been in there since the beginning of Vista. It's part of UAC.
  • Sandbagging? (Score:3, Insightful)

    by joetheappleguy ( 865543 ) on Saturday March 29, 2008 @02:11PM (#22906038) Homepage
    Same 2 guys win by cracking the same platforms they won on last year.

    I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.
  • by recoiledsnake ( 879048 ) on Saturday March 29, 2008 @02:39PM (#22906200)

    I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit. UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

    What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux (default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in Flash (or in Firefox) from shitting all over your user directory?

    UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

    UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com

    Contrast that to IE7 on Vista. Read this [msdn.com]. It's in part an implementation of the Biba security model [wikipedia.org]. So a similar vulnerability in IE7 or any of its plugins (including Flash) will only be able to work in a sandbox that prevents access to anything but low risk files like temporary internet files.

    From the linked article:

    Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7's Protected Mode leverages Windows Vista's UAC, MIC and UIPI features to boost browser security. In IE7's Protected Mode, which is the default in other than the Trusted security zone, the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

    So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari OR it must have been run on IE7 and broken through the sandbox (quite possible, but the news shouldn't be about not only an exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.

    My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door.
    I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.
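
Added example (not part of the thread or of the linked MSDN article): a simplified Python model of the integrity check the quoted article describes, comparing what code inside a Low-integrity browser process and inside a Medium-integrity one could touch. The paths, the user name `alice` and the owner-only permission rule are constructed for illustration; only the default no-write-up policy is modelled, so reads are not restricted.

```python
"""Simplified model of Windows Vista Mandatory Integrity Control (MIC).

Added illustration; not code from the thread or from Microsoft. The access
check is reduced to two stages: a toy owner-only DAC check, then the default
MIC policy (no-write-up). All paths and names below are constructed samples.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    LOW = 1      # Protected Mode IE and the add-ins it hosts
    MEDIUM = 2   # ordinary user processes; default for unlabeled objects
    HIGH = 3     # elevated administrator processes
    SYSTEM = 4


@dataclass(frozen=True)
class Process:
    name: str
    user: str
    level: Integrity


@dataclass(frozen=True)
class FileObject:
    path: str
    owner: str
    level: Integrity = Integrity.MEDIUM


def can_access(proc: Process, obj: FileObject, op: str) -> bool:
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    # Stage 1 (assumption: toy DAC): only the owning user gets access.
    if proc.user != obj.owner:
        return False
    # Stage 2: MIC no-write-up. A subject may not modify an object labeled
    # above its own level. The default policy does not restrict reads.
    return not (op == "write" and proc.level < obj.level)


def reach(proc: Process, objects: list[FileObject]) -> dict[str, set[str]]:
    """Operations that code running inside `proc` could perform per object."""
    return {o.path: {op for op in ("read", "write") if can_access(proc, o, op)}
            for o in objects}


def writes_stopped_by_sandbox(low: Process, other: Process,
                              objects: list[FileObject]) -> list[str]:
    """Paths writable from `other` but not from the Low-integrity `low`."""
    return [o.path for o in objects
            if can_access(other, o, "write") and not can_access(low, o, "write")]


# Constructed sample objects and processes.
DOCS = r"C:\Users\alice\Documents\taxes.xls"
STARTUP = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\run.lnk")
LOW_CACHE = (r"C:\Users\alice\AppData\Local\Microsoft\Windows"
             r"\Temporary Internet Files\Low\cache.dat")
DRIVER = r"C:\Windows\System32\drivers\example.sys"
SAMPLE_FILES = [
    FileObject(DOCS, "alice"),
    FileObject(STARTUP, "alice"),
    FileObject(LOW_CACHE, "alice", Integrity.LOW),
    FileObject(DRIVER, "TrustedInstaller"),
]
PROTECTED_IE = Process("iexplore.exe (Protected Mode)", "alice", Integrity.LOW)
MEDIUM_BROWSER = Process("unsandboxed browser", "alice", Integrity.MEDIUM)
```

In this model the Low process can still read the user's documents; what the label blocks is modification of anything outside the Low-labeled cache.
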
  • Re:1 day later. (Score:3, Insightful)

    by c_forq ( 924234 ) <forquerc+slash@gmail.com> on Saturday March 29, 2008 @03:56PM (#22906626)
    On the other hand Webkit http://www.webkit.org/ [webkit.org] is open source, and the Mac was exploited through Safari. So this same case could be used as an argument that open source is more easily/quickly exploited.
  • Re:Popcorn anyone? (Score:2, Insightful)

    by nuOpus ( 463845 ) on Saturday March 29, 2008 @04:29PM (#22906840)
    What are you talking about? Browsers and their plugins have access to everything. Do something as simple as post a picture in myspace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser. How is this limiting browser access to the temp directory? If a simple scriptlet can do that, it's not like you say. Anyone who has ever used Internet Explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry. One could exploit that to create a faux driver and do malicious activity with it.
  • by DECS ( 891519 ) on Saturday March 29, 2008 @04:57PM (#22906996) Homepage Journal
    "The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple "Mac Shot First" headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

    "The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."

    10 Things to Remember About CanSecWest and Software Vulnerabilities [roughlydrafted.com]
  • Re:Newsworthy? (Score:5, Insightful)

    by try_anything ( 880404 ) on Saturday March 29, 2008 @04:57PM (#22907000)

    To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here).
    Users follow the normal path of least resistance established by the platform. Users' first tendency is to use the apps that are installed by default, which means mostly open-source apps on Linux and closed-source apps on Windows. When an appropriate application isn't installed, consumer-targeted Linux distributions help steer users toward good open-source applications. Under Windows, you usually end up installing a closed-source application suggested by a web site. Windows application security depends not just on closed-source software but on users' ability to evaluate the credibility of web sites and spot spoofed web sites (like the ones used for phishing, but used for distributing malware instead). Under Linux, those skills are still important, but since the normal method of installing software is to download packages maintained by the distribution, users will be more likely to pay special attention when installing software from other sources.

    In sum, what this means is that Windows systems depend heavily on closed-source software and the judgment of individual users, both of which are less secure than the community-oriented "more eyes" approach taken by open-source Linux distributions.

  • by Allador ( 537449 ) on Saturday March 29, 2008 @06:31PM (#22907698)
    The interesting thing here is that if the Flash vuln was running on IE, it should have been ineffective against the OS, unless somehow the Flash executable somehow creates an escalation vulnerability in the OS (which obviously is silly).

    I wonder if Flash was attacked via Firefox, or in some other fashion. Through IE, running as a non-admin and with the IE7 on Vista sandboxing, any vuln in flash should have been pretty useless in owning the OS.

    I wish there were more details posted.

    Also interesting that the folks who took down the Vista box said it's a couple hours of work from this being effective against OSX and Linux as well.
  • Re:Popcorn anyone? (Score:3, Insightful)

    by Allador ( 537449 ) on Saturday March 29, 2008 @06:42PM (#22907748)
    Actually, I'd say you've got it backwards.

    On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.

    But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, it's running as a user process that has almost zero ability to write or read anywhere on the file system.

    Which makes me wonder if this attack was via Flash on Firefox, which would be much more vulnerable to this type of disclosure attack than Flash on IE (as long as the site wasn't in Trusted Sites on the IE).

    Now mind you, some of the mandatory access control packages on linux systems can strongly mitigate this, much like IE7 on Vista. I can't say whether these would apply to Firefox, say, on a typical Linux distro though.
  • Re:Popcorn anyone? (Score:2, Insightful)

    by delire ( 809063 ) on Saturday March 29, 2008 @07:13PM (#22907966)

    But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, it's running as a user process that has almost zero ability to write or read anywhere on the file system.
    How then does a user of IE7 on this operating system - the owner of this completely pwn'd process - download files, save a browsing history or save bookmarks? To RAM? Do they "Accept or Deny?" on every visited website?

    Didn't think so..
  • Re:Software sucks. (Score:3, Insightful)

    by robo_mojo ( 997193 ) on Saturday March 29, 2008 @07:33PM (#22908104)
    While flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.

    Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.

    Software will suck as long as speed is more important than correctness.
