Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
Software sucks. (Score:5, Interesting)
It is becoming more clear every day (Score:3, Interesting)
Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule?
Re:Newsworthy? (Score:1, Interesting)
The aim of the contest was to read a specific file on the system. What I was wondering is what permissions that file had? Was it only readable by root? I'm assuming not, but if so what are default settings like in Vista (I've never used it)? Does it by default make the user not run as administrator? After all Linux's claim to be immune from malware stems from the idea that the user has such restricted access and if root is not required in this competition it's perhaps a realization that for a desktop user a lot of damage can still be done as only the user.
Obviously this will result in a lot of Microsoft and Apple bashing, and as a long time Linux fan I'm rather smug, but I think it's worth noting that Adobe Reader is cross platform so there is a chance that the vulnerability is not unique to Windows - it may not be Microsoft's fault at all.
To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here). Perhaps because most of Ubuntu's apps are open source more vulnerabilities are spotted by the good guys which would be especially important in a competition like this where 0day exploits are the aim?
On a positive note I think it's a good thing to note that the days of a clean install being exploited in a few minutes once connected to the internet seem to be fading.
Re:Newsworthy? (Score:5, Interesting)
And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
Re:What kind of exploit? (Score:2, Interesting)
Or is 2.0.0.13 comparable in any way to Safari 3.1?
Security (is|as) a moving target....
Re:Something is Fishy (Score:2, Interesting)
You are wrong, I fear. The rules were that each OS had its default configuration. Check http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 for details. So, if the protected mode is turned on by default - it was turned on during the contest.
Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of the contest you were able to install another browser too.
And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was the Linux laptop still standing then at the end of the day?
Re:Something is Fishy (Score:2, Interesting)
This logic reminds me of the sysadmin where I work. She (not a typo) apparently doesn't know how to properly configure an Exchange server, so she's limited everybody's email boxes to 250 MB. Since I regularly have to deal with attachments -- large spreadsheets, presentations, CSV lists, etc. -- and often have to go back months to find a specific mail to answer client questions, 250 MB is not sufficient.
I pointed all this out to her, as well as the fact that I haven't seen limits like this anywhere since the early 2000s. I also suggested, not seriously, that I should store all my mail on the unused part of my iPod, or autoforward it all to my Gmail account.
Rather than seeing the absurdity, she responded that it was "not possible" to forward mail to Gmail (or Yahoo, Hotmail, Hushmail, etc.) because she had set up rules preventing this. It took all of five minutes to set up a new Gmail account and begin forwarding, complete with properly configured reply-to headers.
I sent her screenshots. She still says it's not possible because that's not how it's supposed to work.
The moral is that with most MS software, what it is supposed to do or not do has little bearing on what it will do when you know how to ask. Just because something should not happen -- e.g. your assumption that IE7 would not allow an exploit in its standard, protected mode -- does not mean that it can't happen or won't happen.
It seems to me that the entire UAC model is little more than a bolt-on that does nothing to address the structural insecurity of Windows. It's like a house with an iron gate and stone wall along the street. But the wall only extends 15m in either direction. Walk around the wall and there's nothing. With *nix, you get a wall around the whole yard by default. Along with the option to put in a moat filled with sharks. With lasers strapped to their heads. Now that's the kind of 'fishy' poppa likes.
Re:Something is Fishy (Score:5, Interesting)
It is running as *me*, with my rights. Not for long now, though. Bye Flash.
Oh, and there's also an "Acrotray.exe" - from the same company. Guess what that does?
Re:Popcorn anyone? (Score:2, Interesting)
Not useless (Score:3, Interesting)
So the game has changed. The contest rules here have also changed, to reflect the new game. They built in the day-3 rule changes so that more exploits would be possible, to keep the contest interesting, knowing in advance that hacking the stock OS would be pretty hard.
It's not just the stock OS security that matters, it's the security of the entire stack, and the software ecosystem it lives in. Give Microsoft and Apple credit for improving their cores, but you can still say Ubuntu has a better stack and ecosystem, and point to the same reasons why: open source, community testing, heterogeneity.
Re:What kind of exploit? (Score:4, Interesting)
The fact that Apple got cracked first, and presumably in a Safari exploit, shows that Apple does not have the kind of security resources that either Firefox (supported by AOL and Google) or Microsoft can bring to a competition. Since the Microsoft Vista system was taken out by an Adobe vulnerability, and I often hear of Adobe products having security holes, they might be in the same kind of boat as Apple when it comes to releasing security patches.
Re:Something is Fishy (Score:3, Interesting)
The guy that took down Vista claims that the same exploit can be used on Linux and OSX, it just requires a few more hours' work.
Not proven yet, but possible.
Re:Popcorn anyone? (Score:3, Interesting)
That is, not a whole lot, as long as all you are trying to do is own the system or otherwise do malicious things to it. If you were a virus/trojan writer, would you ever hit yourself on the forehead saying, "Damn, this Administrator access isn't good enough. I need SYSTEM access to totally own this system"?*
The truth is, at least before Vista (I wouldn't know about Vista since I never used it), Windows' security model was broken. No security model where the default user (as pointed out by my sibling poster) runs as superuser ever is.
* On the other hand, if you are trying to install a rootkit, then you might need kernel-level access. But once you have superuser access, such things are fairly easy to do---modifying the kernel in memory may not be completely safe, but it's been done before.
Re:Popcorn anyone? (Score:4, Interesting)