Security

Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
  • Software sucks. (Score:5, Interesting)

    by Anonymous Coward on Saturday March 29, 2008 @11:08AM (#22904900)
    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!
  • by zappepcs ( 820751 ) on Saturday March 29, 2008 @11:11AM (#22904926) Journal
    that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows. (Car analogy) It's like seeing Kia in a road rally, sort of surprising but after a couple of years competing people begin to just accept that they have the balls to keep it up and to compete.

    Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule?
  • Re:Newsworthy? (Score:1, Interesting)

    by Anonymous Coward on Saturday March 29, 2008 @12:29PM (#22905404)
    I couldn't find answers to my questions on the links, although I'm probably not looking hard enough.

    The aim of the contest was to read a specific file on the system. What I was wondering is what permissions that file had? Was it only readable by root? I'm assuming not, but if so what are default settings like in Vista (I've never used it)? Does it by default make the user not run as administrator? After all Linux's claim to be immune from malware stems from the idea that the user has such restricted access and if root is not required in this competition it's perhaps a realization that for a desktop user a lot of damage can still be done as only the user.

    Obviously this will result in a lot of Microsoft and Apple bashing, and as a long time Linux fan I'm rather smug, but I think it's worth noting that Adobe Reader is cross platform so there is a chance that the vulnerability is not unique to Windows - it may not be Microsoft's fault at all.

    To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here). Perhaps because most of Ubuntu's apps are open source more vulnerabilities are spotted by the good guys which would be especially important in a competition like this where 0day exploits are the aim?

    On a positive note I think it's a good thing to note that the days of a clean install being exploited in a few minutes once connected to the internet seem to be fading.
  • Re:Newsworthy? (Score:5, Interesting)

    by Henry V .009 ( 518000 ) on Saturday March 29, 2008 @12:31PM (#22905426) Journal

    > Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
    Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

    And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
  • by brassman ( 112558 ) on Saturday March 29, 2008 @12:37PM (#22905476) Homepage
    I find the timing odd, in that all my copies of Firefox updated themselves from 2.0.0.12 to .13 the day before the contest. Wonder what would have happened if the contest had been started two days sooner... or two days later, for that matter?

    Or is 2.0.0.13 comparable in any way to Safari 3.1?

    Security (is|as) a moving target....

  • by Erikderzweite ( 1146485 ) on Saturday March 29, 2008 @12:56PM (#22905588)
    >If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

    You are wrong, I fear. The rules were that each OS had its default configuration. Check http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 [tippingpoint.com] for details. So, if the protected mode is turned on by default - it was turned on during the contest.
    Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of the contest you were able to install another browser too.

    And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was the Linux laptop still standing then at the end of the day?
  • by spisska ( 796395 ) on Saturday March 29, 2008 @01:00PM (#22905614)

    > If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

    This logic reminds me of the sysadmin where I work. She (not a typo) apparently doesn't know how to properly configure an Exchange server, so she's limited everybody's email boxes to 250 MB. Since I regularly have to deal with attachments -- large spreadsheets, presentations, csv lists, etc, and often have to go back months to find a specific mail to answer client questions, 250 MB is not sufficient.

    I pointed all this out to her, as well as the fact that I haven't seen limits like this anywhere since the early 2000s. I also suggested, not seriously, that I should store all my mail on the unused part of my ipod, or autoforward it all to my gmail account.

    Rather than seeing the absurdity, she responded that it was "not possible" to forward mail to gmail (or yahoo, hotmail, hushmail, etc) because she had set up rules preventing this. It took all of five minutes to set up a new gmail account and begin forwarding, complete with properly configured reply-to headers.

    I sent her screenshots. She still says it's not possible because that's not how it's supposed to work.

    The moral is that with most MS software, what it is supposed to do or not do has little bearing on what it will do when you know how to ask. Just because something should not happen -- e.g. your assumption that IE7 would not allow an exploit in its standard, protected mode, does not mean that it can't happen or won't happen.

    It seems to me that the entire UAC model is little more than a bolt-on that does nothing to address the structural insecurity of Windows. It's like a house with an iron gate and stone wall along the street. But the wall only extends 15m in either direction. Walk around the wall and there's nothing. With *nix, you get a wall around the whole yard by default. Along with the option to put in a moat filled with sharks. With lasers strapped to their heads. Now that's the kind of 'fishy' poppa likes.

  • by benjymouse ( 756774 ) on Saturday March 29, 2008 @01:33PM (#22905816)
    I just wanted to add this: On my Vista x64 I have a service called "FlashUtil9e.exe - Adobe Flash Player Helper 9.0 r115". That's the broker process.

    It is running as *me*, with my rights. Not for long now, though. Bye Flash.

    Oh, and there's also an "Acrotray.exe" - from the same company. Guess what that does?
  • Re:Popcorn anyone? (Score:2, Interesting)

    by catmistake ( 814204 ) on Saturday March 29, 2008 @01:41PM (#22905856) Journal
    Like I keep saying, Adobe is the new Microsoft. I call Flash the third great scourge of the internets, after spam and malware/virii. Flash needs to be reined in before it turns every site into a blinking, broken monstrosity. I'm rooting for our hero Ajax to quell the desire to overuse such ugly, proprietary technology. I'd rather view unformatted txt pages than give up processor cycles to this decadent and invasive POS.
  • Not useless (Score:3, Interesting)

    by xant ( 99438 ) on Saturday March 29, 2008 @01:47PM (#22905890) Homepage
    It's not useless. It just shows that things are improving at the OS level. I'm not surprised by this. XP SP2 was a pretty substantial step in this direction, and OS X has made substantial strides as well (not that anybody's noticing). Seems like Vista did in fact improve in this area as well. So yes, if you're talking about the kernel and the stock OS, it's getting harder to compare security, because they are all much more secure than they ever were before.

    So the game has changed. The contest rules here have also changed, to reflect the new game. They built in the day-3 rule changes so that more exploits would be possible, to keep the contest interesting, knowing in advance that hacking the stock OS would be pretty hard.

    It's not just the stock OS security that matters, it's the security of the entire stack, and the software ecosystem it lives in. Give Microsoft and Apple credit for improving their cores, but you can still say Ubuntu has a better stack and ecosystem, and point to the same reasons why: open source, community testing, heterogeneity.
  • by kesuki ( 321456 ) on Saturday March 29, 2008 @04:01PM (#22906660) Journal
    Well, Firefox updating the day before a hacking contest would indeed make the Ubuntu platform (the only one where Firefox is default) the most secure, but one would think that if Firefox is going to play that way, that Microsoft would release any patches they had in development the day before too, to be on the same playing field.

    The fact that Apple got cracked first, and presumably in a Safari exploit, shows that Apple does not have the kind of security resources that either Firefox (supported by AOL and Google) or Microsoft can bring to a competition. Since the Microsoft Vista system was taken out by an Adobe vulnerability, and I often hear of Adobe products having security holes, they might be in the same kind of boat as Apple when it comes to releasing security patches.
  • by Allador ( 537449 ) on Saturday March 29, 2008 @07:31PM (#22908094)
    Maybe, maybe not.

    The guy that took down Vista claims that the same exploit can be used on Linux and OSX, just requires a few more hours' work.

    Not proven yet, but possible.
  • Re:Popcorn anyone? (Score:3, Interesting)

    by novakyu ( 636495 ) <novakyu@novakyu.net> on Saturday March 29, 2008 @09:08PM (#22908586) Homepage

    > Firstly, because SYSTEM and Administrator have different privilege levels.
    To me, that makes as much difference as between kernel-level access and userland access.

    That is, not a whole lot, as long as all you are trying to do is own the system or otherwise do malicious things to it. If you were a virus/trojan writer, would you ever hit yourself on the forehead saying, "Damn, this Administrator access isn't good enough. I need SYSTEM access to totally own this system"?*

    The truth is, at least before Vista (I wouldn't know about Vista since I never used it), Windows' security model was broken. No security model where the default user (as pointed out by my sibling poster) runs as superuser ever is.

    * On the other hand, if you are trying to install a rootkit, then you might need kernel-level access. But once you have superuser access, such things are fairly easy to do---modifying the kernel in memory may not be completely safe, but it's been done before.
  • Re:Popcorn anyone? (Score:4, Interesting)

    by xenocide2 ( 231786 ) on Sunday March 30, 2008 @01:09AM (#22909630) Homepage