March 29, 2008 11:36 AM PDT

Flash flaw leads to Vista laptop's fall

by Tom Krazit

It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.

Since it was the third day of the contest, which saw a MacBook Air get hacked on Thursday, the TippingPoint Zero Day Initiative relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.

TippingPoint's Aaron Portnoy, with Shane Macaulay and Alexander Sotirov (left to right), take control of a Windows Vista laptop.

(Credit: TippingPoint)

But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.

Shane Macaulay, Derek Callaway and Alexander Sotirov were able to gain control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.

The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the flaw could be reported privately to the vendor. Once Adobe and Apple have patched their flaws, the details will be disclosed.

A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.

Tom Krazit writes about the ever-expanding world of Internet search, including Google, Yahoo, online advertising, and portals, as well as the evolution of mobile computing. He has written about traditional PC companies, chip manufacturers, and mobile computers, spending the last three years covering Apple.

119 Comments
What does it mean?
by Vegaman_Dan March 29, 2008 1:29 PM PDT
"A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference."

There are several possible reasons for this:

A) Linux security was too tight
B) It's a Sony Vaio - nobody wanted it
C) No money for hacking it (the money was in the Apple and Vista systems, not Linux)

I'm not sure what the answer is there. Spin it how you want, it doesn't make a bit of difference in the end.
Scratch option C
by summershoe March 29, 2008 1:54 PM PDT
The money was the same for all the computers. Though the glory of hacking a Mac might have been a little higher than the rest.
Not OS security
by KTLA_knew March 29, 2008 2:29 PM PDT
All three operating systems stood up all day. It was Safari (Apple) and Flash (Adobe) that fell, not the laptop or OS makers.
There are many other possibilities:
by Hernys March 29, 2008 6:34 PM PDT
4) there's more expertise in Windows security
5) there's more to be gained from hacking Windows
6) just dumb chance
7) as the machine (different from the Apple one) was hacked not through an OS vuln but through an app vuln, the fact that there are more "common" windows applications than Linux applications opened more doors
8) ...
I can think of a few more if I try. Which obviously you didn't.
Security
by macrhino March 30, 2008 11:36 AM PDT
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
No money in Linux
by RainCaster March 31, 2008 7:30 AM PDT
Only the unemployed have the time or patience to deal with Linux. Since those users have no money, what is the point of breaking in to steal their PII?
Microsoft sponsors the contest
by ewelch March 29, 2008 3:35 PM PDT
'nuf said.
Yup
by The_Decider March 29, 2008 3:45 PM PDT
Funny how the most raped OS on the planet didn't get totally owned at a MS sponsored event. Yes, others sponsored it, but MS was the lead dog.

Funny how that works.

XP and Vista get owned thousands of times daily. Yet little here.

hmmm....
More FUD
by NewsReader_ March 29, 2008 7:30 PM PDT
Microsoft is one of *many* sponsors, including Google, Cisco, and Adobe.

http://www.cansecwest.com/sponsors.html

Following your flawed logic, I suppose Adobe did not pay off the hackers enough since their software was the vector for the Vista attack.
nuf of your stupidity
by smokified March 30, 2008 5:13 PM PDT
Even if it were true, how does that mean that it is a biased contest?
Apple lost - Microsoft Won
by EcuadorHomesOnline March 29, 2008 3:37 PM PDT
So why don't the headlines say it? I'm SO tired of Cnet's biased reporting. Having a headline that says "Flash flaw leads to Vista Laptop's fall" is just bad reporting - it should say "Macintosh Computer hacked first day of contest". For years now, when someone's servers are compromised, it's always mentioned in the article if it's a Windows based server. But the OS is never mentioned when it's a Unix/Linux based server (which is usually the case). Why are these reporters so biased?
Mac was not hacked on first day (none of the laptops were)!
by JuggerNaut March 29, 2008 5:39 PM PDT
Ummm... the Mac laptop was not hacked the first day and it was due to a flaw found in an application, not the OS, and involved as well as required social engineering to make it happen, the same thing that happened to the Windows laptop!
Mac Lost?
by macrhino March 30, 2008 11:34 AM PDT
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
Microsoft Lost - Linux Won.
by Penguinisto March 30, 2008 9:16 PM PDT
I guess that if I ever get a MacBook Air, I'd best not buy the $30 ethernet adapter option and plug a crossover cable into it!

Oh, wait... Microsoft didn't win either - by your logic, Ubuntu did (which incidentally is a desktop distro, and rarely used as a server OS variant).

Maybe the headlines should read about how Linux won and Microsoft lost instead?

/P
As usual the slanted news appears here
by rpsanders March 29, 2008 3:40 PM PDT
We see the headline touting the fall of Vista. What we get a brief mention of is that the mac went down faster than a 2 dollar hooker. The same crew that penetrated the vista machine stated they could have penetrated the linux box, and showed the early exploit outline they had to do it. Their ACTUAL statement was that given the time left in the contest, it wasn't worth the effort for the prize to put the work into finalizing the code to penetrate the linux box.

So we see as usual here, Microsoft BAD, whisper something about Apple but not enough for anyone to think we're speaking ill of them, and tout the greatness of Linux!

If you're going to report, at least try to show a pretext of journalistic integrity. This is exactly why MOST people do not consider bloggers journalists or even reliable.
The only thing slanted is you
by The_Decider March 29, 2008 3:43 PM PDT
There already was an article on CNET about the Mac hack.
They did report it....
by laynemoseley March 30, 2008 7:32 AM PDT
http://www.news.com/8301-13579_3-9905095-37.html?part=rss&subj=news&tag=2547-1_3-0-5

They already reported the MacBook's fall. And look at the title: "MacBook Air hacked in security contest". That doesn't look good for Apple...
Get full details by reading this story-
by spreadsmile March 29, 2008 3:44 PM PDT
http://www.cio.com/article/324313/With_Vista_Breached_Linux_Unbeaten_in_Hacking_Contest
Oh, you mean THIS part of the story?
by aemarques March 30, 2008 10:10 AM PDT
"Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest".
Or this one?
"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."
Hmmmm. I thought so...
Do the research
by sal-magnone March 29, 2008 4:11 PM PDT
You are reading too much FUD.

Check the Symantec site and dig up their '07 report. They call Vista "possibly the most secure [commonly used] OS available".

ADOBE, on the other hand, seems to be on a long-running losing streak across the Flash and Acrobat product lines.
Adobe's fault
by pfrabott March 30, 2008 6:49 AM PDT
It's important to point out that Vista was "untouched" until the Adobe software was introduced. I would say this is an Adobe problem, not a Vista problem.
Apple ads lie as usual...
by AppleSuxLeo March 30, 2008 3:42 AM PDT
Lots of code base from 1969 not sorted out by Apple as well as Safari/QuickSand being Swiss-cheese.
Note: Vista/IE7 runs in sandboxed mode and was not hackable. Flash is an Adobe product.
Note: Latest news bashed Apple for not patching code promptly like MSFT does. Steve Jobs is a bald-faced and bald-headed liar.
Get real!
by mreiher March 30, 2008 5:14 AM PDT
Get a life! UGH!

P.S. Real world use... I have NEVER in 20 years of owning a Mac (I have 5 of them now in my house) used ANY virus software and I have NEVER had any problems or reinstalled my OS or restored anything or had to wipe the drive clean and start over. I think most Windows users have to fess up to doing at least one of those a year. I had one (an OS 9 Mac laptop) that I took with me everywhere, internationally, and never even had a blip out of that machine for seven years before I retired it. I'd say that's impressive and shows the quality of Apple hardware.
LOL
by The_Decider March 30, 2008 10:24 AM PDT
What OS gets hacked in the real world thousands of times a day?

The code is not from 1969. Unix has been constantly updated. At least make your lies plausible.
Real Headline: Ubuntu Laptop Survives Crack Attempts
by parksje March 30, 2008 6:12 AM PDT
Funny how the fact that of the three systems tested, the one that withstood the attacks gets just one line at the bottom of the article.

Stop being chumps, people. Open source software works, it is free, and it is demonstrably more secure than the costly black-box systems like Windoze.

Think Linux is complicated? My nine-year-old just installed Ubuntu for my 74-year-old father-in-law, a man with no computer experience to speak of. The total installation time was about 25 minutes, and Ubuntu automatically detected all of his hardware, including an HP 3940 printer (and shared it!) all without any hitches or problems the first time through. My father-in-law is tickled at being able to just turn on his computer, have it boot up in 40 seconds, and just use his computer rather than spend his time dealing with problems and my son is happy that he doesn't have to spend his time fixing granddaddy's computer any more.
great for your kid and his grand daddy
by pol;0987 March 30, 2008 6:46 AM PDT
but now let's have grand daddy install apps and use 'em. Does your daddy know compile routines? The thing that is keeping the masses away from Linux is apps and ease of use. Will iTunes work for him? And please let's not get all high n mighty about drivers, we know the truth.
Ubuntu
by baggyguy1218 March 30, 2008 10:10 AM PDT
Who cares, man. The argument over Linux or Windows, I say, WHO CARES. I have used Ubuntu, it is at best good. It is usable, comparable and that's it. No one cares any more.
another "granny-did-not-notice" cliché?
by Grzegorz_Z March 30, 2008 2:38 PM PDT
> My nine-year-old just installed Ubuntu for my
> 74-year-old father-in-law, a man with no computer
> experience to speak of.

Ubuntu (and any Linux-based OS) is a CLI-based system. There are hundreds of tasks which require "compiling" or running some commands. For example, to diagnose the error messages of a specific app (Azureus?) which displays error messages only when started from the command line and simply disappears when started by clicking on the icon.

Recently I had to configure an IrDA connection and Internet access via a GSM phone - try to do it in Ubuntu WITHOUT the command line.

What interest do you have in spreading lies? GNU/Linux systems ARE difficult to maintain, much more difficult than Windows, and still require toying with the command line.

Do you run a "Linux support company" and want more customers who cannot do trivial maintenance tasks in that "1-click system"?

Ubuntu and similar distros are great OSes, but saying that "everything is configurable in them by clicking" is simply an act of misinformation and fraud.
I agree
by mahurshi March 30, 2008 5:20 PM PDT
>> Funny how the fact that of the three systems tested, the one that withstood the attacks gets just one line at the bottom of the article.

I absolutely agree with your statement which I pasted above.

mahurshi
We have all wanted to use Linux...but...
by soggy0 March 31, 2008 10:44 AM PDT
...only now is it really ready for primetime on the desktop. So it's not that you are stating the obvious to the rest of us, it's only now that we can install it and it runs without having to learn mget and all the other "scary" command line instructions...

~From a noob 'nix user via winbloze
ADOBE IS HORRIBLE
by bxwatso March 30, 2008 7:34 AM PDT
This is further evidence that Adobe just doesn't care about Windows, especially Vista.

1. No IE x64 Flash
2. Flash crashes Vista IE all the time
3. It took forever to get even a marginally OK Vista Flash
4. Acrobat still doesn't fully support the Vista UI

Adobe hates MS, it's clear, but the millions of Vista users will eventually go elsewhere for these solutions. Adobe doesn't have the market power to prevent Vista migrations forever.
Adobe is the new Microsoft
by ss_Whiplash March 30, 2008 8:09 AM PDT
In terms of being a slow, bloated company that is writing software which is militant about licensing, insanely expensive, bloated, and less user friendly with each release, Adobe is the new Microsoft.
You're kidding right?
by blackie8 March 30, 2008 12:50 PM PDT
vista is the most bloated not-ready-for-prime-time malodorous fecal matter to hit code in a long time. I'm migrating from XP to Ubuntu. There is enough open source now that Microdick is starting to look like Bear Stearns or Delorean. Thanks for playing however.
Adobe makes crapware...
by AppleSuxLeo March 30, 2008 2:26 PM PDT
And that is exactly why Silverlight will "light" the way to the future. Silverlight is totally cross-platform, uses fewer CPU cycles, and has a smaller footprint. Flash was a "flash-in-the-pan".
another note
by laynemoseley March 30, 2008 7:36 AM PDT
another note about the Macbook Air getting hacked...

It was only possible with user intervention. People that use Macs are stupid, and so in the real world the flaw doesn't matter...:)

So therefore Macs are still better, always will be. Windows eats Mac s*** for breakfast, and likes it.
Oh Really?
by macrhino March 30, 2008 11:33 AM PDT
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
Apple ads lie??
by macrhino March 30, 2008 11:35 AM PDT
Nonsense
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/
Yes EVERYBODY should read it
by Lee in San Diego March 31, 2008 7:13 AM PDT
The Roughly Drafted article http://www.roughlydrafted.com/2008/03/31/thom-holwerda-of-osnews-calls-?mac-shot-first?-misinformation-and-slander-oops/
both of them :)
by spreadsmile March 30, 2008 2:43 PM PDT
both of them...:)
Now just a second here...
by Penguinisto March 30, 2008 4:58 PM PDT
...Adobe Flash is one of the very first things a user sticks on their machine, making it just as much of a web-based exploit as the one that popped the Mac.

QED: Vista is vulnerable.

...meanwhile, the Linux-based box remains (naturally) unscathed... :)

/P
moron
by smokified March 30, 2008 5:07 PM PDT
Flash is used on Macs too.
yes moron
by FutureGuy March 31, 2008 8:13 AM PDT
"In theory, the Flash vulnerability is cross-platform. In other words, the same hole might be used to crack Linux or other operating systems."

http://www.desktoplinux.com/news/NS2702127176.html

You read it right, it's from the desktoplinux site; at least you can't say they have a pro-Vista bias. Obviously no one can confirm that till the vulnerability is made public.
RE: Now Just a Second Here....
by mbryant32 April 1, 2008 12:41 PM PDT
What about the MacBook? Why did it fall before Vista and Internet Explorer? I thought it was supposed to be the more secure option and Microsoft was all junk?!
Vista x86 or x64?
by webdev511 March 30, 2008 6:36 PM PDT
and would that have made a difference? Guess we'll find out when the flaw is finally revealed.
Also ran...
by kojacked March 30, 2008 9:52 PM PDT
...Linux

'nuf said on that subject.
Linux also likely vulnerable to Flash flaw
by FutureGuy March 31, 2008 8:15 AM PDT
"In theory, the Flash vulnerability is cross-platform. In other words, the same hole might be used to crack Linux or other operating systems."

http://www.desktoplinux.com/news/NS2702127176.html

It's from the desktoplinux site; at least one can't say they have a pro-Vista bias. Obviously no one can confirm that till the vulnerability is made public.
Theory vs. Practice
by Penguinisto March 31, 2008 10:37 AM PDT
A 3rd-party app exploit has two stages: The app, and the underlying OS.

Desktop Linux states the possibility, but no actuality (and obviously it didn't break on the Ubuntu box, so...)

/P
if you have to ask
by dinoegg#1 March 31, 2008 9:23 AM PDT
you'll never know
Should Apple drop Open Source?
by kool_skatkat March 31, 2008 11:50 PM PDT
If Open Source (WebKit) makes Apple less secure, should Apple drop all the Open Source it can afford to?

Would the same flaw affect Windows, Linux? If yes, the research is using Apple's popularity instead of pointing the blame where it should... Open Source?

Just questions....

http://www.flickr.com/photos/kool_skatkat/
No good researcher?
by kool_skatkat April 1, 2008 1:47 AM PDT
On their site, they've only got two things in 9 months to brag about. They both had to do with Safari. MMM... Gold-diggers riding on Apple's success? Or who's paying them?

March 27, 2008
ISE wins Pwn to Own at CanSecWest by taking over a MacBook Air.

July 23, 2007
ISE discovers security vulnerabilities in the iPhone.