Slashdot Mirror


Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

337 comments

  1. What kind of exploit? by Anonymous Coward · · Score: 2, Insightful


    Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


    It depends what kind of exploit that was.

    1. Re:What kind of exploit? by brassman · · Score: 1, Interesting

      I find the timing odd, in that all my copies of Firefox updated themselves from 2.0.0.12 to .13 the day before the contest. Wonder what would have happened if the contest had been started two days sooner... or two days later, for that matter?

      Or is 2.0.0.13 comparable in any way to Safari 3.1?

      Security (is|as) a moving target....

      --
      "Ain't no right way to do a wrong thing."
    2. Re:What kind of exploit? by kesuki · · Score: 3, Interesting

      Well, Firefox updating the day before a hacking contest would indeed make the Ubuntu platform (the only one where Firefox is default) the most secure, but one would think that if Firefox is going to play that way, that Microsoft would release any patches they had in development the day before too, to be on the same playing field.

      The fact that Apple got cracked first, and presumably in a Safari exploit, shows that Apple does not have the kind of security resources that either Firefox (supported by AOL and Google) or Microsoft can bring to a competition. Since the Microsoft Vista system was taken out by an Adobe vulnerability, and I often hear of Adobe products having security holes, they might be in the same kind of boat as Apple when it comes to releasing security patches.

    3. Re:What kind of exploit? by kesuki · · Score: 4, Informative

      I realize this is Slashdot, so for those who didn't read TFA: the contest was to, in a 30-minute attack slot, read the contents of a specific file in a specific folder. Each day different exploits could be tested, but only popular software that is normally installed counted.

      Day one was pure network attacks; nobody got in on day one. Day 2 was email and URL based attacks. Only the Mac got won on day 2. On day 3 you could add non-default but popular software from a list (couldn't find the list anywhere on the net, sigh) and Adobe Flash was vulnerable, so the Vista machine got taken.

      Ubuntu held up for all 3 days, but because only popular and default software could be added, this could bring a false sense of security. There are many ways to 'design' a supposedly open source software package on, say, sourceforge.net but to have a compromised binary that was made with slightly altered source code... to get a trojan on a Linux system. Repositories tend to be fairly well monitored, but there have been times where applications that are trojans have gotten into widely used repositories. As far as I can tell, SourceForge has no real method for testing if software contains trojans or not, so it's purely up to the community that uses SourceForge to report bad software, etc. I imagine that Freshmeat is the same, and many, many Linux users use SourceForge or Freshmeat to find specific Linux applications they need or want...

      Maybe there aren't enough Linux users yet to make this a huge issue, but with Microsoft's brand image going south (kinda the way IBM's did in the 90s), Linux is sure to be finding more and more people who would rather deal with OSS than with Bill Gates.

    4. Re:What kind of exploit? by Allador · · Score: 2, Insightful

      The interesting thing here is that if the Flash vuln was running on IE, it should have been ineffective against the OS, unless somehow the Flash executable somehow creates an escalation vulnerability in the OS (which obviously is silly).

      I wonder if Flash was attacked via Firefox, or in some other fashion. Through IE, running as a non-admin and with the IE7 on Vista sandboxing, any vuln in flash should have been pretty useless in owning the OS.

      I wish there were more details posted.

      Also interesting that the folks who took down the Vista box said it's a couple hours of work from this being effective against OSX and Linux as well.

    5. Re:What kind of exploit? by Allador · · Score: 1

      the contest was to in a 30 minute attack slot, read the contents of a specific file, in a specific folder.

      It's so frustrating that more information isn't provided.

      Reading the contents of a file in a folder can range from very difficult to very easy, depending on the details.

      If it's a file in the browser cache folder that the browser and anything running through the browser has access to, then it's a fairly meaningless contest.

      If it's a file in the user's profile somewhere that the desktop user has access to, but most typical apps (browser, etc.) won't have access to normally, then that's slightly more difficult.

      If it's a file in a folder where the file system ACLs deny read to the user on the desktop, then that's a much, much harder attack scenario than the others.
    6. Re:What kind of exploit? by Anonymous Coward · · Score: 0

      I was frustrated that the list of software they could add on day 3 wasn't online, so yeah, they really did skimp on the details...

  2. Popcorn anyone? by cizoozic · · Score: 5, Funny

    How's that for fueling religious platform wars?

    Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!
    1. Re:Popcorn anyone? by garett_spencley · · Score: 4, Funny

      "Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

      What kind ?

      And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!

    2. Re:Popcorn anyone? by nofrak · · Score: 2, Interesting

      To celebrate the winner, may I suggest free beer?

    3. Re:Popcorn anyone? by MT628496 · · Score: 0, Redundant

      Make mine a Guinness :)

    4. Re:Popcorn anyone? by call-me-kenneth · · Score: 5, Insightful

      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)

    5. Re:Popcorn anyone? by tzot · · Score: 5, Funny

      (What kind of beer?) And if you say a light North American lager [snip]
      He said he'd bring the beers, not that he would make love in a canoe ;)
      --
      I speak England very best
    6. Re:Popcorn anyone? by MikeDX · · Score: 4, Informative

      How on earth is this offtopic?

      The Monty Python joke goes along the lines of, "This lager is like making love in a canoe - it's fucking close to water"

    7. Re:Popcorn anyone? by SpzToid · · Score: 3, Insightful

      I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

      So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    8. Re:Popcorn anyone? by X0563511 · · Score: 1

      Suggested tag: attackofthetrolls
      or... whentrollsattack

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Popcorn anyone? by Zero__Kelvin · · Score: 4, Informative

      "What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
      It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

      The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely beside the point if Flash is flawed in the same way, though there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:Popcorn anyone? by popmaker · · Score: 1

      I'll make the popcorn!

    11. Re:Popcorn anyone? by Anonymous Coward · · Score: 0

      Sorry to disappoint you, there will be no flamewar because after this everybody knows that Umbongo is the best desktop OS, period.

    12. Re:Popcorn anyone? by billcopc · · Score: 1, Insightful

      Proof that we're getting too old for Slashdot.

      Get these n00bs off my lawn!

      --
      -Billco, Fnarg.com
    13. Re:Popcorn anyone? by CastrTroy · · Score: 0, Redundant

      Guinness FTW.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    14. Re:Popcorn anyone? by domatic · · Score: 2, Informative

      Ubuntu 8.04 will include AppArmor by default. I don't know how much of a difference it will make in a pressure cooker like a hacking competition though.

    15. Re:Popcorn anyone? by phantomfive · · Score: 4, Funny

      There's no religious war here. Ubuntu is clearly the best.

      --
      Qxe4
    16. Re:Popcorn anyone? by Foofoobar · · Score: 1

      Well on Windows, sandboxing of permissions is different. There might still be the exploit but the level of vulnerability would most likely be higher on a Windows system as a result of IE running at a SYSTEM level permission rather than a USER level like in Mac or Linux. Change to a different browser like Firefox on Windows and you will be safer.

      --
      This is my sig. There are many like it but this one is mine.
    17. Re:Popcorn anyone? by Almahtar · · Score: 1

      It comes IN PINTS?! imgettingone.

    18. Re:Popcorn anyone? by Almahtar · · Score: 4, Funny

      No. You make the pop. That is your role, and you will accept it.

    19. Re:Popcorn anyone? by VertigoAce · · Score: 4, Informative

      Actually, IE on Vista runs with fewer permissions than a normal User account by default. It runs as a low-integrity process. This means that it loses access to most of the user's files (it has access to things like the temp directory for storing cookies, cache, etc.). See MSDN for details.

    20. Re:Popcorn anyone? by Vectronic · · Score: 1

      I'm not sure if there is a posting of rules, or what those rules may be... (such as that the user can only use the default browser the OS comes with) but reading the blog, it doesn't specify what browser the Vista machine was running at the time...

      And, what about browsers inside applications?... such as WinAmp, or XMP... or various pre-packaged media players (and assorted) that come with HPs, Dells, etc... yes the blame falls on Vista's (or at least 'suggested' IE) shoulders... but, I'll wait to see if this is Vista/IE only... and Adobe/Macromedia/Flash deserves a smack as well...

      P.S. although Vista is rather sluggish/glitchy in some ways, I don't hate it (yet), at least not on my hardware/configurations...

    21. Re:Popcorn anyone? by catmistake · · Score: 2, Interesting

      Like I keep saying, Adobe is the new Microsoft. I call Flash the third great scourge of the internets, after spam and malware/virii. Flash needs to be reined in before it turns every site into a blinking, broken monstrosity. I'm rooting for our hero Ajax to quell the desire to overuse such ugly, proprietary technology. I'd rather view unformatted txt pages than give up processor cycles to this decadent and invasive POS.

    22. Re:Popcorn anyone? by Foofoobar · · Score: 1

      This must have changed recently in Vista. Glad to see they learned their lesson.

      --
      This is my sig. There are many like it but this one is mine.
    23. Re:Popcorn anyone? by Anonymous Coward · · Score: 1, Insightful

      It's been in there since the beginning of Vista. It's part of UAC.

    24. Re:Popcorn anyone? by Cheerio+Boy · · Score: 2, Funny

      Proof that we're getting too old for Slashdot. Get these n00bs off my lawn!

      You must be new here.
      --

      "Bah!" - Dogbert
    25. Re:Popcorn anyone? by Larry+Lightbulb · · Score: 1

      Do they make it in the Congo?

    26. Re:Popcorn anyone? by dpilot · · Score: 4, Funny

      Clearly the way to rein in Flash is with Silverlight, then.

      This thread IS for religious wars, isn't it?

      --
      The living have better things to do than to continue hating the dead.
    27. Re:Popcorn anyone? by YaroMan86 · · Score: 2, Informative

      Actually, AppArmor was included by default in 7.10.

    28. Re:Popcorn anyone? by HappySmileMan · · Score: 1

      No idea where the hell you are but ALL beer/cider/lager comes in pints over here (Ireland), unless I'm missing some joke.

    29. Re:Popcorn anyone? by doxology · · Score: 2, Informative

      8.04 will include SELinux, I think... AppArmor is already available afaict.

      --
      sigfault. core dumped.
    30. Re:Popcorn anyone? by drsmithy · · Score: 4, Informative

      Well on Windows, sandboxing of permissions is different. There might still be the exploit but the level of vulnerability would most likely be higher on a Windows system as a result of IE running at a SYSTEM level permission rather than a USER level like in Mac or Linux. Change to a different browser like Firefox on Windows and you will be safer.

      IE does not, and never has, run as SYSTEM. Prior to Vista it runs as the user who starts it. In Vista it runs with privileges lower than a regular user.

      I realise Slashdot is as anti-Microsoft as they come, but it's still surprising to see the same FUD about IE still being spewed 10+ years after it was shown to be false.

    31. Re:Popcorn anyone? by drsmithy · · Score: 0, Flamebait

      This must have changed recently in Vista. Glad to see they learned their lesson.

      No, it hasn't changed because it was never true.

    32. Re:Popcorn anyone? by DAldredge · · Score: 0, Flamebait

      Well, the open source world was unable to come up with a better product so Microsoft had to.

    33. Re:Popcorn anyone? by catmistake · · Score: 1

      No, no, no, dude. It's the same and it's worse. Silverlight is merely another Microsoft attempt to lock users into proprietary software. If Silverlight had the install base that Flash has, Microsoft would cease supporting Silverlight on any browser/server but theirs. Web pages are for viewing HTML. Why not make your own WWW, that browses with Flash, or Silverlight or whatever, and leave the WWW alone?

    34. Re:Popcorn anyone? by Anonymous Coward · · Score: 0

      Most beer comes in 12 oz. cans in the US.

      Which sucks, why does the one thing that we Americans have a smaller serving size for have to be beer?

    35. Re:Popcorn anyone? by HappySmileMan · · Score: 1

      We get cans as well but if you ask for a drink in a pub they'll give you a pint poured from the tap, I'd assume it's same over there

    36. Re:Popcorn anyone? by dpilot · · Score: 1

      Whoooosh.

      I didn't think a sarcasm emoticon was necessary.

      --
      The living have better things to do than to continue hating the dead.
    37. Re:Popcorn anyone? by ConceptJunkie · · Score: 1

      N00bs indeed. Now leave me alone while I play ADVENT, read DECwars, and hang up my ASCII Snoopy calendars.

      --
      You are in a maze of twisty little passages, all alike.
    38. Re:Popcorn anyone? by theArtificial · · Score: 1, Informative

      It's a reference to Lord of the Rings.

      --
      Man blir trött av att gå och göra ingenting.
    39. Re:Popcorn anyone? by nuOpus · · Score: 2, Insightful

      What are you talking about? Browsers and their plugins have access to everything. Do something as simple as post a picture in MySpace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser. How is this limiting browser access to the temp directory? If a simple scriptlet can do that, it's not like you say. Anyone who has ever used Internet Explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry. One could exploit that to create a faux driver and do malicious activity with it.

    40. Re:Popcorn anyone? by novakyu · · Score: 1

      IE does not, and never has, run as SYSTEM. Prior to Vista it runs as the user who starts it. In Vista it runs with privileges lower than a regular user.

      So, prior to Vista, when it ran as the user who starts it, given that over 90% of the cases the default user has complete and unlimited access to the system files, how is running as user different from running as SYSTEM? (And, yes, I pull that "90%" figure out of my arse---but I'll bet it's higher.)
    41. Re:Popcorn anyone? by canuck57 · · Score: 1

      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day?

      I don't know the details, when released there will be some good write ups on this.

      But that the Flash player might be vulnerable in all 3 is definitely possible. The difference though is in how UNIX/Linux would have a clear process separation between the Flash process, the user application and the operating system, which in MS-Windows is not so. It could be as simple as the browser too, say chrooting the Flash player - so what if you crash it or break into nothing. You need to Pwn20wn it.

      In any case, they found a way to avoid Cancel/Allow and Pwn20wn they went.

    42. Re:Popcorn anyone? by canuck57 · · Score: 1

      I realise Slashdot is as anti-Microsoft as they come, but it's still surprising to see the same FUD about IE still being spewed 10+ years after it was shown to be false.

      Oh MS one, then how did they bypass Cancel/Allow or Continue/Cancel?

    43. Re:Popcorn anyone? by recoiledsnake · · Score: 1

      Maybe by using a different browser like Firefox? Those prompts come up only with IE7 protected mode or user processes requesting admin privileges.

      --
      This space for rent.
    44. Re:Popcorn anyone? by drsmithy · · Score: 4, Informative

      So, prior to Vista, when it ran as the user who starts it, given that over 90% of the cases the default user has complete and unlimited access to the system files, how is running as user different from running as SYSTEM? (And, yes, I pull that "90%" figure out of my arse---but I'll bet it's higher.)

      Firstly, because SYSTEM and Administrator have different privilege levels.

      Secondly, because there is a vast gulf of difference between the statements "IE runs as SYSTEM" and "IE runs as the user, which is sometimes Administrator, and I think that Administrator and SYSTEM are the same". One is a (serious) architectural problem, the other is an end-user configuration problem. Trying to say they are equivalent is at best ignorance and at worst lying.

      Finally, while most home systems would certainly be running users as Administrator, most managed corporate systems would not. 90% is a ridiculous over-estimate of how many XP systems only have "Administrator" users.

    45. Re:Popcorn anyone? by drsmithy · · Score: 1

      Oh MS one, then how did they bypass Cancel/Allow or Continue/Cancel?

      What ?

    46. Re:Popcorn anyone? by VertigoAce · · Score: 1

      Sorry about that, I should have said IE (and its plugins) have read-only access to files. You would find that a plugin will get access denied errors if it tries to modify or add any new files. This means that a bug in a plug-in, such as the one found in Adobe Flash at this contest, can't be used to store a malicious program on your system and trick you into running it as admin (say by using the icon and name of a file that you typically run as Admin, such as regedit and placing a shortcut to it in your Start Menu).

      In other words a security vulnerability in IE or a plugin will result in read-only access to files that the user has access to. For most programs, a security vulnerability results in full access to all files that the user has access to (if the user can write to it, the attacker can write to it). Obviously the security vulnerability is a problem in either case, but in many situations an attacker can do far more damage by modifying files (such as the example above for gaining admin access at a later point in time).

    47. Re:Popcorn anyone? by c.r.o.c.o · · Score: 1

      Firstly, because SYSTEM and Administrator have different privilege levels.

      Both are equally capable of hosing the system, therefore almost as dangerous. From this point of view you're really just splitting hairs.

      Secondly, because there is a vast gulf of difference between the statements "IE runs as SYSTEM" and "IE runs as the user, which is sometimes Administrator, and I think that Administrator and SYSTEM are the same". One is a (serious) architectural problem, the other is an end-user configuration problem. Trying to say they are equivalent is at best ignorance and at worst lying.

      Finally, while most home systems would certainly be running users as Administrator, most managed corporate systems would not. 90% is a ridiculous over-estimate of how many XP systems only have "Administrator" users.

      I've installed dozens of XP systems over the years, and every single time the default setting is to create a user account with Administrator privileges. Even computers that are preinstalled by OEMs have those same settings. As far as I'm concerned, that IS an architectural problem. You simply cannot expect end users to go beyond the default choices MS made.

      The assumption that corporation systems do not run users with Administrator privileges doesn't change the situation for two reasons. First not ALL corporations manage their systems properly. Second, the vast majority of XP installs are on consumer systems. And THOSE are the ones targeted by malware, virii, etc.

    48. Re:Popcorn anyone? by Allador · · Score: 2, Insightful

      Actually, I'd say you've got it backwards.

      On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.

      But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, it's running as a user process that has almost zero ability to write or read anywhere on the file system.

      Which makes me wonder if this attack was via Flash on Firefox, which would be much more vulnerable to this type of disclosure attack than Flash on IE (as long as the site wasn't in Trusted Sites on the IE).

      Now mind you, some of the mandatory access control packages on Linux systems can strongly mitigate this, much like IE7 on Vista. I can't say whether these would apply to Firefox, say, on a typical Linux distro though.

    49. Re:Popcorn anyone? by Allador · · Score: 1

      Dude, where do you get your information? Your whole post is based on completely inaccurate information.

      IE has NEVER run as SYSTEM on any NT based version of Windows. Suggesting otherwise is just flat making crap up.

      IE or Firefox on WinXP run as the user account of the user who launches it.

      IE7 on Vista is much better protected, as it runs as a user account with all the security tokens stripped, so basically has zero perms to read or write to the file system, other than a very small number of cache locations.

      I know it's the trendy thing to do here on /. to buy into the groupthink and swallow whatever crap Twitter tells you, but that's just nonsense.

    50. Re:Popcorn anyone? by Allador · · Score: 3, Informative
      The level of ignorance about the technical underpinnings of Windows on /. is appalling.

      Browsers and their plugins have access to everything.

      Incorrect. Browsers and their plugins have access to whatever security account they are being run as. Typically that's a non-priv'd user using the desktop. This means read access to most of the OS and write access to their profile area and some common temp areas. Pretty much like any other mainstream OS in fact.

      Do something as simple as post a picture in myspace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser.

      That's because YOU (i.e., the account of the person who launched the browser) has access to read most of the file system. Note that this isn't some magical ActiveX control that is installed by the browser. A file-browser with upload capability is built into every browser.

      If a simple scriptlet can do that, its not like you say.

      This isn't the behavior of a scriptlet, it's functionality built into the browser.

      Anyone who has ever used Internet explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry.

      Again, only if you have permission to install that printer in the first place. This is no different than the 'click n print' functionality you use all the time in a domain. Type \\servername\ into explorer, then double click one of the printers there.

      And this only works if the server in question is in your Trusted Sites or Intranet Sites in IE.

      Non-admin users installing printer drivers is something that is controllable via AD and Group Policy. If you set it, it loosens up ACLs and privs in a very specific and limited part of the system that lets non-admin users install printers.

      This isn't rocket science or magic.

      One could exploit that to create a faux driver and do malicious activity with it.

      Only if several things line up together:

      1. The server who hosts this printer driver is in your IE's Trusted Locations or Intranet Locations.

      2. The configuration to let non-admin users install printer drivers is set on your machine.

      3. There is a hole big enough within the security loosening from #2 to do anything interesting with to own the OS.

    51. Re:Popcorn anyone? by delire · · Score: 1, Insightful

      But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, its running as a user process that has almost zero ability to write or read anywhere on the file system.
      How then does a user of IE7 on this operating system - the owner of this completely pwn'd process - download files, save a browsing history or save bookmarks? To RAM? Do they "Accept or Deny?" on every visited website?

      Didn't think so..
    52. Re:Popcorn anyone? by HiThere · · Score: 1

      I think that's actually a pretty good approach, and one that I have long supported.

      Well, what I want is a slight variation. I want to be able to do things like:
                su network -c "firefox"
      where network is the user name of the account. Unfortunately, if I try that I get:
                Xlib: connection to ":0.0" refused by server
                Xlib: No protocol specified

                (firefox-bin:20368): Gtk-WARNING **: cannot open display: :0.0

      I realize that this only makes sense on a machine that's essentially used by only one person, but that describes my computer, and also *most* Linux systems these days.

      Anyway, if this worked, then a local browser (or other isolated application) exploit couldn't damage anything but the particular files used by the application that had THAT user id. The problem appears to be in XWindow, but my attempts to configure XHost didn't allow an altered user ID to open a GUI window. (They can do most anything else, though. Perhaps there's a good reason why this isn't allowed.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    53. Re:Popcorn anyone? by Allador · · Score: 3, Informative

      Well how about instead of making silly statements like this, you go read the documentation on IE7 protected mode. It quite thoroughly answers your question.

      I'll even be nice and give you some of the information.

      There are special cache locations in the registry and user profile called 'Low' that are the only places readable/writeable by IE7 in protected mode.

      I did misspeak in one sense in my post .... protected mode primarily restricts the browser process from WRITING to almost everywhere. I don't believe it restricts reading any more than the regular user account that it's run under has rights to.

    54. Re:Popcorn anyone? by Allador · · Score: 1

      I believe you can effectively do this on linux in one of a couple ways:

      setuid/seteuid

      and I think the AppArmor and SELinux gives you some abilities in this area.

      Not my area of expertise however, so can't say definitively.

      Apparently though, after reading this post I think Flash sets up something that effectively disables Protected Mode in IE7 for it. Which is quite irritating.

      You can parent up a few times to see the context.

    55. Re:Popcorn anyone? by HiThere · · Score: 1

      The problem with setuid/seteuid is that they need to be issued at program edit time rather than at run time.

      What I want is to change the user id (and options) of an application at invocation time to be something that was not predictable at an earlier time. And isn't predictably the same on all systems. Also I want all files created by the application to be created with the specified UID and in the home directory of the specified user. And for the application to only be able to read files in that directory.

      I think that something like this could be managed with SELinux, but that's really heavy-weight overkill for what I'm after (so I haven't investigated).

      I can already do this with non-gui applications, so that's the main part of the work already done. But I don't know *why* I can't do this with GUI applications. And there may be a good reason, so I don't want to push.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
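
Added example, not part of the thread: several comments above argue over what a compromised browser could read when it runs as the desktop user versus under a separate account (the `su network -c "firefox"` idea). This Python audit models classic POSIX owner/group/other checks over a directory tree and lists which files each identity could read. The tree, the file names and the second account are constructed, directories above the audited root are assumed traversable, and ACLs and MAC policy (AppArmor, SELinux) are not modelled.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    """Identity a process runs under (values here are constructed for the audit)."""
    uid: int
    gids: frozenset


def allowed(st, creds, other_bit):
    """Classic POSIX check: owner bits, else group bits, else other bits.

    other_bit is stat.S_IROTH (read) or stat.S_IXOTH (directory search).
    ACLs, capabilities and MAC policy (AppArmor, SELinux) are not modelled.
    """
    if creds.uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == creds.uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid in creds.gids:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def readable_files(root, creds):
    """Relative paths of regular files under root that creds could open for reading.

    A file is reachable only if every directory on the way grants search (x)
    permission and the file itself grants read (r). Symlinks are skipped.
    """
    readable = []

    def walk(directory, rel):
        if not allowed(os.lstat(directory), creds, stat.S_IXOTH):
            return  # cannot traverse: everything below is out of reach
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            child_rel = os.path.join(rel, name) if rel else name
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                walk(path, child_rel)
            elif stat.S_ISREG(st.st_mode) and allowed(st, creds, stat.S_IROTH):
                readable.append(child_rel)

    walk(root, "")
    return readable


# Constructed sample standing in for a desktop user's home directory.
SAMPLE_TREE = {
    # directory: (directory mode, {file name: file mode})
    "Documents": (0o755, {"taxes.txt": 0o600, "notes.txt": 0o644}),
    "Public": (0o755, {"readme.txt": 0o644}),
    "private": (0o700, {"diary.txt": 0o644}),
}


def build_sample_home(base):
    """Create the constructed tree under base and return the owner's Creds."""
    os.chmod(base, 0o755)
    for dirname, (dir_mode, files) in SAMPLE_TREE.items():
        dirpath = os.path.join(base, dirname)
        os.mkdir(dirpath)
        for name, file_mode in files.items():
            filepath = os.path.join(dirpath, name)
            with open(filepath, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(filepath, file_mode)
        os.chmod(dirpath, dir_mode)
    st = os.lstat(base)
    return Creds(st.st_uid, frozenset({st.st_gid}))


def compare_exposure():
    """Return (readable as the desktop user, readable as a separate account)."""
    with tempfile.TemporaryDirectory() as base:
        desktop = build_sample_home(base)
        # Hypothetical dedicated account, like the thread's "network" user:
        # a different uid that shares no group with the desktop user.
        network = Creds(desktop.uid + 1, frozenset({max(desktop.gids) + 1}))
        return readable_files(base, desktop), readable_files(base, network)


if __name__ == "__main__":
    as_desktop, as_network = compare_exposure()
    print("browser running as the desktop user can read:", as_desktop)
    print("browser running as a separate account can read:", as_network)
```

The world-readable `diary.txt` stays out of reach of the separate account because its parent directory is mode 0700: search permission on the directory is checked before the file's own bits.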
    56. Re:Popcorn anyone? by novakyu · · Score: 2, Interesting

      Firstly, because SYSTEM and Administrator have different privilege levels. To me, that makes as much difference as between kernel-level access and userland access.

      That is, not a whole lot, as long as all you are trying to do is own the system or otherwise do malicious things to it. If you were a virus/trojan writer, would you ever hit yourself on the forehead saying, "Damn, this Administrator access isn't good enough. I need SYSTEM access to totally own this system"?*

      The truth is, at least before Vista (I wouldn't know about Vista since I never used it), Windows' security model was broken. No security model where the default user (as pointed out by my sibling poster) runs as superuser ever is.

      * On the other hand, if you are trying to install a rootkit, then you might need kernel-level access. But once you have superuser access, such things are fairly easy to do---modifying the kernel in memory may not be completely safe, but it's been done before.
    57. Re:Popcorn anyone? by drsmithy · · Score: 1

      That is, not a whole lot, as long as all you are trying to do is own the system or otherwise do malicious things to it. If you were a virus/trojan writer, would you ever hit yourself on the forehead saying, "Damn, this Administrator access isn't good enough. I need SYSTEM access to totally own this system"?*

      How unsurprising that everyone is focusing solely on the insignificant issue of the differences between SYSTEM and Administrator and completely ignoring the _important_ point that IE runs *as the user* not as SYSTEM.

      The truth is, at least before Vista (I wouldn't know about Vista since I never used it), Windows' security model was broken.

      No, it wasn't. Vista and Windows (NT) <Vista have the same security model. They have different interfaces to it, and Vista has more extensive hackery to fool poorly-written applications into working with it, but the security _model_ is the same.

      No security model where the default user (as pointed out by my sibling poster) runs as superuser ever is.

      Firstly, Windows doesn't have the concept of a 'superuser'. All user accounts are subject to ACLs (unlike "classic" UNIX).
      Secondly, having a default user as admin is a (minor) configuration semantic (and one that isn't even present when the machine is part of a Domain). It says nothing about the security model. Logging into a Linux system as root vs a regular user (or, for perhaps a better example, a user in the 'wheel' group vs a user who isn't) does _nothing_ to change the security model. All it does is change what you are allowed to do.

      The difference between Vista and earlier versions is basically the same as the difference between older Linux distros that didn't automatically pop up graphical sudo prompts and newer distros that do. While there's a bit more sleight of hand going on behind the scenes in Vista to pander to broken applications, the fundamental security architecture is the same in Vista as it was in Windows NT 3.1, 15-odd years ago (and it is far superior to "classic" UNIX).

    58. Re:Popcorn anyone? by mollymoo · · Score: 1

      Why would they need to? They only needed to read a file to win the competition and every OS is pretty permissive about reading files. It's not like they had to install a rootkit.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    59. Re:Popcorn anyone? by xenocide2 · · Score: 3, Interesting
      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

    60. Re:Popcorn anyone? by xenocide2 · · Score: 1

      If you could drop Firefox to "nobody", would that be less secure than a random non-privileged user?

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

    61. Re:Popcorn anyone? by jcast · · Score: 2, Informative

      But I don't know *why* I can't do this with GUI applications. And there may be a good reason, so I don't want to push.

      Permitting a program to connect to the X server is a pretty big statement of trust, since it has to have at least the same level of permissions the window manager does. So it's fairly carefully controlled. There are ways of making su work, which hail from back when you used telnet to do remote login and your GUI apps connected directly back to a public TCP/IP port on your terminal to get at the X server, but they're obsolete. These days, the fastest way to do what you want is to substitute ssh for su.

      --
      There are reasons why democracy does not work nearly as well as capitalism.
      -- David D. Friedman
    62. Re:Popcorn anyone? by Ash-Fox · · Score: 1

      I don't think the FOSS community is into making closed source website annoyances.

      --
      Change is certain; progress is not obligatory.
    63. Re:Popcorn anyone? by Anonymous Coward · · Score: 0
    64. Re:Popcorn anyone? by Ash-Fox · · Score: 1

      http://www.mono-project.com/Moonlight
      Nope, not a closed source website annoyance.
      --
      Change is certain; progress is not obligatory.
    65. Re:Popcorn anyone? by mabinogi · · Score: 1

      unless I'm missing some joke.

      You are - it's a quote from the Peter Jackson version of Fellowship of the Ring, in the scene at the Prancing Pony.
      --
      Advanced users are users too!
    66. Re:Popcorn anyone? by reiisi · · Score: 1

      Vista and Windows (NT) <Vista have the same security model.

      So that's why?

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    67. Re:Popcorn anyone? by MobyDisk · · Score: 1

      Finally, while most home systems would certainly be running users as Administrator, most managed corporate systems would not. 90% is a ridiculous over-estimate of how many XP systems only have "Administrator" users.

      Not true. Even today, there is a plethora of Windows applications that require you to run as administrator. That's why Vista has "administrator" and "administrator, but constantly prompt for stuff." However, most managed corporate systems would not have the user running as a Domain Administrator. But they still have enough access to screw up their own PC, and all the network shares that they probably have write-access to.
    68. Re:Popcorn anyone? by drsmithy · · Score: 1

      Not true. Even today, there is a plethora of Windows applications that require you to run as administrator.

      Proportionally, the list is tiny.

      That's why Vista has "administrator" and "administrator, but constantly prompt for stuff."

      No, it has that for the same reason all the other contemporary multiuser platforms have the same concept - security.

      However, most managed corporate systems would not have the user running as a Domain Administrator. But they still have enough access to screw up their own PC, and all the network shares that they probably have write-access to.

      Having worked in several places where the IT infrastructure was an utter shambles but the average user still didn't have local Administrator privileges on their PC, I'm going to have to call bollocks. One of the primary things IT departments like to do is lock down local machines to stop people installing their own crap, which essentially requires not allowing Administrator access. Even the most mediocre IT department will attempt Run-As-Administrator shortcuts or modifications to Registry and filesystem permissions to get specific programs running long before they grant across-the-board Administrator privileges to normal end users.

      I'm also struggling to see how this is any different to other platforms, particularly the "you can modify anything you have write privileges for" problem.

      In short, I wouldn't hesitate for a second in claiming the majority of managed PCs do not allow unsupervised Administrator privileges to local users. Nor would I hesitate in claiming this accounted for >10% of Windows PCs out there.

    69. Re:Popcorn anyone? by HiThere · · Score: 1

      Interesting. I'd never even *thought* of ssh'ing to myself.

      OTOH, I'm not certain that's the real answer. I can su to another user, but when as the other user I try to execute firefox it says:

      (firefox-bin:21096): Gtk-WARNING **: cannot open display:

      Since I'm at that point, as far as I can tell, logged in as that user, and since that user can open GUIs when logged in as himself... It looks more as if X Window won't start up twice (reasonable).

      OK, Just tried:
      ssh user@localhost firefox

      after establishing that localhost was, indeed, a valid host I got
      (firefox-bin:21136): Gtk-WARNING **: cannot open display:

      So that's not the answer.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    70. Re:Popcorn anyone? by jcast · · Score: 1

      Does X work when you ssh remotely? I suspect you forgot the -X flag.

      --
      There are reasons why democracy does not work nearly as well as capitalism.
      -- David D. Friedman
    71. Re:Popcorn anyone? by glittalogik · · Score: 1

      So do elephants. Are you getting one of them too?

    72. Re:Popcorn anyone? by Random+Walk · · Score: 1

      Read the manpage of 'xauth'. It even contains (wonder of all wonders - at least with manpages) an example, which should give you an idea how to write a simple script that will do what you want.

    73. Re:Popcorn anyone? by MobyDisk · · Score: 1

      No, it has that for the same reason all the other contemporary multiuser platforms have the same concept - security.

      I'm not aware of any other system that does this. Everything I've used has administrators, and non-administrators. But not administrators who are only administrators after a secured process has displayed a particular dialog box. In Vista, if I have UAC on and open a command prompt and run WHOAMI it reports that I am "mobydisk." If I then run the command prompt "as administrator" and do a whois -- I'm still "mobydisk". Compare that to Linux: suppose I do something in the control panel and it prompts me for the admin password. Before that I am "mobydisk" and after the prompt I am "root." Vista is the only thing I know of where before and after the user is still "mobydisk"

      Maybe OS X does this? Does any other *nix do this?

      bollocks me, I bollocks you back. :) There is only one place I've ever worked or attended where I was not local administrator. That was UMBC, and they were even doing that back in Windows 95 using some 3rd-party security tools. Every other place runs users as administrator. As for that miniscule list, try Quicken, Quickbooks, and every video game ever made. I've tried to get my family members to use non-admin users for years, and even my attempts in 2007 were thwarted by foolish apps. It is my understanding that Vista has specific workarounds for these apps. Kinda like a list of "Oh, if QB.EXE is running, let it write files with .qdb extensions to C:\Program Files" and stuff like that. Yes, you don't run Quicken or video games in a corporation, but from my home-use experience, it is really the majority of applications that don't work as limited users.

      In short, I wouldn't hesitate for a second in claiming the majority of managed PCs do not allow unsupervised Administrator privileges to local users.

      In short, there are only 2 computers I've ever used that were set up this way: One is the computers at my university, and 2 is my own local desktop. I even get funny looks from people when they find my Windows XP is not running as admin.
    74. Re:Popcorn anyone? by drsmithy · · Score: 1

      I'm not aware of any other system that does this. Everything I've used has administrators, and non-administrators. But not administrators who are only administrators after a secured process has displayed a particular dialog box. In Vista, if I have UAC on and open a command prompt and run WHOAMI it reports that I am "mobydisk." If I then run the command prompt "as administrator" and do a whois -- I'm still "mobydisk". Compare that to Linux: suppose I do something in the control panel and it prompts me for the admin password. Before that I am "mobydisk" and after the prompt I am "root." Vista is the only thing I know of where before and after the user is still "mobydisk"

      It's because of the different security models. In UNIX, you "become" a user that has higher privileges. In Windows NT/Vista, your actual user account is temporarily granted the necessary privileges (or you can also "become" them with RunAs, but that is an inferior technique).

      In short, the low-level details are (very) different, but the high-level theory, objective and results are the same.

      As for that miniscule list, try Quicken, Quickbooks, and every video game ever made.

      Quicken and Quickbooks I can't speak for, but lots of games run as a regular user. Even for the ones that don't, it's for simple reasons that are trivially addressed on a per-case basis (eg: Doom 3 writes to a config file in Program Files - if you make that one file writable, it works fine as a regular user - what's particularly stupid is the Linux port *doesn't* do this).

      I've tried to get my family members to use non-admin users for years, and even my attempts in 2007 were thwarted by foolish apps.

      I've been running NT as a regular user since ~1997. Now, while I don't for a second think the average home user could have done this, I know that most IT departments _could_. The vast, vast majority of problems are related to applications writing to (or sometimes just opening RW) a small number of filesystem and Registry locations. Modify the permissions on those and the app works, with no need for the "always run as Administrator" sledgehammer.

      It is my understanding that Vista has specific workarounds for these apps. Kinda like a list of "Oh, if QB.EXE is running, let it write files with .qdb extensions to C:\Program Files" and stuff like that.

      It's a bit more involved than that. Vista intercepts writes to "illegal" places and redirects them to a "virtual" Registry and filesystem. It's a great way to implement "proper" security without breaking all the existing apps.

      Yes, you don't run Quicken or video games in a corporation, but from my home-use experience, it is really the majority of applications that don't work as limited users.

      I don't run into many problems running as a non-Admin these days. Maybe 5 years ago a "majority" of applications were badly broken, but not any more. Even for those that are, ten minutes with filemon and regmon should allow even semi-competent IT staff to fix 90% of problems.

  3. Software sucks. by Anonymous Coward · · Score: 5, Interesting

    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!

    1. Re:Software sucks. by Anonymous Coward · · Score: 3, Insightful

      What's so dumb about pointing out the pathetic state of software security and the incompetence of programmers?

      Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?

      I guess comments like yours explain exactly why our software sucks.

    2. Re:Software sucks. by daeg · · Score: 2, Informative

      Flash does more than just paint - it (unfortunately) can upload files, attach to USB devices (webcams), etc.

    3. Re:Software sucks. by Allador · · Score: 1

      The contest didn't require you to do any damage to the system.

      The contest required that the attack be able to read a file 'somewhere' on the OS.

      Unfortunately, they don't tell us where that file was, or what the ACLs on it were, so it's hard to make any sort of sane judgement about it.

    4. Re:Software sucks. by robo_mojo · · Score: 3, Insightful

      While flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.

      Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.

      Software will suck as long as speed is more important than correctness.

    5. Re:Software sucks. by Walter+Carver · · Score: 1

      Erm... not quite... I am running Firefox 2 on Linux and I have Flash 9 installed, it's 7.8M:

      -rwxr-xr-x 1 walter users 7.8M 2007-11-21 01:24 libflashplayer.so*

  4. Hey! by spectrokid · · Score: 4, Funny

    it was Adobe's fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!

    --

    10 ?"Hello World" life was simple then

    1. Re:Hey! by AioKits · · Score: 1

      it was Adobe's fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!

      Done and done!
      ...
      Errr, know of any site using Silverlight for something useful?
      --
      "Quote me as saying I was mis-quoted." -Groucho Marx
    2. Re:Hey! by Anonymous Coward · · Score: 0

      I don't see why the test includes third party software.
       
      BTW, what happened, they set up each laptop with a web browser open that constantly refreshed a site that would display whatever the "hackers" were sending to it? Cause that's just a browser security test. I thought we were testing OS security here...

    3. Re:Hey! by calebt3 · · Score: 5, Informative

      I don't see why the test includes third party software.

      Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.
    4. Re:Hey! by PRC+Banker · · Score: 1

      I don't see why the test includes third party software.

      Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.


      Because a 0day exploit is potentially worth a lot more than $10,000?

      Those that could really crack the system have a lot more in rewards than a sticker.
      --
      Oh.
    5. Re:Hey! by morethanapapercert · · Score: 4, Insightful
      Errr. know of any site using Flash for something useful?*

      *Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    6. Re:Hey! by uglyduckling · · Score: 1

      youtube? - lets you view TV shows you missed, see humorous home videos...

    7. Re:Hey! by Anonymous Coward · · Score: 0

      So then all OSes are completely secure?

    8. Re:Hey! by HappySmileMan · · Score: 1

      There were no exploits found within a day or two of near constant testing by many people, that does say a lot for security, but Mac can be hacked by a user running default web browser (safari) and Vista can be hacked by user using flash (which almost everyone uses regularly, whether they choose to (youtube) or not (ads)).

      So if you consider that to be a secure OS then yes. But exploits in default programs or some of the most popular third party apps that allow a system to be taken over still worry me. (Except I use Kubuntu)

    9. Re:Hey! by Anonymous Coward · · Score: 0

      No, an OS that can be pwned through a vulnerability in a third-party app is not secure.

      There are two stages to pwning a computer: first you need to find a way to run your code on it, and then your code has to get itself the right privileges to do your evil bidding. Merely getting your code running (through vulnerabilities in e.g. Safari or Flash) is no use unless there is then a vulnerability in the OS itself that your code can exploit to pwn the whole computer.

    10. Re:Hey! by FuzzyDaddy · · Score: 1
      --
      It's not wasting time, I'm educating myself.
  5. Newsworthy? by MisterFuRR · · Score: 4, Insightful

    I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

    1. Re:Newsworthy? by call-me-kenneth · · Score: 5, Insightful

      Hint: script kiddies don't tend to have 0day in the real world.

    2. Re:Newsworthy? by tolan-b · · Score: 3, Informative

      They created their own exploits.

    3. Re:Newsworthy? by kripkenstein · · Score: 5, Informative

      I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

      Hmm, I disagree.

      First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

      Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

      I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).
    4. Re:Newsworthy? by Anonymous Coward · · Score: 0
      Could've happened to any OS -- Ubuntu included

      It's no surprise that the Microsoft box got pwned.

      What is surprising is how the volume and shrillness of their online apologists increases in direct proportion to their decline.

    5. Re:Newsworthy? by Anonymous Coward · · Score: 5, Funny

      In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Yeah, they're open source and of dubious quality.
    6. Re:Newsworthy? by Anonymous Coward · · Score: 1, Interesting

      I couldn't find answers to my questions on the links, although I'm probably not looking hard enough.

      The aim of the contest was to read a specific file on the system. What I was wondering is what permissions that file had? Was it only readable by root? I'm assuming not, but if so what are default settings like in Vista (I've never used it)? Does it by default make the user not run as administrator? After all Linux's claim to be immune from malware stems from the idea that the user has such restricted access and if root is not required in this competition it's perhaps a realization that for a desktop user a lot of damage can still be done as only the user.

      Obviously this will result in a lot of Microsoft and Apple bashing, and as a long time Linux fan I'm rather smug, but I think it's worth noting that Adobe Reader is cross platform so there is a chance that the vulnerability is not unique to Windows - it may not be Microsoft's fault at all.

      To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here). Perhaps because most of Ubuntu's apps are open source more vulnerabilities are spotted by the good guys which would be especially important in a competition like this where 0day exploits are the aim?

      On a positive note I think it's a good thing to note that the days of a clean install being exploited in a few minutes once connected to the internet seem to be fading.

    7. Re:Newsworthy? by gbickford · · Score: 2, Insightful

      This small focus group of participators are not script kiddies. They publicly represent the people that do not want a public representation and do not want their unknown exploits exposed to the public eye for the mere price of a laptop or even a $10,000USD cash prize. The lurkers want bot nets and relay servers. The unseen want to be able to bend the entire internet. This information is only worth money if people do not know it.

      The people that participate in this are like magicians selling their secrets at a bus stop.

      This isn't like a McAfee vs Norton contest. The "the total end point security" which you reference is nowhere near contextual. This is a how much are black hats willing to give up for chump-change contest.

    8. Re:Newsworthy? by Anonymous Coward · · Score: 0

      More concisely, this wasn't a test or proof of security, it was a test/proof of insecurity. The result is not "Ubuntu Linux is secure"; the result is "MacOS X - not secure; Windows Vista - not secure; Ubuntu Linux - no result".

    9. Re:Newsworthy? by Henry+V+.009 · · Score: 5, Interesting

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
      Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

      And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
    10. Re:Newsworthy? by CastrTroy · · Score: 1

      I believe that a lot of people would be happy to slap that on a resume. It could be quite useful in getting nice job.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    11. Re:Newsworthy? by spitzak · · Score: 1

      Translation: "sandbox mode" == "seteuid"

    12. Re:Newsworthy? by Daimanta · · Score: 4, Funny

      Haven't you heard, there is a new tool for scriptkiddies. It is called sub8 and it's got a "get 0days" mode. I'm running it all day. I am now targeting 127.0.0.1 and I think it is going to be done any min[CARRIER LOST]

      --
      Knowledge is power. Knowledge shared is power lost.
    13. Re:Newsworthy? by Deanalator · · Score: 1

      Tipping point is in the business of buying 0day. They like to know who has it, and what can be done with it. That is all that is really going on here, but with the added media circus for some nice cheap publicity.

    14. Re:Newsworthy? by Anonymous Coward · · Score: 0

      Apologists of any side will whine a great deal when there comes proof that their view is the shitty one.

      Should anyone be surprised that MS and Apple fanboys and apologists are going to practically start a riot over a clean experiment? I note here that the Linux box wasn't compromised. Doesn't that say a great deal? Sure, it's not completely secure, what is? But the fact that an open system was able to beat the shit out of a closed source, expensive system tells me a lot.

    15. Re:Newsworthy? by try_anything · · Score: 4, Insightful

      To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here).
      Users follow the normal path of least resistance established by the platform. Users' first tendency is to use the apps that are installed by default, which means mostly open-source apps on Linux and closed-source apps on Windows. When an appropriate application isn't installed, consumer-targeted Linux distributions help steer users toward good open-source applications. Under Windows, you usually end up installing a closed-source application suggested by a web site. Windows application security depends not just on closed-source software but on users' ability to evaluate the credibility of web sites and spot spoofed web sites (like the ones used for phishing, but used for distributing malware instead). Under Linux, those skills are still important, but since the normal method of installing software is to download packages maintained by the distribution, users will be more likely to pay special attention when installing software from other sources.

      In sum, what this means is that Windows systems depend heavily on closed-source software and the judgment of individual users, both of which are less secure than the community-oriented "more eyes" approach taken by open-source Linux distributions.

    16. Re:Newsworthy? by canuck57 · · Score: 1

      I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

      While you are correct, it could have happened to any box...ponder this thought.

      I guess Vista's process separation isn't so separate after all. Maybe on Ubuntu process separation did work. Trouble is if you try to go out of process bounds in Linux, you will get an exception and the OS will terminate the process.

      In Vista, they must have found a way to get out of the flash process space, into the OS without the Cancel/Allow Continue/Cancel prompts to control the box. Then they have the systems. Remember, they have to do more than just crash or execute a few bytes, they must pwn the system.

      Looks like Vista has similar holes to its predecessors. Go figure.

    17. Re:Newsworthy? by Allador · · Score: 1

      In Vista, they must have found a way to get out of the flash process space, into the OS without the Cancel/Allow Continue/Cancel prompts to control the box. Then they have the systems. Remember, they have to do more than just crash or execute a few bytes, they must pwn the system.

      Not necessarily.

      The way to win the contest was not to modify the system, but to read the contents of 'some file' 'somewhere' in the OS (but they don't publish where that is, or what file system ACLs it has set).

      Depending on where that is (ie, browser cache) then this may be a trivial contest, but I doubt if that was the case.

      They also didn't publish whether Flash was owned through firefox or IE7, and if IE7 whether it was on a site in Trusted Zone or Internet zone.

      Flash on Firefox is probably the easiest attack vector, as IE7 in 'Protected Mode' is pretty well sandboxed.
    18. Re:Newsworthy? by HiThere · · Score: 1

      dala1:~/downloads/D$ man seteuid
      No manual entry for seteuid

      Is seteuid some MSWind specific call? Or is it a typo for setuid? Or is it something else?

      I'm not now and never have been an MSWind system programmer. (I'll admit to a bit of MSAccess, though...but that was long ago.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    19. Re:Newsworthy? by MobyDisk · · Score: 1

      Does the article say that? It hints at it, but I don't see how someone discovered and exploited a totally new zero-day exploit in a closed-source product during the process of this competition.

    20. Re:Newsworthy? by ais523 · · Score: 1

      You must be using Debian, or some other Linux or UNIX-like distribution that doesn't contain chapter 2 of the manual by default. It's a syscall, not a command.

      $ man 2 seteuid
      "seteuid() sets the effective user ID of the current process. Unprivileged user processes may only set the effective user ID to the real user ID, the effective user ID or the saved set-user-ID."

      Setting the real UID as well as the effective UID would strike me as being a better way to drop permissions, but unfortunately you need enhanced permissions to do that in the first place. I suspect the sandboxing idea was something like running a process as setuid to a user of lower permission than yourself (which gives you a lower effective UID than real UID), using your real UID to open the window and then using setreuid (also in section 2 of the manual) to set your real (normal user privileges) UID to your effective (low privileges) UID, which is irreversible on that execution of the program without knowing a user or root password.

      Unfortunately, doing this requires changes to the source code of the browser if the relevant code isn't there already, because the UID changes have to be after the browser opens. However, doing it that way doesn't require root permissions to be involved anywhere, just for the browser executable to be setuid (some low-permissioned account). (I suspect things aren't done this way by default because users don't want to have to type in their own password just to be able to upload files.)

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
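
The difference between the reversible seteuid() switch and the irreversible setreuid() drop described in the comment above, as an added C example that is not part of the thread or of any browser's code. The two UIDs are constructed values, and the helper names are hypothetical; the simulation needs root only to recreate the state a set-uid binary starts in (real UID = user, effective and saved UID = low-permission account).

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed UIDs for the demonstration; they need not exist in /etc/passwd. */
#define DEMO_USER_UID 1000   /* the person who started the program */
#define DEMO_LOW_UID  65534  /* low-permission account owning the set-uid binary */

/*
 * Irreversible drop: make real, effective and saved UID all equal to the
 * current effective UID, then prove the old real UID cannot be regained.
 * Returns 0 on success, -1 if the drop failed or turned out to be reversible.
 * Group IDs are not touched because the comment only discusses UIDs; a
 * production drop also changes supplementary groups and the GID first.
 */
int drop_to_effective_uid(void)
{
    uid_t old_real = getuid();
    uid_t low = geteuid();

    /* On Linux, setting the real UID this way also overwrites the saved UID. */
    if (setreuid(low, low) != 0)
        return -1;
    if (getuid() != low || geteuid() != low)
        return -1;
    /* Do not trust the return code alone: try to go back and expect failure. */
    if (old_real != low && seteuid(old_real) == 0)
        return -1;
    return 0;
}

/*
 * Runs the scenario in a child process so the caller's own UIDs stay intact.
 * permanent == 0: only the effective UID is switched (seteuid).
 * permanent != 0: drop_to_effective_uid() is used.
 * Returns 1 if the user's UID could be regained afterwards, 0 if it could
 * not, and -1 if the start state could not be simulated (not root).
 */
int user_uid_regainable(int permanent)
{
    int status, code;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Recreate the set-uid start state: real = user, effective = saved = low. */
        if (geteuid() != 0 || setreuid(DEMO_USER_UID, DEMO_LOW_UID) != 0)
            _exit(2);
        if (permanent) {
            if (drop_to_effective_uid() != 0)
                _exit(3);
        } else {
            /* Act as the user for a moment, then switch the effective UID back. */
            if (seteuid(DEMO_USER_UID) != 0 || seteuid(DEMO_LOW_UID) != 0)
                _exit(3);
        }
        /* What injected code would try next: become the user again. */
        _exit(seteuid(DEMO_USER_UID) == 0 ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    code = WEXITSTATUS(status);
    return (code == 0 || code == 1) ? code : -1;
}

int main(void)
{
    int temp = user_uid_regainable(0);
    int perm = user_uid_regainable(1);

    if (temp < 0 || perm < 0) {
        puts("run as root to simulate the set-uid start state");
        return 0;
    }
    printf("after seteuid() only:     user UID regainable = %d\n", temp);
    printf("after setreuid(low, low): user UID regainable = %d\n", perm);
    return 0;
}
```
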
    21. Re:Newsworthy? by ChocoboKnight · · Score: 1

      It was Safari, not Firefox.

    22. Re:Newsworthy? by HiThere · · Score: 1

      Right on the first bounce. Debian.

      I eventually found it after I looked up setuid, and found that *it* didn't have a man page either, so I knew I needed to look elsewhere. I'd just never heard of seteuid before. I'm still not exactly sure what its purpose is. setuid makes sense. I guess I need to study a bit more, and either I'll eventually figure out why it's needed, or I'll decide it doesn't have anything to do with the kind of things I do.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  6. Re:Twofo is dying is dying by Skeetskeetskeet · · Score: 0

    Zeus sucks cock???? To quote Burgess Meredith...."BY THE GODS!!!"

    --
    Yeah, my karma sucks....but so do the mods.
  7. What did you expect? by lilomar · · Score: 3, Insightful

    So Linux is more secure than Windows? What else is new?

    --
    The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
    1. Re:What did you expect? by X0563511 · · Score: 1

      Apparently it's also more secure than OS:X.

      Personally, I don't give a damn, as anything that I personally own and use is going to be secured regardless. I know better than to trust out-of-the-box security. I have a squishy thing in my head I've heard some call a brain - as weird and unusual as it sounds, I use it.

      You try hard enough, you can lock Windows down. Linux - even easier to do so. OS:X - I assume so, but not having used it more than passingly, I can't say for sure.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:What did you expect? by Allador · · Score: 4, Informative

      A couple things to note of interest:

      1. The contest did not require someone to 'own' the box to win. They just had to read the contents of some specific file somewhere in the OS. Unfortunately, they didn't publish where that file was, or what the file-system ACLs on it were.

      2. The guy who took down the Vista box claimed in the article that it would only take them a few more hours of work to make the Flash vuln effective on OSX and Linux as well.

  8. It is becoming more clear every day by zappepcs · · Score: 2, Interesting

    that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows. (Car analogy) It's like seeing Kia in a road rally, sort of surprising but after a couple of years competing people begin to just accept that they have the balls to keep it up and to compete.

    Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule ?

    1. Re:It is becoming more clear every day by ketilwaa · · Score: 5, Funny

      Are you comparing GNU/Linux to Kia? Kia?!? KIA?!? If I see you on the road I'll be slamming into you with my Ubuntu Yugo, so watch out!

    2. Re:It is becoming more clear every day by zappepcs · · Score: 1

      If I could mod you funny I would LOL... didn't mean to compare to kia, just that the juxtapositions of both in their respective arenas is similar

    3. Re:It is becoming more clear every day by fast+turtle · · Score: 1

      Go right ahead and we'll see how many of the big 3 Windows boxes crash with you and don't forget the odd Pinto that explodes, the Explorer that rolls over and such

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    4. Re:It is becoming more clear every day by El_Isma · · Score: 1

      "that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows."

      That's what a person with a Windows background would think. Actually, the hacker niche has always preferred Linux (or other unixes).

    5. Re:It is becoming more clear every day by shaitand · · Score: 1

      Actually what is surprising is that windows is allowed into the competition not the other way around. Linux has been the preferred platform of hackers and power users for a long time. Windows power users would qualify as average level Linux users, and Mac power users would qualify as mid level windows users (sorry mac guys, you can do more than the average windows user but only because the mac does it for you, you still don't actually know anything about the technology and underpinnings).

      In this case, Ubuntu would be the muscle car, the mac might be a vw bug, and the windows box would fit in well as a kia. Of course pre-OSX Macs would have fit better as caddies, comfortable and leisurely but slow and inefficient.

    6. Re:It is becoming more clear every day by mollymoo · · Score: 1

      Nice repetition of groupthink. Have you actually, you know, used all three as a desktop system for a reasonable period? I have (except Vista, I stuck with XP and no job has forced me to use it so far).

      My Mac gives me a bash shell (which I use), source for the kernel (which I've only ever wanted to once - mostly stuff just works and works the right way) and configuration files I can read with a text editor (which I have used, but the plist editor, an XML editor or the defaults CLI system are nicer). I write code in whatever language I fancy, run Apache with whatever modules I fancy and use the supplied GCC to build my cross-compilers and have scripts do my system administration tasks for me. That's all the same stuff I do on my Linux boxen, but I don't have to fuck about making WiFi, suspend/hibernate and other basic things work. I admit that NetInfo isn't the greatest, but for a desktop I hardly ever have to use it - I can only remember using it for setting up NFS automounts and changing my UID (again for NFS).

      Can you give me an example of something I might actually want to do (I don't want to rewrite my GUI, thanks, I just want one which works fairly consistently) which I can't do on my Mac?

      --
      Chernobyl 'not a wildlife haven' - BBC News
    7. Re:It is becoming more clear every day by Anonymous Coward · · Score: 0

      Can you give me an example of something I might actually want to do (I don't want to rewrite my GUI, thanks, I just want one which works fairly consistently) which I can't do on my Mac?
      Yes.
    8. Re:It is becoming more clear every day by shaitand · · Score: 1

      'Have you actually, you know, used all three as a desktop system for a reasonable period?'

      Yes. Although I only managed to stomach a Vista workstation for about three months. XP and others I have used for a period of years.

      'Can you give me an example of something I might actually want to do (I don't want to rewrite my GUI, thanks, I just want one which works fairly consistently) which I can't do on my Mac?'

      How could I do that? I don't even know you. More to the point, what do YOUR desires and wants have to do with the conversation? I'm confident you will find that nobody much cares what you do or don't enjoy doing on your computer and your personal desires have no relevance to the issue at hand.

    9. Re:It is becoming more clear every day by mollymoo · · Score: 1

      I was using myself as an example of a generic hacker / power user (as far as such a thing exists), substitute that for "I/me". My point is that I've not found anything that isn't possible, except hacking the GUI layer, on OS X that is possible on Linux. I was just looking for a concrete example of why you claim Linux is a better choice. From all my own experience and from reading the experiences of others I haven't found much in the way of concrete examples, it's all hyperbole, which is exactly what your complete-with-car-analogy post was.

      Here are some concrete examples of why OS X is better:
      WiFi works and works properly
      Suspend/hibernate work and are fast
      Desktop applications don't have interdependencies
      Can use industry-standard commercial applications (Office, Photoshop...) or FOSS alternatives
      Parallels is the nicest VM implementation for desktop use I've seen
      Whatever the reasons, people don't seem that interested in hacking it
      HFS+ (self-optimizing on-disk format, useful metadata...)
      Fast, pervasive desktop search

      That's just 10.4, I've not tried 10.5 yet. File versioning and ZFS support sound pretty pleasant though.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    10. Re:It is becoming more clear every day by shaitand · · Score: 1

      'I was using myself as an example of a generic hacker / power user'

      And you fail to see why that is a rather bold and arrogant assumption? I do not assume I speak for all the other hackers and power users out there but I don't recall casting a vote for you as representative of the interests and needs of the group.

      'Here are some concrete examples of why OS X is better:'

      uh huh

      'WiFi works and works properly'

      I have never had issues with wifi on Linux. As for properly, what is proper? How should my wifi behave? Beyond works, the word properly becomes hyperbole.

      'Suspend/hibernate work and are fast'

      I thought you called yourself a hacker? On a desktop the best thing you can do with suspend is disable it.

      'Desktop applications don't have interdependencies'

      In other words, they are inefficient. Linux package management has made the problems that come with dependencies a thing of the past, leaving only the benefits.

      'Can use industry-standard commercial applications (Office, Photoshop...) or FOSS alternatives'

      You can use a small subset of those applications, just as I can use under Linux. Of course, with a few recent exceptions I am going to have a more consistent and positive feel when using those FOSS applications or the commercial alternatives.

      'Parallels is the nicest VM implementation for desktop use I've seen'

      It's good that you rate your opinion so highly.

      'Whatever the reasons, people don't seem that interested in hacking it'

      A self-appointed representative of power users and hackers who views a lack of interest in hacking the platform as a positive, fascinating.

      'HFS+ (self-optimizing on-disk format, useful metadata...)'

      All the modern fs on Linux are self-optimizing. Lots of metadata is interesting, it's one of the most hyped forms of bloat and inefficiency used today.

      'Fast, pervasive desktop search'

      Yawn. I have fast search available to me on any platform and have for years. It's a much touted, pervasive, and highly overrated feature. Most of us don't have any trouble finding our information. As for other information, Google is far superior to anything mac specific.

      There is no question that Macs have come a long way but they have borrowed it all from the *nix world. Pretty well every Mac feature that would appeal to a hacker or power user is borrowed from the *nix world. When you take it away you are back to OS 9, a pretty, intuitive, and simple gui that is great for certain users but frustrating to power users.

      On the other hand, there are a number of advantages to Linux. First of all, you can run it on damn near anything, it is a versatile and flexible tool. Although you want to isolate the conversation to desktops, it would be remiss to ignore the fact that you can spend each day working on a platform and gaining familiarity with the same tool that will upgrade your router and turn your xbox into a wireless multimedia system that streams music and video from your fileserver regardless of platform or protocol. I can use one system for kiosks, consoles, servers of all kinds, and desktops and be using a top 3 solution in all those applications (and in most cases the top solution).

      Using a Linux system I also have a dramatically larger supported hardware base. I can customize and configure my system as I please when I please. I am not limited to a single configuration that made sense at purchase time. You might find programmers buying a proprietary PC but actual power users and hackers hack the hardware as well as the software. Your options are rather limited in the Mac world these days, even if Macs would be better called IBM PC's now.

      If my motherboard fails in my Linux desktop, I can literally grab one of a half dozen varied boards out of the closet and toss it in the system. In most cases no change would be needed, and at most a quick boot with a rescue disc and changing two files will restore everything to operating just as if nothing happened. Anyone who works with a lot of PC's will have parts that will get the job done. A Mac user is pretty much out of luck unless he has Apple's replacement on hand.

    11. Re:It is becoming more clear every day by mollymoo · · Score: 1

      Plugging together a machine from commodity parts is hardware hacking? Ha ha, you are funny. Really you are.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    12. Re:It is becoming more clear every day by shaitand · · Score: 1

      It's a level of hackability the mac lacks.

  9. I think it is most fitting... by Provocateur · · Score: 4, Funny

    ...that we christen the unharmed laptop 'Cowboy Neal'

    --
    WARNING: Smartphones have side effects--most of them undocumented.
    1. Re:I think it is most fitting... by X0563511 · · Score: 1

      Can we name one of the broken ones "Cowboy'ed by Neal?"

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. Re:Let me get this straight by calebt3 · · Score: 4, Informative

    It comes with $20,000, $10,000, or $5,000, depending on what day you hacked it. The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000 since it was cracked later. And you can always install *nix.

  11. Re:Let me get this straight by Anonymous Coward · · Score: 5, Funny

    For some time now OS of personal computers does not reside in ROM and can be changed to a different one with ease. The miracles of technology!

  12. Re:Let me get this straight by ceejayoz · · Score: 3, Informative

    The laptop isn't insecure, the attacks are taking place against the operating system (and in all three cases, against specific applications - none of the three were hackable without the user taking certain actions).

  13. Re:Let me get this straight by spectrokid · · Score: 4, Funny

    If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?

    Euuuuh.... to install Linux on it?
    --

    10 ?"Hello World" life was simple then

  14. Re:Let me get this straight by SargentDU · · Score: 1

    When you get it, you secure it. Sheesh, you should know that already. What is with your silly question? You do not want it, give it to me and I will secure it.

  15. Re:Let me get this straight by Anonymous Coward · · Score: 0

    ...so you can put Ubuntu on it?

  16. Re:Let me get this straight by Anonymous Coward · · Score: 0

    They're all x86 laptops, so you can just install Ubuntu on whichever one you win.

  17. Re:Let me get this straight by Anonymous Coward · · Score: 0

    Please send all your insecure belongings to me. It might be hard to move the house but if it's nice you can just send me the keys and the address and I might move in. I'll take good care of your insecure car(s), bicycle(s) and computer(s).

  18. Re:Let me get this straight by Ripit · · Score: 1

    If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?

    You forgot the part where you link to a laptop that's secure. I'll be waiting right here.
  19. Something is Fishy by ThinkFr33ly · · Score: 5, Informative

    If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

    Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privilege elevation exploit in Windows simultaneously.

    I didn't see them specify in the article what browser they were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

    Furthermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privilege elevation in Windows.

    So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

    I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

    Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.

    1. Re:Something is Fishy by Utopia · · Score: 1

      As I understand, UAC/protected mode only protects critical areas like windows system areas and program files.
      I am guessing the file for the contest was stored in a non-critical area.

    2. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Informative

      That is not correct. Protected Mode's low rights user has virtually no access to the system.

      Unless that file was specifically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.

    3. Re:Something is Fishy by Rary · · Score: 3, Insightful

      This says absolutely nothing about Vista security.

      Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    4. Re:Something is Fishy by Utopia · · Score: 1

      Really? I was under the impression that protected mode does allow user file reads even in low-rights mode; but prevents writes or directory traversal etc. (So you have to know the filename & path beforehand to read it)

    5. Re:Something is Fishy by benjymouse · · Score: 5, Informative

      Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.


      You are right that plugins by default run under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

      And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this brokerprocess and thus breaks out of the sandbox.

      The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehow connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

      Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* then yet another level of security had been broken (UAC). But at this time we can't really determine.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    6. Re:Something is Fishy by Anonymous Coward · · Score: 0

      WOW. I absolutely hate flash and refuse to use it and you've just given me even more proof that I made the right decision. Thanks.

      If what you say about Flash's architecture is correct then these people need to be taken out back and beaten with a rubber hose. This is so obviously a crap idea.

    7. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Informative

      No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory, a few others under the user's profile), but has absolutely no access to virtually anything else... especially the user's documents.

      A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.

    8. Re:Something is Fishy by Erikderzweite · · Score: 2, Interesting

      >If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

      You are wrong, I fear. The rules were that each OS had its default configuration. Check http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 for details. So, if the protected mode is turned on by default - it was turned on during the contest.
      Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of contest you were able to install other browser too.

      And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was linux laptop still standing then at the end of the day?

    9. Re:Something is Fishy by spisska · · Score: 2, Interesting

      If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

      This logic reminds me of the sysadmin where I work. She (not a typo) apparently doesn't know how to properly configure an Exchange server, so she's limited everybody's email boxes to 250 MB. Since I regularly have to deal with attachments -- large spreadsheets, presentations, csv lists, etc, and often have to go back months to find a specific mail to answer client questions, 250 MB is not sufficient.

      I pointed all this out to her, as well as the fact that I haven't seen limits like this anywhere since the early 2000s. I also suggested, not seriously, that I should store all my mail on the unused part of my ipod, or autoforward it all to my gmail account.

      Rather than seeing the absurdity, she responded that it was "not possible" to forward mail to gmail (or yahoo, hotmail, hushmail, etc) because she had set up rules preventing this. It took all of five minutes to set up a new gmail account and begin forwarding, complete with properly configured reply-to headers.

      I sent her screenshots. She still says it's not possible because that's not how it's supposed to work.

      The moral is that with most MS software, what it is supposed to do or not do has little bearing on what it will do when you know how to ask. Just because something should not happen -- e.g. your assumption that IE7 would not allow an exploit in its standard, protected mode, does not mean that it can't happen or won't happen.

      It seems to me that the entire UAC model is little more than a bolt-on that does nothing to address the structural insecurity of Windows. It's like a house with an iron gate and stone wall along the street. But the wall only extends 15m in either direction. Walk around the wall and there's nothing. With *nix, you get a wall around the whole yard by default. Along with the option to put in a moat filled with sharks. With lasers strapped to their heads. Now that's the kind of 'fishy' poppa likes.

    10. Re:Something is Fishy by benjymouse · · Score: 3, Informative

      And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was linux laptop still standing then at the end of the day?
      The rules specifically say that 1) if the exploit was cross platform the same exploit could not be used for another platform and 2) the same person cannot win 2 prizes.
      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    11. Re:Something is Fishy by Zedekiah · · Score: 1

      Not quite, it still says what many slashdottians have been saying for some time; Ubuntu is better

      --
      What I wouldn't do for the ability to mod "-1, Plain Wrong"
    12. Re:Something is Fishy by Anonymous Coward · · Score: 1, Insightful

      ...only finally fell when the contest organizers modified the rules...
      People in both CanSecWest threads have been saying this a lot, but it's not true. The only time they "modified" the rules was before the contest began--largely to increase the cash prizes. The tiered rules and prizes were planned in advance--it's not like they said, "gosh, nobody 0wned any of these machines yet--we better make things easier." When the contest started, the plan was three days with different rules/prizes on each day. Details.

      -JD
    13. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      Well, I'm not sure how to reply to this. You're suggesting that I came to my conclusion because I assume that Microsoft's software is perfect. I did not. If you had read my entire post, you would have quickly realized this.

      The fact that they specifically stated the exploit was in Flash, and did not mention any major compromise of protected mode or privilege escalations, suggests that there were none.

      So what is more likely: the people running a high profile hacking contest didn't mention that the Vista machine was compromised not due to a single Flash buffer overflow, but instead a series of huge exploits in both Protected Mode and the Windows security subsystems. Or that the people running the high profile hacking contest neglected to mention that they were using Firefox.

      So next time you feel like talking down to the poor deluded Microsoft defender, try examining your own logic a bit first.

    14. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Insightful

      Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.

      See the following: background info, and most of this post deals with UAC.

    15. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      I never suggested that they turned off UAC or Protected Mode. I find that very unlikely, as it would be blatantly unfair to Vista.

      I said it's more likely that they simply used Firefox in the case where the machine was compromised. The rules stated that they installed "popular" 3rd party applications, and Firefox would certainly qualify as popular.

    16. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      I was not aware that Flash did this. This would certainly explain how it was possible without resorting to using Firefox, or some other browser, as the host for Flash.

      Can you post some documentation that details this? It must be new for the Vista/IE version of Flash, since I can't think of any reason why they would have done this pre-Vista.

    17. Re:Something is Fishy by Anonymous Coward · · Score: 0

      I guess they used safari for windows :)

    18. Re:Something is Fishy by benjymouse · · Score: 4, Informative

      Read the exchanges on the ieblog here: http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx. It also contains links to documentation.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    19. Re:Something is Fishy by david_thornley · · Score: 3, Insightful

      Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    20. Re:Something is Fishy by benjymouse · · Score: 5, Interesting

      I just wanted to add this: On my Vista x64 I have a service called "FlashUtil9e.exe - Adobe Flash Player Helper 9.0 r115". That's the broker process.

      It is running as *me*, with my rights. Not for long now, though. Bye Flash.

      Oh, and there's also an "Acrotray.exe" - from the same company. Guess what that does?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    21. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      Wow. Now I hate Flash even more than I did before.

    22. Re:Something is Fishy by recoiledsnake · · Score: 1

      Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of contest you were able to install other browser too.

      Isn't that sort of a contradiction? The parent meant they might have used a third party browser on the third day. Then you say they were using the default browser... except on the third day. What's your point again? I don't get it. You simply say what your parent's saying, except in a confusing way that can be misunderstood as if they were using only the default browser on the third day.
      --
      This space for rent.
    23. Re:Something is Fishy by Anonymous Coward · · Score: 0

      How can you assume that they were not using IE7 just because they allowed Adobe products to be installed? You conclude that it "could not have happened" on IE 7 therefore they must have used another browser. Maybe they were using IE7 and found an exploit with Flash you didn't think of? I can see you asking a question about the browser, but not asserting your assumptions "must" be fact. No one can really explain away what happened unless we know more about what 3rd party applications were allowed.

    24. Re:Something is Fishy by Darundal · · Score: 1

      Slashdottians? Wouldn't that be Slashdotters?

    25. Re:Something is Fishy by recoiledsnake · · Score: 4, Insightful

      I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit. UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux(default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash(or in Firefox) from shitting all over your user directory?

      UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com

      Contrast that to IE7 on Vista. Read this. It's in part an implementation of the Biba security model. So a similar vulnerability in IE7 or any of its plugins (including Flash) will only be able to work in a sandbox that prevents access to anything but low risk files like temporary internet files.

      From the linked article:

      Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7's Protected Mode leverages Windows Vista's UAC, MIC and UIPI features to boost browser security. In IE7's Protected Mode, which is the default in other than the Trusted security zone, the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

      So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari OR it must have been run on IE7 and broken through the sandbox (quite possible, but the news shouldn't be about not only an exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.

      My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door.

      I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.
      --
      This space for rent.
    26. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      No. The fact that they specifically stated the exploit was in Flash suggests the exploit, or exploit vector, was in Flash. Everything else you mention is purely assumption.

      That makes no sense. The people who write these exploits aren't stupid. They aren't going to target an attack vector that has multiple layers of protection unless they've already figured out ways around that protection. Targeting a buffer overflow in an application running with low privs would be useless unless you've already figured out a way to elevate the privileges of that user.

      These are not assumptions. These are facts. If the team that performed the hack found multiple exploits, they would have stated as much. For you to say they would not have is ridiculous. In fact, it was part of the rules that they explain exactly how the hack was performed.

      Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit.

      Huh? What does this have to do with the baggage of Windows' history? Seems to me that you are the one making assumptions.

      UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      You do realize that this has nothing to do with UAC, right? The file in question was accessible by the user running the browser. It didn't require admin privs. Protected Mode and UAC are two entirely different things. I'll assume, for the moment, that you're no longer talking about Protected Mode, IE, and this exploit and instead have switched topics to my blog posts regarding Windows' history and why UAC is necessary.

      You obviously didn't understand my blog posts because UAC being necessary has nothing to do with any deficiencies in Windows with regards to the ability to "compartmentalize users". The fundamental security model behind Windows is every bit as capable (and, indeed, more advanced in many ways) as Linux. The problem is that there were two distinct branches of Windows: NT and 9x. When these two branches were merged, it was absolutely necessary to ensure that the 9x software ran on the NT-based versions of Windows.

      As I mentioned in my blog post in great detail, it was this support for legacy software that resulted in Windows defaulting to admin on XP, and eventually to Vista needing UAC. UAC is, for the most part, a compatibility mechanism, not a security boundary.

      In fact, the only big difference between UAC and the way the Mac handles this is that the Mac doesn't have any mechanism to automatically detect admin operations... so if an application tries to perform an action that requires admin privs, and it doesn't have them, it will just fail. On Vista, it will prompt the user. The same goes for Linux. Applications trying to perform admin operations that don't have perms will just fail and error out. Can you see why that would be an issue on an OS with literally millions of software titles that assume admin access?

      My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door.

      No, your logic is not sound. It is clear to me, and probably most other people reading these comments, that it is you making assumptions.
    27. Re:Something is Fishy by Anonymous Coward · · Score: 0

      It seems to me that the entire UAC model is little more than a bolt-on that does nothing to address the structural insecurity of Windows. ... With *nix, you get a wall around the whole yard by default
      Now this is just not fair. Privilege escalation exploits are very common in the Unix world. And while lots of daemons do, most Unix applications do not set up the equivalent of UAC, which would be a chroot jail and a setuid with low privileges. Firefox certainly doesn't do this.

      The exploit seems to be from Adobe Flash -- which set up a backdoor to the Windows equivalent of said chroot jail and setuid. Now, maybe your web server is running chroot as a different user, like mine is right now. Then you set up a CGI script as setuid root. When somebody exploits your server to break out of the jail, you blame Apache?
    28. Re:Something is Fishy by Iamthecheese · · Score: 1

      UAC is a solution to a problem that used to exist on Windows. Kind of like IE before version 8: They were doing it wrong; they no longer are.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    29. Re:Something is Fishy by Anonymous Coward · · Score: 0

      I'd like to add that http://www.deezer.com/ which is a Flash app keeps me logged on even if I deleted all cookies.

    30. Re:Something is Fishy by Zedekiah · · Score: 1

      That's what I thought, but decided to follow the parent's style ^^

      --
      What I wouldn't do for the ability to mod "-1, Plain Wrong"
    31. Re:Something is Fishy by barius · · Score: 1

      "The fact that they specifically stated the exploit was in Flash, and did not mention any major compromise of protected mode or privilege escalations, suggests that there were none." You didn't RFTA very well. They were only expected to reveal the exploit to the TippingPoint officiators who were the source of the prize funds. The article at TippingPoint's website makes it very clear that the exploit required Adobe Flash, but that they would not release any further details to the public. There very well could have been a sandbox break-out, but we won't know for sure until the exploit is revealed publicly. All your hot-air about IE7 protected mode, UAC and whatever else is nothing but speculation on your part.

    32. Re:Something is Fishy by Anonymous Coward · · Score: 0

      General Electric limits your Exchange mailbox to 100 MB, and aggressively encourages the use of PSTs. This seems to me to be a more sensible policy than "Just keep it all on the server". I support European employees and can count on needing to fix an Outlook issue via deleting ost/recreating a profile at least 2-3 times per week, often for home-based employees. I can't imagine telling people to wait several hours while they pull down a gigabyte of mail from the Exchange server over VPN.

      What exactly are the downsides to archiving mail in a pst, keeping a local copy for offline access, and having a copy that gets backed up to the network share on a regular basis?

    33. Re:Something is Fishy by Kalriath · · Score: 5, Informative

      Except that... get this... FLASH HAS A BROKER PROCESS. Protected mode cannot stop Flash doing stupid stuff because Adobe in their infinite wisdom decided they really needed that unfettered system access and created a Flash Broker. And to top it off, the Flash installer adds the Flash Broker as a "Don't prompt me again for allowing this application outside protected mode to be called" program.

      I don't even know why Microsoft bothers trying to secure stuff when morons like Adobe just go and fuck it up.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
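
The Low-integrity sandbox and the broker arrangement argued over in comments 25 and 33, as an added model that is not part of the thread and is not Microsoft's or Adobe's code. The paths, class names and the "scoped" policy are assumptions made for illustration; it shows why a Medium broker that serves any request from a Low caller cancels the no-write-up rule, and what a broker that validates the request preserves.

```python
import posixpath
from enum import IntEnum


class IL(IntEnum):
    """Integrity levels, ordered so that a higher value is more trusted."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class LabelledFS:
    """Toy file store; write() is the reference monitor (Biba: no write up)."""

    def __init__(self, dir_labels):
        self.dir_labels = dict(dir_labels)   # directory -> integrity label
        self.files = {}

    def label_of(self, path):
        # A file inherits the label of its nearest labelled parent directory.
        p = posixpath.normpath(path)
        while True:
            if p in self.dir_labels:
                return self.dir_labels[p]
            if p == "/":
                return IL.MEDIUM             # unlabelled objects count as Medium
            p = posixpath.dirname(p)

    def write(self, subject_il, path, content):
        target = posixpath.normpath(path)
        if subject_il < self.label_of(target):
            raise PermissionError(f"{subject_il.name} subject may not write {target}")
        self.files[target] = content


class NaiveBroker:
    """Runs at Medium and performs whatever write a caller asks for."""
    il = IL.MEDIUM

    def __init__(self, fs):
        self.fs = fs

    def save(self, caller_il, path, content):
        # The caller's level is never consulted: a confused deputy.
        self.fs.write(self.il, path, content)


class ScopedBroker(NaiveBroker):
    """Same privilege, but less-trusted callers are confined to one directory."""

    def __init__(self, fs, allowed_dir):
        super().__init__(fs)
        self.allowed_dir = posixpath.normpath(allowed_dir)

    def save(self, caller_il, path, content):
        target = posixpath.normpath(path)    # collapse ".." before checking
        inside = target.startswith(self.allowed_dir + "/")
        if caller_il < self.il and not inside:
            raise PermissionError(f"broker refuses {target} for {caller_il.name} caller")
        self.fs.write(self.il, target, content)


def attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def run_model():
    # Constructed layout: only the browser cache is labelled Low.
    fs = LabelledFS({"/users/alice/lowcache": IL.LOW})
    naive = NaiveBroker(fs)
    scoped = ScopedBroker(fs, "/users/alice/downloads")
    doc = "/users/alice/docs/report.txt"
    plugin = IL.LOW                          # code running inside the sandbox
    return {
        "direct_cache": attempt(fs.write, plugin, "/users/alice/lowcache/tmp", b"x"),
        "direct_doc": attempt(fs.write, plugin, doc, b"x"),
        "naive_doc": attempt(naive.save, plugin, doc, b"x"),
        "scoped_doc": attempt(scoped.save, plugin, doc, b"x"),
        "scoped_download": attempt(scoped.save, plugin, "/users/alice/downloads/a.swf", b"x"),
        "scoped_traversal": attempt(scoped.save, plugin,
                                    "/users/alice/downloads/../docs/report.txt", b"x"),
    }


if __name__ == "__main__":
    for case, outcome in run_model().items():
        print(f"{case:18} {outcome}")
```
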
    34. Re:Something is Fishy by drsmithy · · Score: 1

      That's not at all what I'm suggesting. I'm saying that just because MS says their software should behave in a certain way doesn't at all mean that it won't behave in an entirely unpredicted way given the right circumstances, nor does it mean that the software can't be made to behave in a way completely contrary to how it was designed.

      Are you suggesting that software bugs are in some way a phenomenon unique to Microsoft ?

      Again, I'm not going to make assumptions about what was not said. I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit.

      What "baggage" ?

      UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      No, it addresses the same problem that exists on all multiuser OSes, which is why all multiuser OSes address it (with varying degrees of user friendliness). Windows "compartmentalises users" at least as well as other platforms (and possibly better, depending on exactly what those OSes are, due to extensive use of ACLs and the lack of a superuser).

      My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door.

      Your logic is worthless. You are saying that because an (apparently ignorant) Exchange Administrator misconfigured her server, there might be bugs in Windows. This is like saying if someone sets up postfix as an open relay, there might be bugs in Linux.

      Or, to put it more succinctly, your "logic" is a non-sequitur.

    35. Re:Something is Fishy by liquidf · · Score: 1

      why are you using exchange over a vpn? i could see file sharing but not for exchange. you should use rpc-http. all you really need is a signed cert with the valid FQDN of the server, and if you are big enough organization $60-70/yr isn't really putting a dent in your pocket. and if there isn't a connection available to the exchange server, you've eliminated the vpn troubleshooting; it's either their internet connection, or the server, and if it's the server you've got bigger problems. we have at least a couple dozen customers that use rpc-http on a semi-regular basis, and not once have we had to delete their ost or create a new profile, not in the 9 mo.s i've been with this company, *unless* there is a problem with outlook itself that requires a complete reinstallation (usually it is bogus 3rd party software that causes it anyway). you could also use an exmerge script that would backup the mailboxes to a pst anyway and have that added to the backups.

      --
      i've had just about enough of your vassar bashing.
    36. Re:Something is Fishy by spisska · · Score: 5, Informative

      Are you suggesting that software bugs are in some way a phenomenon unique to Microsoft ?

      Not at all. What I'm suggesting is that when someone says that X is not possible because it isn't supposed to happen, it doesn't mean that it can't happen or won't happen. The Titanic was supposed to be unsinkable. AACS was supposed to be unbreakable. The four-minute mile was supposed to be unachievable.

      I'm not foolish enough to claim that *nix cannot be rooted or cracked. Just that because of its design it is inherently more secure and more difficult to crack than a system that still allows apps to run in rootspace.

      What "baggage" ?

      The baggage of supporting legacy apps that require(d) administrator access. Because Windows had been designed for so long to be run by a single user-administrator, there are plenty of apps that simply won't run without admin-level privileges.

      No, it addresses the same problem that exists on all multiuser OSes, which is why all multiuser OSes address it (with varying degrees of user friendliness). Windows "compartmentalises users" at least as well as other platforms (and possibly better, depending on exactly what those OSes are, due to extensive use of ACLs and the lack of a superuser).

      Not exactly. When an OS is designed from the ground up as a multiuser system (such as *nix), it is very easy to restrict access to system resources. If I want to install a piece of software on Linux, for example, I cannot make the installation system-wide (by writing to /usr/bin, for example) without admin privileges. I cannot install libraries to /lib, /usr/lib, etc. I cannot write settings to /etc. Even when installed and executed, that program will only have a restricted set of rights based on the user/group that executes it. I can, however, compile and run executables as a user without needing admin access and without write access to system files and/or directories. I can put whatever libraries, modules, settings etc are required in my home directory without needing access to restricted areas.

      Yes, I do run the risk of hosing my /home/user directory and everything inside of it, but I cannot touch any other user's files, and cannot touch system files.

      Windows, on the other hand, has a hybrid model where a multi user model is tacked onto a single user-admin model, or rather support for a single user-admin model is bolted onto a basic multiuser model. Basic, because a true multi-user system would never have a single repository for all settings, like the Windows registry.

      Your logic is worthless.

      Please explain.

      You are saying that because an (apparently ignorant) Exchange Administrator misconfigured her server, there might be bugs in Windows.

      No. What I'm saying is that my sysadmin's argument is very similar to the OP's argument. The OP said that because IE7 isn't supposed to allow a system level exploit via something like Flash, then therefore it isn't possible. My sysadmin said that because she configured Exchange to block autoforwarding to public webmail then it isn't possible. It is clearly possible to autoforward my mail to gmail, and I did it and showed her to prove a point. She seems to think I manually forwarded the messages and somehow spoofed the reply-to field, and that autoforwarding is impossible because it shouldn't happen.

      It's the same point I'm making now, and am running out of ways to say: Just because something shouldn't happen doesn't mean it won't or can't.

      More on topic, if an app has elevated rights, then exploiting a vulnerability in that app will give the exploit/exploiter elevated rights. There are very few apps on *nix (none that I can think of) that run or need to run with elevated rights. There are a lot of apps on Windows that expect to have admin rights, regardless of whether or not such access is needed. This is why the problem is structural, and why I used the example of the incomplete wall.

    37. Re:Something is Fishy by lakiw · · Score: 1

      "I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say." Microsoft does not enable ASLR by default for 3rd party applications since it can break software that relies upon absolute memory addresses. I scanned Adobe flash player with lookingglass, (www.erratasec.com), and ASLR was not enabled. They also didn't use NX, which helps prevent buffer overflows from being successful. On the plus side, at least the flash player executable, (not counting all its helper applications), doesn't use any unsafe functions like strcpy, and sprintf. That's a problem Microsoft has. If they enable security by default, lots of stuff breaks. If they make the security settings optional, no one uses them...
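
The opt-in ASLR and NX settings lakiw describes are recorded in each binary's PE header, so they can be audited without running anything. Added example, not from the thread and not the tool named in the comment: it reads the `DllCharacteristics` field, and the function names and the sample images built by `build_sample()` are constructed for illustration.

```python
import struct
import sys

# DllCharacteristics bits defined by the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # linker /DYNAMICBASE: image opts in to ASLR
NX_COMPAT = 0x0100      # linker /NXCOMPAT: image opts in to DEP/NX


class NotPE(ValueError):
    """Raised when the input is not a parseable PE image."""


def mitigation_flags(image: bytes) -> dict:
    """Return the ASLR/NX opt-in state recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Need: PE signature (4) + COFF header (20) + optional header up to
    # and including DllCharacteristics (72 bytes).
    if e_lfanew + 4 + 20 + 72 > len(image):
        raise NotPE("truncated headers")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise NotPE("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_char,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "format": "PE32" if magic == 0x10B else "PE32+",
        "aslr": bool(dll_char & DYNAMIC_BASE),
        "nx": bool(dll_char & NX_COMPAT),
        "raw": dll_char,
    }


def missing_mitigations(image: bytes) -> list:
    """List the opt-in mitigations the image does not request."""
    flags = mitigation_flags(image)
    return [name for name in ("aslr", "nx") if not flags[name]]


def build_sample(dll_characteristics: int) -> bytes:
    """Constructed header-only PE32 image, just enough for the parser above."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Audit real files given on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                data = fh.read(4096)                   # headers live at the start
            try:
                print(path, "missing:", missing_mitigations(data) or "none")
            except NotPE as exc:
                print(path, "skipped:", exc)
    else:
        print("no opt-in :", missing_mitigations(build_sample(0x0000)))
        print("both set  :", missing_mitigations(build_sample(0x0140)))
```
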

    38. Re:Something is Fishy by Allador · · Score: 2, Interesting

      Maybe, maybe not.

      The guy that took down Vista claims that the same exploit can be used on Linux and OSX, just requires a few more hours work.

      Not proven yet, but possible.

    39. Re:Something is Fishy by Allador · · Score: 1

      Thank you for posting this .... I didn't know that Adobe added a broker to IE7. This is useful information.

    40. Re:Something is Fishy by Allador · · Score: 1

      The gentleman who took down the Vista box claims that the vuln is usable against OSX and Linux as well, just requires a few more hours of work from them to setup.

      Also, I just found out while reading some other posts that the way this gets around IE7 Protected Mode is that Flash sets up a broker service that lets flash running in protected mode ignore protected mode. You've got to love it.

    41. Re:Something is Fishy by HiThere · · Score: 1

      Read the earlier thread about Flash and broker processes. Apparently the security system was circumvented by Adobe, so there was no reason for the browser not to be MSIE. Or not to be Firefox. It was an external "broker process" that was running as a service for Flash that was the probable culprit.

      And apparently that same broker process runs on the Mac and Linux versions of Flash. But the contest rules only allowed a contestant to claim one prize. He said it would be "a couple of hours work to get it running on Linux", and it would probably be wise to take him at his word. Flash is a trojan. It installs a service and blocks future warnings when the service is activated. That it's normally "used as intended" doesn't mitigate this.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    42. Re:Something is Fishy by zsau · · Score: 0, Redundant

      UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com

      What the? On Vista, you are always asked for an administrative password to do administrative stuff. If the current user is an admin, that's your own password, otherwise it's a username/password combo. This is by default; Windows can be configured so administrators don't need to enter their password if a user is foolhardy enough.

      On Ubuntu,[*] you are asked for your own password if you're a regular user with administrative rights (which lets you launch a program as root); and you are asked for your own password, but you'll always get an incorrect password prompt, if you're just a regular user. Root is disabled by default; but if a user is foolhardy enough they can enable it and use it as their regular user and never again be prompted for their password.

      The Windows prompt comes up more frequently; if you have no write permissions to C:\Program Files\Random Third Party\Random.exe, but you try to copy a file on top of it, Windows will ask for an administrative password. On Ubuntu, if you have no write permissions to /opt/random/bin/random, it'll be denied; you'll need to use a console (sudo cp foo /opt/random/bin/random). In this regard Ubuntu assumes a user never needs to install third-party software or touch another user's files.

      The Windows method is probably more convenient and the Linux method clearly has a bug, but not a security bug (if you won't ever be able to upgrade your privileges, it should just refuse). But considering you never log in as root on Linux, they're probably about equal, assuming the backends are secure.

      [*]: I currently use Debian, so Ubuntu might've changed in some regards.

      --
      Look out!
    43. Re:Something is Fishy by drsmithy · · Score: 1

      I'm not foolish enough to claim that *nix cannot be rooted or cracked. Just that because of its design it is inherently more secure and more difficult to crack than a system that still allows apps to run in rootspace.

      Which system is that ? Because it sure as hell isn't Windows. Indeed, the concept of 'root' doesn't even exist in Windows (as opposed to UNIX, where it's still not at all uncommon to find daemons running as root, and in UNIX, processes running as root genuinely and inherently operate without restrictions).

      The baggage of supporting legacy apps that require(d) administrator access. Because Windows had been designed for so long to be run by a single user-administrator, there are plenty of apps that simply won't run without admin-level privileges.

      Windows NT has been multiuser since day 1 and was designed as such. The only reason some applications "need" to run as Administrator is because they're badly written. It has _zero_ to do with either Windows or Microsoft. Indeed, in this area NT is far superior because access to system resources can be granted on a per-user basis and UNIX's ugly hack of "start as root, do the stuff that needs root privileges, then switch to another user" doesn't even need to be considered.

      Not exactly. When an OS is designed from the ground up as a multiuser system (such as *nix), it is very easy to restrict access to system resources.

      1. UNIX was not designed "from the ground up" as a multiuser system. The first iterations were single user.
      2. Windows NT *was* designed "from the ground up" as a multiuser system.
      3. Restricting access to system resources in UNIX is generally only possible if those system resources are exposed via the filesystem.

      If I want to install a piece of software on Linux, for example, I cannot make the installation system-wide (by writing to /usr/bin, for example) without admin privileges. I cannot install libraries to /lib, /usr/lib, etc. I cannot write settings to /etc. Even when installed and executed, that program will only have a restricted set of rights based on the user/group that executes it. I can, however, compile and run executables as a user without needing admin access and without write access to system files and/or directories. I can put whatever libraries, modules, settings etc are required in my home directory without needing access to restricted areas.

      Yes. Just like Windows.

      Yes, I do run the risk of hosing my /home/user directory and everything inside of it, but I cannot touch any other user's files, and cannot touch system files.

      Again, just like Windows.

      Windows, on the other hand, has a hybrid model where a multi user model is tacked onto a single user-admin model, or rather support for a single user-admin model is bolted onto a basic multiuser model. Basic, because a true multi-user system would never have a single repository for all settings, like the Windows registry.

      Why on Earth *wouldn't* a multiuser system use an ACL-restricted, transactional, auditable, concurrent database with a defined set of access methods and data types for storing system data ? Are you suggesting it would be better off using, say, a filesystem directory full of text files ? A system with primitive and coarse security, no auditability, no provision for concurrent access, no standardised access methods and not even the most basic capabilities for sanity checking data ?

      In what possible way is the Registry incompatible with a multiuser system ?

      No. What I'm saying is that my sysadmin's argument is very similar to the OP's argument.

      No, they're not. Not in any meaningful sense. One example is either poor configuration, or ignorance of how the system works (and is designed to work). The other is an explanation of how a system is explicitly designed to work.

      If you can not, or will not, und

    44. Re:Something is Fishy by Allador · · Score: 1

      The baggage of supporting legacy apps that require(d) administrator access. Because Windows had been designed for so long to be run by a single user-administrator, there are plenty of apps that simply won't run without admin-level privileges.

      I'm not sure where you get this from. Windows was never designed this way. Many userspace applications were, but the OS itself never was. It's been multi-user from the start.

      Not exactly. When an OS is designed from the ground up as a multiuser system (such as *nix), it is very easy to restrict access to system resources. If I want to install a piece of software on Linux, for example, I cannot make the installation system-wide (by writing to /usr/bin, for example) without admin privileges. I cannot install libraries to /lib, /usr/lib, etc. I cannot write settings to /etc. Even when installed and executed, that program will only have a restricted set of rights based on the user/group that executes it. I can, however, compile and run executables as a user without needing admin access and without write access to system files and/or directories. I can put whatever libraries, modules, settings etc are required in my home directory without needing access to restricted areas.

      Yes, I do run the risk of hosing my /home/user directory and everything inside of it, but I cannot touch any other user's files, and cannot touch system files.

      The way you describe Unix as working is _precisely_ how windows works. In every single way that you describe here, windows works exactly the same.

      Windows, on the other hand, has a hybrid model where a multi user model is tacked onto a single user-admin model, or rather support for a single user-admin model is bolted onto a basic multiuser model.

      Like many on /., I don't think you understand how the technical internals of windows work. Yet you are free about complaining about how you think it works is bad.

      Basic, because a true multi-user system would never have a single repository for all settings, like the Windows registry.

      I think you're conflating unrelated things. And adding that onto a fundamental misunderstanding of how windows works.

      Windows does NOT have a single repository for all settings.

      It has one primary configuration file, which is the HKLM registry hive. In addition to that, there are a large number of other secondary configuration files in windows\system32 and subfolders.

      Each user also has its own registry hive file. In addition to that, there are a large number of other secondary and application specific configuration files stored in their user profile (ie, what you call a home folder).

      The OP said that because IE7 isn't supposed to allow a system level exploit via something like Flash, then therefore it isn't possible. My sysadmin said that because she configured Exchange to block autoforwarding to public webmail then it isn't possible.

      Again, you're conflating unrelated things. Just because your Exchange admin was ignorant as to the holistic system which included Exchange, does not mean that Windows is broken, or even the more specific case of that IE7's protected mode is broken. The two are completely unrelated.

      Your Exchange admin's issue was one of profound human ignorance of a matter, compounded by the ignorant person making sweeping statements about things with which they were ignorant. Much like you did in your post.

      The IE7 issue was one of some of us not knowing the whole story. As those of us who read up on the IE7 Protected Mode system know, there is the concept of a broker that can be built to allow plugins that need it the ability to communicate with the outside world.

      Adobe apparently installs one of these (this was the new piece of information) in Vista, and then allows fairly arbitrary commands to be passed through the broker.

    45. Re:Something is Fishy by recoiledsnake · · Score: 1

      What the? On Vista, you are always asked for an administrative password to do administrative stuff. If the current user is an admin, that's your own password. Where did you get this idea from? Just google search images for UAC prompt since I don't think you will believe me anyway.
      --
      This space for rent.
    46. Re:Something is Fishy by zsau · · Score: 1

      Oh, you're right. I mistook the prompt for the password request.

      --
      Look out!
    47. Re:Something is Fishy by drsmithy · · Score: 1

      Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.

      No, UAC is addressing a problem present on all multiuser OSes - which is why all multiuser OSes make some attempt at addressing it. UAC is doing the same thing OS X and some Linux distros like Ubuntu do with their automated, graphical sudo prompts, and it is doing it for the same reason - to abstract away the concept of a multiuser OS.

      Incidentally, your blog posts aren't really correct. Lots of applications - even those dating from the late 90s - were properly written and work fine when not running as Administrator. Microsoft had all the API infrastructure in place - even in DOS-based Windows - so developers have had no excuse for not writing "multiuser friendly" apps since about 1997. Not having an Admin user by default in XP wouldn't have broken "all" applications, although it would have likely broken a non-trivial subset.

      Additionally, you have always been able to "Run As" in Windows NT (as Windows NT has always been multiuser), although it did require a "Power Toy" or the use of a command line until Windows 2000.

    48. Re:Something is Fishy by ThinkFr33ly · · Score: 1

      My blog posts are not wrong. There is a difference between graphical SUDO / the Mac OS X authorization prompt, and Vista's UAC.

      The biggest difference is that Vista's UAC prompt is automated. Any attempt at doing something that requires admin access automatically results in a UAC prompt.

      This is not what happens on Mac OS, and it is not what happens on Linux. In the case of Mac OS, their authorization prompt basically only appears when the user does things in the control panel, installs certain apps, or does file operations on locations they don't have access to.

      In the case of Linux, most tasks that require admin access will just fail out right if you aren't running as su/root.

      In both scenarios, the prompts only happen when they've been specifically coded for by the OS or application. This is fine, since the vast majority of applications written for these environments know this, and are designed with this in mind. Legacy software that doesn't play by the rules isn't an issue.

      This is not the case with Windows. On Vista, a UAC prompt will happen any time any process attempts to do something that requires admin access but is not running as admin. If a crappy/legacy app calls to an API, or tries to write to a file, or whatever, and this action requires admin access, a UAC prompt automatically appears. In addition, when running as "admin" on Vista you're not really an admin (it only changes the UAC prompt so that no username/password is required).

      Why would Microsoft do this if there weren't a huge body of legacy software that would simply break if it was not running as admin? It is a *fact* that UAC is a compatibility mechanism... Microsoft has repeatedly stated this. Not only that, but a huge part of UAC is heuristic based... so it can detect the potential for requiring admin access ahead of time. This is particularly useful with installers, control panel apps (.cpl), etc.

      Sure the APIs have been there to play nice with NT-style permissions / user isolation... but Microsoft was horrible at enforcing that, even with XP. Lazy ISVs continued to do it the old way because it worked. The fact it was possible to do it the right way, or that you could "Run As Admin" has absolutely no bearing on this discussion.

    49. Re:Something is Fishy by Allador · · Score: 1

      What exactly are the downsides to archiving mail in a pst, keeping a local copy for offline access, and having a copy that gets backed up to the network share on a regular basis?

      Downsides:

      1. No backups of your PST. If it's on the server, it's getting backed up automatically (one hopes). At best, in your suggestion, you have to use a supplementary backup process in addition to the primary one.

      2. Your mail only exists on one machine. So you can't OWA from somewhere else, and you can't easily move between your regular machine and another machine.

      3. Not necessary for offline access. Outlook caches the entire mailboxes locally and transitions between online and offline seamlessly by default (since Outlook 2003).

      4. PSTs are easy to corrupt. This pretty much never happens on a properly maintained Exchange server.

      About the only real upside to local PSTs is that it makes an easy out if you get sued. Since PST storage is 'unofficial' and not known or monitored by the central IT, then if your company gets subpoena'd, the sysadmins just give up what's on exchange. At least theoretically, I'm not sure how well that works in practice. Attorneys are canny.
    50. Re:Something is Fishy by xenocide2 · · Score: 1

      Fortunately for Ubuntu, gnash is slowly improving to the point where it can display videos. If it comes to blows, I think we may recommend gnash as an alternative.

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

    51. Re:Something is Fishy by cbhacking · · Score: 1

      Oh dear god... that's the worst serious implementation decision I've heard in ages. If it weren't for Pandora I'd probably have ripped Flash off long ago, this makes me want to do it anyway (and send Adobe an angry letter as well).

      There's no really easy way to undo this setting, it seems. Clicking the Reset button in IE7's Internet Options -> Advanced tab will do it, but will generally reset a lot of other stuff too. The best info I've found on fixing this is on http://www.errorforum.com/microsoft-windows-vista-error/16233-ie7-windows-vista-configuring-your-view-source-editor.html which mentions that the relevant registry keys are at [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F5511FE-4BB1-474D-B6ED-8877567E7F36}].

      I can't confirm this works on my own machine; IE8 seems to have moved the relevant keys. I'll suggest allowing easy changes to this list as a feature request.

      --
      There's no place I could be, since I've found Serenity...
    52. Re:Something is Fishy by keean · · Score: 1

      Linux has already had this functionality for years: su nobody -c firefox

    53. Re:Something is Fishy by Kalriath · · Score: 1

      Uh, that GUID on the end is specifically for Notepad. For Flash, the GUID is {C8CB1281-1C27-46AD-9DF5-17700E0527EF}. A "Policy" value of "3" appears to mean "don't prompt me"

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
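An added example, not part of the thread or any poster's code: a small auditor for the ElevationPolicy keys discussed in the two comments above, which parses the text of a `reg export` of the `Low Rights\ElevationPolicy` key and flags brokers that Protected Mode launches without prompting. The two GUIDs are the ones quoted in the thread; every value under them, the third GUID, the file paths and all function names are constructed for illustration.

```python
import re

# Meaning of the "Policy" DWORD as documented by Microsoft for Protected Mode
# elevation policies; the thread itself only mentions value 3.
POLICY_MEANING = {
    0: "blocked: Protected Mode will not launch it",
    1: "launched silently at low integrity",
    2: "user is prompted, then launched at medium integrity",
    3: "launched silently at medium integrity (no prompt)",
}

# Matches only per-broker subkeys, under any hive (HKCU or HKLM).
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\Software\\Microsoft\\Internet Explorer"
    r"\\Low Rights\\ElevationPolicy\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in .reg export syntax. A real export is UTF-16 text, so
# read it with open(path, encoding="utf-16") before passing it in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F5511FE-4BB1-474D-B6ED-8877567E7F36}]
"AppName"="notepad.exe"
"AppPath"="C:\\Windows\\System32"
"Policy"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8CB1281-1C27-46AD-9DF5-17700E0527EF}]
"AppName"="example-plugin-broker.exe"
"AppPath"="C:\\Example\\Plugin"
"Policy"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}]
"AppName"="example-no-policy.exe"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Policy"=dword:00000003
"""


def _decode(data):
    """Convert .reg value syntax to a Python value (DWORD or string)."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        # .reg strings escape backslash and double quote with a backslash.
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex:, expand strings etc. are kept as raw text


def parse_elevation_policies(reg_text):
    """Return one dict per ElevationPolicy\\{GUID} subkey in the export."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None  # values under any other key are ignored
            if m:
                current = {"hive": m["hive"].upper(),
                           "guid": m["guid"].upper(), "values": {}}
                entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            current["values"][m["name"]] = _decode(m["data"])
    return entries


def audit(entries):
    """Describe each entry and flag the silent medium-integrity ones."""
    report = []
    for e in entries:
        raw = e["values"].get("Policy")
        policy = raw if isinstance(raw, int) else None
        if policy is None:
            meaning = "no DWORD Policy value present"
        else:
            meaning = POLICY_MEANING.get(policy, "undocumented value")
        report.append({
            "guid": e["guid"],
            "target": e["values"].get("AppName")
                      or e["values"].get("CLSID") or "(unnamed)",
            "policy": policy,
            "meaning": meaning,
            "silent_medium": policy == 3,
        })
    return report


if __name__ == "__main__":
    for row in audit(parse_elevation_policies(SAMPLE_EXPORT)):
        mark = "REVIEW" if row["silent_medium"] else "ok    "
        print(mark, row["guid"], row["target"], "-", row["meaning"])
```

Entries flagged REVIEW are the ones that leave the low-integrity sandbox with no user prompt, so each should map to a broker you recognise and trust.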
    54. Re:Something is Fishy by drsmithy · · Score: 1

      My blog posts are not wrong. There is a difference between graphical SUDO / the Mac OS X authorization prompt, and Vista's UAC.

      Sorry, I was (and thought you were) speaking mostly in terms of the concept, rather than nitty gritty details about the implementations.

      Vista certainly does more smoke and mirrors, but in concept, they are the same - the user tries to do something they don't have privilege levels for and the system automatically prompts them for authorisation (and potentially authentication).

      Why would Microsoft do this if there weren't a huge body of legacy software that would simply break if it was not running as admin?

      Same reason OS X and Linux do it. Because you don't want[0] to run as a high-privilege user all the time but you do (especially on single-user, home desktops) want the ability to easily and temporarily raise your privilege levels when necessary.

      It is a *fact* that UAC is a compatibility mechanism... Microsoft has repeatedly stated this. Not only that, but a huge part of UAC is heuristic based... so it can detect the potential for requiring admin access ahead of time. This is particularly useful with installers, control panel apps (.cpl), etc.

      The point is that it's not _only_ a compatibility mechanism. Of equal (and far longer term than the remaining lifetime of broken applications) importance is that it allows users to easily run with reduced privileges. In that context, whether the UAC prompts are being triggered by dedicated API calls or heuristic jiggery-pokery behind the scenes is a relatively insignificant issue of semantics.

      Sure the APIs have been there to play nice with NT-style permissions / user isolation... but Microsoft was horrible at enforcing that, even with XP.

      How do you propose they "enforce" it (and especially without bringing down the usual accusations of "monopoly, antitrust !") ?

      Lazy ISVs continued to do it the old way because it worked. The fact it was possible to do it the right way, or that you could "Run As Admin" has absolutely no bearing on this discussion.

      It does, because your blog is suggesting that running as a non-Administrator is something that's only recently been possible and (IMO) implying that because of this developers have had some sort of excuse for writing broken apps up until only a few years ago, when XP gained popularity. This is not true, and developers are 100% to blame for any program released in basically the last decade that unnecessarily needs Administrator privileges because it assumes it will always have them.

      Heh, at any rate, having just looked at the Slashdot posting your blog referenced, it seems we've had some of this discussion before :).

      [0] Although in practice the ignorance level of the typical end-user nullifies this principle.

    55. Re:Something is Fishy by prockcore · · Score: 1

      The biggest difference is that Vista's UAC prompt is automated. Any attempt at doing something that requires admin access automatically results in a UAC prompt.


      That's not true. The only thing that's automated is that setup.msi apps automatically trigger UAC when run. If I have a windows app that tries to write to Program Files, it will silently fail. It won't trigger UAC.
    56. Re:Something is Fishy by Anonymous Coward · · Score: 0

      What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux(default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash(or in Firefox) from shitting all over your user directory?

      I can't tell you specifically what in Linux prevents that, but I do know that something does. Otherwise, the same exploit would have been used to crack the Ubuntu machine as well. It wasn't, so there must be something preventing it from working.
    57. Re:Something is Fishy by cbhacking · · Score: 1

      You completely misunderstood. There literally is no "ElevationPolicy" key. I found that substring in the data field of a couple of values, mostly involving backed-up data, but none of them directly involved Flash anyhow.

      I'll search for that GUID, but I doubt it will help. As I said, IE8 seems to have shifted things around a lot.

      --
      There's no place I could be, since I've found Serenity...
  20. Both vulns are Mac-centric by EraserMouseMan · · Score: 2

    It's interesting that the 2 vulnerable attack vectors are from the 2 companies that have the largest Mac user-base. Apple (Safari) and Adobe (Flash).

    1. Re:Both vulns are Mac-centric by xenocide2 · · Score: 1

      I'd mention something about OS9 being built on an assumption of cooperative multitasking, but Safari never saw OS9, and Flash was always designed to run on multiple platforms on top of a magical browser layer. There's nothing special about any relations you might see between OS and software here.

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  21. General Linux by buchner.johannes · · Score: 1

    Is there anything Ubuntu-specific about the results or can this be extrapolated to other distris?

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:General Linux by Anonymous Coward · · Score: 0

      other distris


      Man I sure hope that's a typo.
    2. Re:General Linux by Anonymous Coward · · Score: 1, Funny

      Man I sure hope that's a typo.

      No, it's a typi.
  22. 1 day later. by Lulfas · · Score: 3, Insightful

    Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.

    1. Re:1 day later. by maskedbishounen · · Score: 2, Insightful

      Or rather, security through obscurity takes longer. Which is kind of the whole point.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    2. Re:1 day later. by LLKrisJ · · Score: 1

      Although it may be true that the Ubuntu machine remained unharmed I remain with a question;

      What about flash player for Linux??? The Vista machine was hacked through a flaw in flash player, but wouldn't that same flaw potentially make the Ubuntu machine vulnerable as well???? Was flash installed on the Ubuntu machine?

      This kind of info is important to judge these kinds of results.

      Also, I think it is a pity that the contest didn't restrict itself to the stock OS installation without 3rd party apps. Now it's just comparing apples and pears and no real statements can be made about the relative security amongst these OS's

      Just my two cents...

    3. Re:1 day later. by Lulfas · · Score: 1

      The first two days did exactly this. On the third day, they brought in the 3rd party apps.

    4. Re:1 day later. by LLKrisJ · · Score: 1

      Yes, I noticed now, but correct me if I'm wrong then, but isn't it then useless to compare (and judge) the security of these three OS's, because in the end they topple over because of 3rd party apps...

    5. Re:1 day later. by Oktober+Sunset · · Score: 1

      vista did, but the mac was pwned because of Safari which is included with the OS.

    6. Re:1 day later. by advocate_one · · Score: 1

      Vista doesn't come with much functionality in the first place... about all you can do with a Vista box (without installing third party apps) is browse the web, play some media files and edit some simple documents... Ubuntu comes with a whole shedload of apps installed by default...these were all there on the box from the git go...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    7. Re:1 day later. by Dude+McDude · · Score: 1

      Vista doesn't come with much functionality in the first place... about all you can do with a Vista box (without installing third party apps) is browse the web, play some media files and edit some simple documents...


      Windows Calendar
      Windows Contacts
      Windows DVD Maker
      Windows Movie Maker
      Windows Media Player
      Windows Media Center
      Windows Mail
      Windows Photo Gallery
      Windows Meeting Space
      Windows Search
      Windows Sidebar
      Snipping Tool
      Speech Recognition
      Sound Recorder
      Sync Center
      Calculator
      Notepad/Wordpad
      Paint

      Yep, not much functionality there.

    8. Re:1 day later. by HappySmileMan · · Score: 1

      Yes, you're right, almost all of those fall under just browsing web, playing media files and editing simple documents... In addition to crappy voice recording, calculator and speech recognition that hardly ever works correctly.

      And for example windows comes with notepad/wordpad, Ubuntu comes with a notepad equivalent, except it also has indentation and syntax highlighting for many languages.
      Windows comes with paint, Ubuntu comes with the GIMP.
      Ubuntu comes with Python and Perl (at least one of them anyway, maybe I installed the other one myself).
      Ubuntu comes with a full Office suite for god's sake.

      There are a lot more programs to exploit on Ubuntu by default.

    9. Re:1 day later. by c_forq · · Score: 2, Insightful

      On the other hand Webkit http://www.webkit.org/ is open source, and the Mac was exploited through Safari. So this same case could be used as an argument that open source is more easily/quickly exploited.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    10. Re:1 day later. by Dude+McDude · · Score: 1

      Yes, you're right, almost all of those fall under just browsing web, playing media files and editing simple documents... In addition to crappy voice recording, calculator and speech recognition that hardly ever works correctly.

      Uhh no. None of the things I listed fall under "browsing the web". Media Player and Center come under "playing media files", but they do more than that; ripping CDs, managing your audio/video collection etc. Speech recognition works fine providing you a) train it before using it, and b) speak clearly (not like the mong in the "hilarious" video that was going around a year or so ago).

      There are a lot more programs to exploit on Ubuntu by default.

      That wasn't the point I was addressing. The poster's initial statement was that "Vista doesn't come with much functionality in the first place... ". That's clearly bollocks.
  23. I don't know about a religious platform war .... by LaughingCoder · · Score: 5, Insightful

    ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.

    --
    The more you regulate a company, the worse its products become.
  24. Not about the OS? by ClickWir · · Score: 0, Informative

    So it was a Flash exploit.... which would mean that each of the machines would be vulnerable?

    I don't know the details about the sploit so I don't know if it's OS specific even though it is Flash.

    1. Re:Not about the OS? by LingNoi · · Score: 1

      If that were true they would have gotten the ubuntu machine as well, they didn't so it's an OS specific vector.

    2. Re:Not about the OS? by Allador · · Score: 1

      Not quite. The guy who brought down the Vista box made a point in saying that the exploit is useful against OSX and Linux as well, they just need a bit more work to tune it.

      The reason you didn't see the others taken down is that this was a privately-found vuln by this company, and you can only use a vuln once. By contest rules you can't use the same vulnerability on all three systems. So they chose to target Windows.

  25. Hierarchy of Desirable Laptops? by dvase · · Score: 0, Troll

    Order in which they were taken home:

    First (ie. Most Desirable): MacBook
    Second (ie. Somewhat Desirable): Vista
    Unclaimed (ie. I'd rather not): Ubuntu

    1. Re:Hierarchy of Desirable Laptops? by Anonymous Coward · · Score: 0

      Congratulations, you win the dumbest apple fanboy of the year award.

    2. Re:Hierarchy of Desirable Laptops? by Anonymous Coward · · Score: 0

      Yeah wanting a really nice computer and probably the most expensive out of the batch is SO DUMB.

    3. Re:Hierarchy of Desirable Laptops? by Wavebreak · · Score: 2, Insightful

      No, trying to hack only the most desirable one would be dumb, seeing as how either of the other two are worth quite a bit on their own, and there's a rather substantial cash prize in it for you as well. This gets repeated constantly, and people *still* bring the same goddamn stupid point up. No wonder you're posting as AC tbh.

      --
      Nobody expects the British Columbia Human Rights Tribunal.
    4. Re:Hierarchy of Desirable Laptops? by Oktober+Sunset · · Score: 1

      Umm, let's look at the hardware, oh look, the most expensive laptop and the most powerful, and pretty tasty looking was the Sony Vaio, which was the Ubuntu one which survived. Flaw in your logic there is.

    5. Re:Hierarchy of Desirable Laptops? by dvase · · Score: 0

      FYI: I actually run Ubuntu full time on my laptop, and I happen to enjoy it quite a bit!

    6. Re:Hierarchy of Desirable Laptops? by dvase · · Score: 0

      A Sony Vaio you say, hmmm, that would be quite attractive. Especially compared to the Dell I'm currently running Ubuntu on.

      I didn't realize that Ubuntu was on a Vaio, although I looked for a list of the hardware the systems were using on the CanSecWest site, but I couldn't find anything.

    7. Re:Hierarchy of Desirable Laptops? by dvase · · Score: 0

      Never mind about not finding the hardware list, I finally spotted it, on the front page of course.

    8. Re:Hierarchy of Desirable Laptops? by spitzak · · Score: 1

      The Windows and Linux were not running on identical hardware?

      That is a bit suspicious. It should have been easy to make the value of the two pieces of hardware identical so a question like this does not come up.

      Obviously the Apple one is harder to match.

      I would very much suspect this Flash hole is cross-platform. It sounds like they got flash itself to read and return the file, not that they got it to execute some other program that did the work. Maybe the file was in the right place on the Windows machine.

      Also there are some informed comments above about how the new Vista IE runs with seteuid(), something that really Firefox should do on Linux, but that Flash found a way around that, apparently by installing and auto-executing another process that had the rights to do things and to talk to the flash plugin (unless there is a bug in their seteuid and flash could execute such a process directly, but I don't think Microsoft would make such a stupid mistake). In any case really this should be disallowed, and all the other platforms and Firefox on Windows should at least try to do this as well. A bug that can wipe out my home directory is almost as bad as one that can take over the machine.

    9. Re:Hierarchy of Desirable Laptops? by Anonymous Coward · · Score: 0

      most expensive, maybe. Most powerful - hardly. The Sony Vaios are crappy machines other than their looks. No self-respecting geek would or should have one.

    10. Re:Hierarchy of Desirable Laptops? by Oktober+Sunset · · Score: 1

      Hello? The competition is a macbook air, and a stupid folds-into-a-tablet thing. A roadkilled squirrel with a screen could beat them.

  26. Re:Know this: no one uses linux on desktop, no sof by Zedekiah · · Score: 3, Funny

    No-one? I hope you realise that you've just caused me an existential crisis!

    --
    What I wouldn't do for the ability to mod "-1, Plain Wrong"
  27. Re:Know this: no one uses linux on desktop, no sof by ricegf · · Score: 5, Insightful

    Know this: no one uses linux on desktop,

    The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

    Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

    And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

    Well, anyway, sorry to have fed the troll.

  28. Re:Let me get this straight by Killerchronic · · Score: 0

    Because then you could put an OS on it that was secure!
    Doesn't state you have to keep the OS that came with it.

  29. Re:I don't know about a religious platform war ... by TobyWong · · Score: 1

    Hey good for you, some of us work in industries where adobe products are the standard and running anything else will result in lost business.

    --
    - Toby
  30. Re:I don't know about a religious platform war ... by SuperBanana · · Score: 1

    . And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well .

    Given that it takes about 10 seconds to launch Adobe Photoshop CS3 (that's their "heavyweight" photo product) on my dual-core laptop (with "non-RAIDed SATA" laptop drive), and PDFs don't bring my system to its knees...

    ...I'd say there's something wrong with your laptop (or the configurations/state of its operating system.)

  31. Re:I don't know about a religious platform war ... by LaughingCoder · · Score: 1

    I will hasten to point out the same holds true for Windows. Of course that doesn't necessarily mean it's great stuff -- just that it's managed to become a de facto standard.

    --
    The more you regulate a company, the worse its products become.
  32. Re:I don't know about a religious platform war ... by Anonymous Coward · · Score: 0

    That's what so brilliant about linux. Evince ftw.

  33. Know this: people use linux on desktop by tomhudson · · Score: 2, Insightful

    Know this: no one uses linux on desktop

    Really? So this must be some magical post I'm making ...

    Second-rate software may appeal if it comes at no cost, but life is too short to waste and second-rate (at best) software wastes too much of it

    I agree, which is why I don't "do" Windows.

    I use linux at home, and linux + bsd at work.

    My sister switched to an iMac, and "once you go mac, you never go back."

    People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...

    Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.

    1. Re:Know this: people use linux on desktop by Nomen+Publicus · · Score: 1

      I stopped using Windows when Windows 98 was released and I couldn't make it do things my way. I switched to Linux, then Solaris and now both of my laptops run OpenSolaris.

      I see no reason whatsoever to return to the small, shuttered prison cell that is Windows.

    2. Re:Know this: people use linux on desktop by ScrewMaster · · Score: 1

      I see no reason whatsoever to return to the small, shuttered prison cell that is Windows.

      Yes, but as small, shuttered prison cells go ... it is comfortably furnished.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Know this: people use linux on desktop by Almahtar · · Score: 3, Informative

      Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.

      As a matter of fact, you can run IE 5.5, 6, and 7 simultaneously in Linux, making it easier for IE compatibility testing than Windows. Oh, the irony.
    4. Re:Know this: people use linux on desktop by HiThere · · Score: 1

      Odd...I kept using MSWind. MSWind95. I still use it. It's on an isolated machine not connected to the net. But some programs won't run on anything else, and I STILL need those programs.

      Of course I also have Linux and Mac...but Mac changed their EULA last year (or I noticed a change last year) and I won't be buying any more of them. I'm currently campaigning to get them disconnected from the net. (They are, all but one. Unfortunately, that one is the most important one.)

      Take these problems (and retained old systems) as evidence that open file formats are MANDATORY. Don't buy any software that won't export files into open formats without loss.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Know this: people use linux on desktop by Walter+Carver · · Score: 1

      IE doesn't run quite that well on Wine as it does on Windows natively. Unfortunately. That is the bad news.

      The good news is that you can run versions 3 to 7 in Windows pretty easily! First you install IE7 and then you get MultipleIEs which installs versions 3 to 6. I am running versions 5 to 7 simultaneously! :)

  34. Ahem... by TheDarkener · · Score: 1

    "How's that for fueling religious platform wars?"

    Wow. I guess the story posters here really *do* like all of the "X OS is sooooo better than Y OS" comment threads. =p Flame on, SD community. Flame on.

    --
    It is pitch black. You are likely to be eaten by a grue.
  35. Re:Know this: no one uses linux on desktop, no sof by calebt3 · · Score: 2, Insightful

    No-one uses Linux, and No-one is perfect. So we should try to follow in No-one's footsteps.

  36. Newsworthy. by Just+Some+Guy · · Score: 1

    I haven't found the 3rd-party list yet, but was Flash also installed on the Ubuntu laptop?

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Newsworthy. by Allador · · Score: 1

      It's implied, but I can't find any specific listing on the cansecwest site. They also don't say where the file to be read was, or what the file-system ACLs were on it.

      It's worthy of note that the attacker that took down the Vista box claims that it's only a few hours of work from being successful against OSX and Linux as well. Not substantiated, but claimed.

  37. Re:Know this: no one uses linux on desktop, no sof by Oktober+Sunset · · Score: 2, Funny

    Well, anyway, sorry to have fed the troll. As long as you don't feed the squirrels.
  38. You want FoxIt Reader. by davemw · · Score: 1

    I gave up using Adobe Reader a while back, after finding Foxit Reader, which despite a few small annoyances, is about a million times faster at startup and rendering. It has no browser plugin, but in this day and age I see that as a good thing (you *do* remember the Acrobat javascript vulnerability from last year, don't you? :)

  39. Re:I don't know about a religious platform war ... by popmaker · · Score: 1

    xpdf? Hey, at least it's easy on the PC!

  40. Re:I don't know about a religious platform war ... by Fweeky · · Score: 2, Insightful

    It brings any machine to its knees as it consumes every available resource while rendering a simple document

    Not seen that. I did try FoxIt Reader when I found a rather complex pdf of a world map of submarine optical fibre connections was rendered painfully slowly, but FoxIt was even slower. I upgraded to Adobe Reader 8, and now it's actually fairly smooth; something that'd take FoxIt or Adobe Reader 7 a good 3-10 seconds to render will take under a second and once drawn, scroll smoothly.

    At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.

  41. Do we need to define troll? by OMNIpotusCOM · · Score: 1

    This is a troll because it's true? The winner took home the lappy they cracked. I'm guessing it went in order of resale and/or pure value. Sometimes "Desirability" and "value" are the same. If it's a troll from the "I'd rather not", fine, but I still don't think that negates the overall value of the comment.

    1. Re:Do we need to define troll? by HappySmileMan · · Score: 1

      They'd be hacking whichever one they could hack first, not whichever one they wanted most, because there was a cash prize of $20,000 for 1st day, 10,000 for 2nd day and 5,000 for 3rd day.

      I think these hackers would be smart enough to realise that getting a Macbook over a laptop with Vista on it is not worth losing 5000-10000 dollars just because they prefer to use a Mac. They did it because it was easiest for them to hack and overall they won the most.

      If Vista really was less secure than Mac the guy would've hacked it and won $20,000 instead of $10,000, unless the Macbook was $10,000 more expensive (which I could understand considering Apple are an even bigger ripoff than Microsoft) he would've been very stupid.

  42. Re:I don't know about a religious platform war ... by Hatta · · Score: 1

    Then why do you use it? For PDF reading there's Sumatra or Foxit. There are many photo editing suites. If you just use Elements then the Gimp should be plenty. And Flash is useless. So for your purposes, why bother with Adobe software at all?

    --
    Give me Classic Slashdot or give me death!
  43. Re:Let me get this straight by Divebus · · Score: 3, Insightful

    The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000

    Cue the trolls: "See? Macs ARE more expensive!"
    --

    Most of the stuff on /. won't survive first contact with facts.
  44. Different hardware, different incentive? by Killer+Eye · · Score: 0, Redundant

    I've been a little suspicious of this contest simply because of the different hardware prizes. It is possible that a hacker's motivation for the contest is driven by the nice hardware of the machine, and *not* the OS running on it. In other words, of course they're going to try to hack the nicest machines, and every system has holes (regardless of record), so it isn't necessarily news that "nicest machine was hacked first".

    Not that it's easy to level this particular playing field, but you could argue that at least the Vista and Ubuntu machines can run on exactly the same type of laptop. Maybe even "3 MacBooks running VMware" would still be considered fair for testing the built-in strengths of all 3 operating systems. The idea is to take away the hardware incentive, so the results are more interesting.

    --
    "Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
    1. Re:Different hardware, different incentive? by Anonymous Coward · · Score: 2, Informative

      if you had rtfa, you would know that there are also a couple thousand dollars in the game.

    2. Re:Different hardware, different incentive? by Killer+Eye · · Score: 1

      I did read it, I know there's money awarded. But it's the *same* money regardless of which machine is taken over, so (as I said) this leaves the type of hardware as an incentive to favor one OS target over another.

      --
      "Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
    3. Re:Different hardware, different incentive? by Gadget_Guy · · Score: 1

      You are forgetting that the winners were both from computer security firms. I would imagine that they would already own so many computers that the prize would be just a drop in the ocean. It would certainly be insignificant compared to the value of the PR that their security firm would receive by winning the competition.

      According to the rules of the competition, the judges randomly allocate the timeslots for each of the computers to the competitors. This means that all of the computers were being attacked simultaneously and there wasn't a great rush for just one of the machines.

      The rules also state that "You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue". It would be interesting to see whether the Ubuntu system was really immune to this exploit after all. However, it is reassuring that it took 7 hours for the system to be hacked. I thought that it would fall a lot faster than that!

    4. Re:Different hardware, different incentive? by LingNoi · · Score: 2, Informative

      If you RTFA you'd realize that the Sony machine running Ubuntu was the most expensive and wasn't cracked.

    5. Re:Different hardware, different incentive? by HappySmileMan · · Score: 1

      It's $20,000, $10,000 and $5,000 for day 1, 2 and 3 respectively...

      If they went after the prettiest laptop instead of the easiest one to hack they could lose $10-15000, so I think this offset a laptop being maybe $100 more expensive.

    6. Re:Different hardware, different incentive? by xenocide2 · · Score: 1

      Sure different hardware. And a much different kind of fame. Would you rather check the email INBOX for Dave the guy who broke Vista SP1, or Dave the guy who broke Ubuntu? The same guy hits twice. He says it should work on Ubuntu. Vulnerability research comes at a price, and there's not as big a market for Linux vulnerability experts, and open source has a lot to do with it. You could write some special stack protection or hack prevention software and try to sell it, but once you demonstrate it works, any of your customers could hire someone to re-implement it in the kernel or compiler or wherever the magic happens. Some groups take a source analysis approach, but they still suffer from the same fundamental manpower problems.

      Imagine he had been able to break a massive system in Ubuntu or Vista, and there were dozens of companies after Ubuntu breakers specifically. Would you still pick Vista because you liked the hardware marginally better? I'd be curious to see how many people signed up to attack each platform. That'd be a much better dataset than this one guy ;)

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  45. Great, round's on me by newr00tic · · Score: 0, Redundant

    You harbor the same good tastes, Sir, and cheers to you too, as well as to the original poster.

    --
    A horse can't be sick, you know, even if he wants to.
  46. Not useless by xant · · Score: 2, Interesting

    It's not useless. It just shows that things are improving at the OS level. I'm not surprised by this.. XP SP2 was a pretty substantial step in this direction, and OS X has made substantial strides as well (not that anybody's noticing). Seems like Vista did in fact improve in this area as well. So yes, if you're talking about the kernel and the stock OS, it's getting harder to compare security, because they are all much more secure than they ever were before.

    So the game has changed. The contest rules here have also changed, to reflect the new game. They built in the day-3 rule changes so that more exploits would be possible, to keep the contest interesting, knowing in advance that hacking the stock OS would be pretty hard.

    It's not just the stock OS security that matters, it's the security of the entire stack, and the software ecosystem it lives in. Give Microsoft and Apple credit for improving their cores, but you can still say Ubuntu has a better stack and ecosystem, and point to the same reasons why: open source, community testing, heterogeneity.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  47. Re:Know this: no one uses linux on desktop, no sof by surfi · · Score: 2, Insightful

    and it's not only people using linux at home, we use it in our company too. some people were not very enthusiastic with the move, but everything works better now and maintenance costs are A LOT lower. no wonder that governments and large enterprises around the world are switching to linux

  48. How's that for fueling religious platform wars? by QuietLagoon · · Score: 1

    Ho-hum....

  49. Re:Know this: no one uses linux on desktop, no sof by spitzak · · Score: 1

    "no one uses Linux on the desktop"

    BZZZT! Wrong. I have proof that at least one person uses Linux on the desktop. Unless maybe I am a figment of your fertile imagination.

  50. Sandbagging? by joetheappleguy · · Score: 2, Insightful

    Same 2 guys win by cracking the same platforms they won on last year.

    I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.

    1. Re:Sandbagging? by pembo13 · · Score: 1

      It was Vista Sp1

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    2. Re:Sandbagging? by pavera · · Score: 1

      wrong, the guys who cracked vista this year cracked OS X last year. They didn't crack the same platforms.

    3. Re:Sandbagging? by plasmacutter · · Score: 1

      If they saved the exploits and didn't report or release them at all (which is in their financial interests) then they would not be patched in SP1

      --
      VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  51. Google tried an alternative by Ambidisastrous · · Score: 1

    Good call. I remember Google trying to do some VLC-based thing to portably embed videos, but eventually giving up and going with Flash for Google Video. Then they realized they were just playing catch-up with YouTube and did the logical thing.

    Which makes it even more disappointing that Ogg Theora didn't make it into the HTML5 spec. There still isn't a good, portable way to do video in a browser without relying on plugins.

    1. Re:Google tried an alternative by skymt · · Score: 1

      Which makes it even more disappointing that Ogg Theora didn't make it into the HTML5 spec. There still isn't a good, portable way to do video in a browser without relying on plugins.
      The <video> element is still in the draft, it just doesn't specify what codecs or container formats should be supported.
  52. Re:Know this: no one uses linux on desktop, no sof by c_forq · · Score: 1

    But No-one trespassed into my house and broke my mom's favorite vase! Surely you don't want us all to break into houses and break stuff!

    --
    Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
  53. WHERE THAT BEER YOU PROMISED!!!!! by gsgriffin · · Score: 1

    It took me the better part of an hour to read through all that, and I was only reading because you mentioned beer at the beginning. Who cares!! Where's my Heineken!!!! This kind of discussion always goes better with beer. At least you can throw your bottle on the ground and have it break to make your point seem to matter. Apple. Crash Different!

    --
    jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
    1. Re:WHERE THAT BEER YOU PROMISED!!!!! by gerddie · · Score: 1

      Where's my Heineken!!!!
      I thought you wanted beer ...? May I suggest a Wernesgrüner or a Radeberger?
    2. Re:WHERE THAT BEER YOU PROMISED!!!!! by gsgriffin · · Score: 1

      This is my only problem with \. They only put up stories about technology that they feel is important. What about the technology behind good lagers and beers?!?! I mean, the real genius is found in cracking hops not MACs. I want to find solutions to hacking the code behind some of the most popular Ale's formulas, not Dlls. This will also diversify our discussion a little more since there are no good beers in America.

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
  54. Re:I don't know about a religious platform war ... by Anonymous Coward · · Score: 0

    Hey man,

    I suggest you download FoxIt Reader (PDF), and set that as your default program for PDFs. Super fast loading.
    Alternately, you can also run Adobe Acrobat 5 (OldApps.com)
    I have yet to encounter a PDF I couldn't open with Acrobat 5.
    [funny, that after installing Acrobat 5, Adobe actually says "Thanks!"
    These days, the SOBs just get pissed off at you for not installing the latest Roomba USB WoodChuck Monitoring System Tray Icon. Assholes]

    As to Elements, I am about 3% into graphics (not my thing), but for that, Paint .NET is GREAT!
    I know, I know... it's from M$. Still, great program.

  55. Re:Let me get this straight by Eunuchswear · · Score: 1

    he laptop isn't insecure
    Oh, I don't know - the apple one probably has a firewire port.
    --
    Watch this Heartland Institute video
  56. Re:Know this: no one uses linux on desktop, no sof by calebt3 · · Score: 1

    I bet it was No-one's sibling Not-me or He-did-it that broke the vase and framed No-one.

  57. Re:I don't know about a religious platform war ... by HappySmileMan · · Score: 1

    As to Elements, I am about 3% into graphics (not my thing), but for that, Paint .NET is GREAT!
    I know, I know... it's from M$. Still, great program.

    It's not from Microsoft, it's an open-source program that's supposed to recreate (and greatly improve) paint.
  58. Re:Let me get this straight by iminplaya · · Score: 1

    For some time now OS of personal computers does not reside in ROM and can be changed to a different one with ease.

    But that's what makes them so insecure... I think that the best way to secure your machine is to put the OS, and your documents on some kind of... plug-in cartridge, if you will.

    --
    What?
  59. Re:Let me get this straight by iminplaya · · Score: 1

    Why would you want a laptop that you know is insecure?

    You can put your weed in there

    --
    What?
  60. Re:I don't know about a religious platform war ... by Kalriath · · Score: 1

    As to Elements, I am about 3% into graphics (not my thing), but for that, Paint .NET is GREAT!
    I know, I know... it's from M$.

    No it's not. It's from Rick Brewster, of dotPDN, LLC.
    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  61. Pints in america are a bit smaller by jscob · · Score: 1

    Well not really, but in most bars if you order a pint of Guinness or any other beer you actually end up with a 12oz glass. It's nice to actually run across a bar that serves actual pints. I've had friends argue that I'm wrong about them being poured a 12oz beer from the tap until I tell them to order a bottle of beer and pour it in the glass. Another trick bars like to do is pour shots into a big shot glass. People are impressed until they realize that the bottom and sides of the shot glass are so thick that they are getting a shorter pour than a 'real' shot glass. As for me, I'll take a bottle of La Fin du Monde if I can't get a pint of Guinness.

    1. Re:Pints in america are a bit smaller by Anonymous Coward · · Score: 0

      Well not really
      Actually, you were right: pints in America are smaller. An American pint is only 80% of a real pint. Probably because American beer is so foul that nobody would want a whole pint of it. (I hear it's even served as cold as possible - again, that has the beneficial effect of suppressing the flavour, which at proper beer temperature, i.e. room temperature, would be absolutely disgusting.)

      No prizes for guessing where I live. ;)
    2. Re:Pints in america are a bit smaller by mollymoo · · Score: 1

      Where do they serve beer at room temperature? Cellar temperature, sure, but room temperature? In summer? Everything tastes like piss when it's at 28 C. Well, except cheapo supermarket 2% bitter, which in normal life is probably about as close to the "warm beer" us Britons used to drink as I've encountered. That's actually no less vile when warm than when cold. Perhaps I'm wrong and you can get delicious ale at refreshingly low strengths somewhere in the world, if so I want to know about it. Once you get up towards 4% it needs to be below room temperature (but never actually cold, of course).

      --
      Chernobyl 'not a wildlife haven' - BBC News
  62. 10 Things to Remember About CanSecWest by DECS · · Score: 2, Insightful

    "The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple "Mac Shot First" headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

    "The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."

    10 Things to Remember About CanSecWest and Software Vulnerabilities

  63. Ubuntu and OS/X also vulnerable to Flash exploit by benjymouse · · Score: 1
    According to Dan Goodin of The Register, reporting from Vancouver: http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

    But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.


    Macaulay was the guy who took home the Vista laptop.

    So, he confirms that it was not a specific Vista vuln, but a generic Flash vuln. To bypass the extra security of IE7 on Vista (protected mode) the vuln has to be in the broker process (a.k.a. the flash "helper" process).
    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  64. The ONLY reason ubuntu won by goombah99 · · Score: 2, Funny

    I note that Windows and Mac can run firefox too. The ONLY reason that ubuntu won is because it can't run Safari, or IE.

    My kid's pretend Leap-frog computer also can't run a browser or even connect to the internet. Clearly it is much safer than ubuntu.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The ONLY reason ubuntu won by fonik · · Score: 2, Informative

      That leapfrog trades a lot of features to gain that security. Since Firefox doesn't sacrifice features... well, yeah, it really IS better.

    2. Re:The ONLY reason ubuntu won by goombah99 · · Score: 1

      That leapfrog trades a lot of features to gain that security. Since Firefox doesn't sacrifice features... well, yeah, it really IS better.

      Well duh, thanks for restating my point. The point is Apple and MS can run firefox too.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  65. Next contest, identical hardware by alispguru · · Score: 1

    And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

    Clearly, then, next year they should eliminate that factor by running the three different OSs on the same hardware. I believe the only platform they could legally use would be Macs. ;-)

    --

    To a Lisp hacker, XML is S-expressions in drag.
  66. Re:Know this: no one uses linux on desktop, no sof by arikol · · Score: 1

    Yeah the Mac is the most desirable and should therefore get the most attention. That said it probably does not surprise anyone that it was accessed through a Safari vulnerability, Safari just isn't good enough.

    It's good to see that Vista isn't all bad (just like seeing the statistic that Nvidia drivers caused 28% of all Vista crashes).
    Personally I prefer the other two OSs anyway (and don't use Safari). MacOS is nice and Ubuntu is reliable, if a little rough around the edges.

  67. False: my 65 year old mother buddy! by plasmacutter · · Score: 1

    Recently after my mother had her umpteenth problem with windows I offered her another solution.

    I didn't tell her it was an alternative OS, didn't include any technical jargon at all. I just said I'm going to try something different this time.

    First comment I got was "it's different", but then I heard a satisfying "but quite usable".

    She has not had a single problem since.

    the linux community welcomes one of its older users : )

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  68. Re:Let me get this straight by ceejayoz · · Score: 1

    It was a Macbook Air, so no, it didn't.

  69. How To Run FireFox in Low(er)-Privilege Mode by snikulin · · Score: 1

    As a user of MSVS2005 I have to run as admin on my Vistax64 workstation (and yes, my programs have to have admin rights too).
    I prefer FireFox to IE7 (mostly because of on-screen search).
    Sure, I don't like to run FF in admin mode, so I have changed all my links to firefox to

    runas.exe /trustlevel:0x#### "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

    On my PC "Basic User" trustlevel is the lowest level (use runas /showtrustlevels to find out your lowest level, in my case it's "Basic User").
    In this mode on my PC FF can not write anything outside of my home folder or chowned folders, e.g. it can't write to root (I can, as Admin).
    I believe IE7's privilege is still lower than the above method.
    But hey, every little helps!

    1. Re:How To Run FireFox in Low(er)-Privilege Mode by Allador · · Score: 1

      Just out of curiosity, why don't you just log into your desktop as non-admin, but then run vs2005 with runas?

  70. Yet another reason not to run Flash by Phil+Urich · · Score: 1

    My subject line says it all, but I'll repeat it again: yet another reason not to run flash. This is why on my 64-bit Kubuntu machine I don't have flash installed on anything other than a 32-bit version of Firefox which I only load when there's sites I absolutely have to use Flash for (like some manufacturer websites such as Linksys). Otherwise I browse with 64-bit, flashless Konqueror.

    --
    I remember sigs. Oh, a simpler time!
  71. Re:Ubuntu and OS/X also vulnerable to Flash exploi by houstonbofh · · Score: 1

    He was trying both the Ubuntu system and the Vista system at the same time. The Ubuntu system stood. Could be because flash runs in less privileged space on Ubuntu than on Vista.

  72. Maybe it was because... by Anonymous Coward · · Score: 0

    1) MacBook air was the most insecure and therefore got broken the quickest
    2) Everyone wanted the laptop running Vista Ultimate and therefore was a bigger target and everyone tried hard to get in
    3) No one was interested in having an Ubuntu based laptop

    LOL :)

  73. Bollocks. by Whiney+Mac+Fanboy · · Score: 1

    Uh-oh, you've linked to roughly drafted - the least credible & most poorly thought through blog around.

    I can't be bothered refuting each of the ten points in the article, I'll just do the first:

    1. Exploits discovered for the Mac have little other value outside of contests like CanSecWest.

    This is complete horse-crap. Zero day exploits for mac have a good deal of value - there may not be many mac users, but a zombied mac is typically far more useful than a zombied windows install due to the unix-like nature of the O/S.

    Please don't link to roughly drafted in future. That blog is an embarrassment.

    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:Bollocks. by DECS · · Score: 1

      Everyone on slashdot knows you are an anti-Apple troll, as both your sig and username suggest.

      Everyone also knows that I'm the author of RoughlyDrafted, as you yourself do despite your disingenuous hypocrisy. Here's something you might not know: pretty much every fan letter I get comes from somebody with a sig suggesting experience, background and an education beyond mine: PhDs, artists, military officers (seem to be well represented). Yet they note appreciation for the facts I put together and the opinions I present based on rational ideas. Sure, readers don't always agree with everything I have to say, and they are free to note their own opinions in my comments.

      I get a few fan letters every day, along with some PayPal donations. I have about 15,000-20,000 unique visitors every day, not because of sensationalist headlines posted to Digg, but because about a third have subscribed to my RSS and read it regularly, a third come from direct links on sites that find it link worthy, and another third comes from Google due to my having lots of external links on my articles. I am not a corporate media site like Wired, Engadget, Gizmodo, or the CNET/ZDnet blogs, and I'm not a blurb aggregator. I write original content in a long form that visitors spend a significant amount of time reading.

      The only people who really take any issue with any of the things I've written are anonymous cowards such as yourself and the vast diggtard horde of mouth breathing, profanity laced, name calling group thinkers who assail me for various things, including exposing the misleading sales numbers of the Xbox 360 (unit sales were down roughly 30% year over year in 2007; nobody dare say it except for me) and outing the historical revisionism Windows Enthusiasts are working to write into Wikipedia articles.

      It is impossible for me to be offended by your insults, because you have already positioned yourself among these morons with your emotionalist claptrap. There isn't much you could say that would penetrate the jail of intellectual contempt I have created around you to encase your raving bullshit.

      As for your lone attempt to present a real argument, please let us know where the market for Mac viruses and exploits is, and who is going to make any money off that. Also, please fill us in on what you think it means to be a zombie, because a zombie process has nothing to do with being part of a Windows botnet.

      On second thought, just keep quiet as we've heard enough ignorance from you already.

      CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security

    2. Re:Bollocks. by Whiney+Mac+Fanboy · · Score: 1

      Everyone also knows that I'm the author of RoughlyDrafted,

      Jeepers - are you? And you admit it? In public?

      please let us know where the market for Mac viruses and exploits is,

      Well, there's a Safari exploit being auctioned right now.

      But really, the vast majority of exploits to hit OS X won't be OS X specific - but belong to other projects, like Apache, SSH, Samba, etc. This is because OS X sensibly uses open source to do all its heavy lifting security wise.

      Also, please fill us in on what you think it means to be a zombie, because a zombie process has nothing to do with being part of a Windows botnet.

      You're a dumbass.

      Admittedly, (presumably) you're an OS X user, so you're less likely to have experience with zombies, but you'd think you'd at least do a simple google search before attempting to correct someone.

      --
      There are shills on slashdot. Apparently, I'm one of them.
  74. Re:I don't know about a religious platform war ... by Anonymous Coward · · Score: 0

    Foxit reader, bloody fast PDF reader on windows, great for internet usage since it starts up so fast.

  75. Re:Ubuntu and OS/X also vulnerable to Flash exploi by benjymouse · · Score: 1

    Wrong. It is the other way around. Flash runs in a less privileged space on Vista. Please check your facts instead of just assuming.

    On Vista, IE and all plugins (ActiveX) run as a low privileged user account which does not have access to write anywhere except for a secluded cache. On Ubuntu FF and all of its plugins run under the user account which launched Firefox; which means *you*. If anything, Ubuntu is *less* secure in this regard.

    If you read the article I linked to at The Register you will note that the winner said that he would have been able to pull this off on any of the operating systems. Ubuntu (nor OS/X) is in no way immune to this attack.

    Now, how did he pull it off? Because Adobe/Macromedia in their wisdom decided they needed escalated privileges (I really don't know for what reason) for some tasks. Because the plugin cannot break out by itself they designed a "broker process" which runs as the currently logged on user. This process talks to the browser plugin and performs privileged tasks on behalf of the plugin. The vuln this guy found was in this broker process.

    Adobe is the culprit here. Flash is a POS, securitywise. Check secunia, virtually *all* of the vulns have been "critical" and virtually *all* of them have been multi platform.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
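The comment above describes a low-privileged plugin that can only write to a secluded cache and a broker that acts for it with the user's rights, which makes the broker's request checking the trust boundary. The sketch below is an added illustration of that checking, not code from the thread or from Adobe; `CacheBroker`, its methods, the size limit and the sample requests are all hypothetical.

```python
import os
import tempfile

class BrokerDenied(Exception):
    """The broker refused a request from the low-privileged side."""

class CacheBroker:
    """Hypothetical broker: runs as the logged-on user and writes files for a
    sandboxed plugin, but only inside one cache directory."""
    MAX_BYTES = 1 << 20  # assumed per-request size limit

    def __init__(self, cache_dir):
        self.cache_dir = os.path.realpath(cache_dir)  # canonical form, once

    def _resolve(self, name):
        # The name comes from the untrusted side: canonicalise (this also
        # follows symlinks), then require the result to stay under the cache.
        target = os.path.realpath(os.path.join(self.cache_dir, name))
        if os.path.commonpath([self.cache_dir, target]) != self.cache_dir:
            raise BrokerDenied(f"outside cache: {name!r}")
        if target == self.cache_dir:
            raise BrokerDenied("no file name given")
        return target

    def handle_write(self, name, data):
        if not isinstance(data, bytes) or len(data) > self.MAX_BYTES:
            raise BrokerDenied("bad payload")
        target = self._resolve(name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        return target

def demo():
    """Send constructed requests to the broker; return {label: allowed}."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.mkdir(cache)
        broker = CacheBroker(cache)
        requests = {"plain": "movie.tmp", "subdir": "sub/state.bin",
                    "dotdot": "../outside.txt",
                    "absolute": os.path.join(root, "abs.txt"), "empty": ""}
        results = {}
        for label, name in requests.items():
            try:
                broker.handle_write(name, b"constructed sample data")
                results[label] = True
            except BrokerDenied:
                results[label] = False
        return results
```

The check-then-open sequence still leaves a window if the low-privileged side can create symlinks inside the cache between the two steps, so a production broker would open the file relative to a directory handle rather than by path.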
  76. up above, somebody mentioned a helper process by reiisi · · Score: 1

    which runs at elevated levels or something.

    macromedia (now adobe) not willing to play by the rules.

    Whether the rules are appropriate or not is another discussion ...

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  77. nobody less secure than random user? by reiisi · · Score: 1

    Ouch. My head hurts.

    But, possibly so, depending on what else runs as nobody on your system.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  78. known exploits by reiisi · · Score: 1

    I think there was something in the rules about not using known exploits.

    Which sort of bugs me, because it means they basically found the exploit some time ago and sat on it.

    Also, I'd like to see the first day repeated with known exploits allowed.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  79. Is it too late to say mod parent up? by reiisi · · Score: 1

    the result is "MacOS X - not secure; Windows Vista - not secure; Ubuntu Linux - no result".
    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  80. You could also call it a test of greyhat skills. by reiisi · · Score: 1

    :-/

    --
    they want me to say something

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  81. Walk around the wall and there's nothing. by reiisi · · Score: 1

    heh.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  82. What? the half-biba is implemented in ie7? by reiisi · · Score: 1

    har.

    And you get mod points for this.

    I assume you've read about the helper app at this point?

    Walled gardens, indeed. Like I said yesterday, they are a "good" place for date rape, if you are into that kind of thing. And for being spied on by your date's little brother or the butler or random passersby.

    (No, Linux is only a little more effective in the present iteration, not significantly.)

    I have to say, though, I'm wondering if it was the helper app, because that ought to have been considered a known vulnerability.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  83. ms9x not baggage? by reiisi · · Score: 1

    What are you saying?

    You want to depend on somehow magically detecting admin operations?

    Are you saying that my Fedora box doesn't prompt me for the root password when I try to start up the logical volume manager as a non-root user? Or the Mac doesn't prompt me for an admin username/password when I try to update the OS or write to a directory I don't have permissions for (even if I'm running as an admin user)?

    (Well, I'd sure like the Fedora box to prompt me for an admin password instead of root. Maybe in FC 9.)

    Am I misunderstanding you?

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  84. I'm trying to remember. by reiisi · · Score: 1

    What version of IE runs on NT3?

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  85. Flash or Java? by Anonymous Coward · · Score: 0

    Anyone know why CIO is reporting that Java was the cause of the problem, not Flash? http://www.cio.com/article/324313/With_Vista_Breached_Linux_Unbeaten_in_Hacking_Contest

  86. Re:Ubuntu and OS/X also vulnerable to Flash exploi by mhall119 · · Score: 1

    The Register you will note that the winner said that he would have been able to pull this off on any of the operating systems. Ubuntu (nor OS/X) is in no way immune to this attack. Now, how did he pull it off? Because Adobe/Macromedia in their wisdom decided they needed escalated privileges (I really don't know for what reason) for some tasks. Because the plugin cannot break out by itself they designed a "broker process" which runs as the currently logged on user. This process talks to the browser plugin and performs privileged tasks on behalf of the plugin.

    Does the Linux version of Flash require such a "broker process"? Since, as you mentioned earlier, Firefox on Linux already runs with full user permissions, perhaps there is no broker process to exploit. Also, it may be that the exploit used the broker process to pass unsanitized commands to the Win32 layer, where the actual vulnerability existed, in which case the hacker would have to find a comparable vulnerability somewhere else in Linux where a user process can gain extra privileges.
    --
    http://www.mhall119.com
  87. Of course! by LinuxLlama · · Score: 1

    It's common knowledge that Linux is more secure than most other operating systems. If you are a normal user on Windows, you have no rights. It's pointless. But on Linux, you can be a normal user and still do a lot of stuff.

  88. Re:Ubuntu and OS/X also vulnerable to Flash exploi by houstonbofh · · Score: 1

    First, it is tough to check the Vista facts as: 1) I don't have a copy, and 2) Microsoft doesn't document the inner workings of security.

    If you read the article I linked to at The Register you will note that the winner said that he would have been able to pull this off on any of the operating systems.

    I did read it. And I have a 12 inch cock. I said it, so it must be true. I am not saying Ubuntu is the be-all end-all of security. Just that it stood while Vista fell.

  89. Re:I don't know about a religious platform war ... by Walter+Carver · · Score: 1

    If you are running Windows get Foxit Reader. It's as fast as Notepad. If you are on Linux, xpdf is very fast too.