Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
It depends what kind of exploit that was.
I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize Flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- set up to spur stupid religious wars.
So Linux is more secure than Windows? What else is new?
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)
Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.
... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.
The more you regulate a company, the worse its products become.
The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)
Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".
And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)
Well, anyway, sorry to have fed the troll.
I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).
So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.
You can't be ahead of the curve, if you're stuck in a loop.
Really? So this must be some magical post I'm making ...
I agree, which is why I don't "do" Windows.
I use linux at home, and linux + bsd at work.
My sister switched to an iMac, and "once you go mac, you never go back."
People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...
Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.
No, trying to hack only the most desirable one would be dumb, seeing as how either of the other two are worth quite a bit on their own, and there's a rather substantial cash price in it for you as well. This gets repeated constantly, and people *still* bring the same goddamn stupid point up. No wonder you're posting as AC tbh.
Nobody expects the British Columbia Human Rights Tribunal.
No-one uses Linux, and No-one is perfect. So we should try to follow in No-one's footsteps.
Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Proof that we're getting too old for Slashdot.
Get these n00bs off my lawn!
-Billco, Fnarg.com
At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.
Most of the stuff on
-JD
Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.
See the following: background info, and most of this post deals with UAC.
*Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What's so dumb about pointing out the pathetic state of software security and the incompetence of programmers?
Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?
I guess comments like yours explain exactly why our software sucks.
And it's not only people using Linux at home; we use it in our company too. Some people were not very enthusiastic with the move, but everything works better now and maintenance costs are A LOT lower. No wonder that governments and large enterprises around the world are switching to Linux.
It's been in there since the beginning of Vista. It's part of UAC.
Same 2 guys win by cracking the same platforms they won on last year.
I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.
What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux (default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in Flash (or in Firefox) from shitting all over your user directory?
UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.
UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com
Contrast that to IE7 on Vista. Read this. It's in part an implementation of the Biba security model. So a similar vulnerability in IE7 or any of its plugins (including Flash) will only be able to work in a sandbox that prevents access to anything but low risk files like temporary internet files.
From the linked article: Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7's Protected Mode leverages Windows Vista's UAC, MIC and UIPI features to boost browser security. In IE7's Protected Mode -- which is the default in other than the Trusted security zone -- the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.
So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari/ OR it must have been run on IE7 and broken through the sandbox (quite possible, but the news shouldn't be about not only an exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.
My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door. I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.
This space for rent.
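A minimal model of the integrity-level check that the article quoted above describes, added here as an illustration; it is not code from the thread or from Windows, and the paths, user name and owner-only DAC rule are constructed simplifications. It also shows that the default label policy blocks only writes, so a Low process can still read the user's Medium files unless an object carries a no-read-up policy.

```python
from dataclasses import dataclass
from enum import Flag, IntEnum, auto

class Level(IntEnum):          # integrity levels, lowest to highest
    LOW = 1
    MEDIUM = 2
    HIGH = 3

class Policy(Flag):            # per-object mandatory label policy
    NO_WRITE_UP = auto()
    NO_READ_UP = auto()

@dataclass(frozen=True)
class Obj:
    path: str
    owner: str
    level: Level = Level.MEDIUM           # unlabeled objects count as Medium
    policy: Policy = Policy.NO_WRITE_UP   # default policy: block writes only

@dataclass(frozen=True)
class Process:
    name: str
    user: str
    level: Level

def allowed(proc: Process, obj: Obj, access: str) -> bool:
    """access is 'read' or 'write'; the integrity check runs before DAC."""
    if proc.level < obj.level:
        if access == "write" and Policy.NO_WRITE_UP in obj.policy:
            return False
        if access == "read" and Policy.NO_READ_UP in obj.policy:
            return False
    return proc.user == obj.owner         # simplified DAC: owner only

# Constructed sample objects and processes (not taken from the thread).
docs = Obj(r"C:\Users\alice\Documents\taxes.xls", "alice")
cache = Obj(r"C:\Users\alice\Temporary Internet Files\Low\a.swf", "alice", Level.LOW)
vault = Obj(r"C:\Users\alice\vault.db", "alice",
            policy=Policy.NO_WRITE_UP | Policy.NO_READ_UP)
ie_protected = Process("iexplore.exe (Protected Mode)", "alice", Level.LOW)
firefox = Process("firefox.exe (no low-integrity mode)", "alice", Level.MEDIUM)

if __name__ == "__main__":
    for proc in (ie_protected, firefox):
        for obj in (docs, cache, vault):
            for access in ("read", "write"):
                verdict = "allow" if allowed(proc, obj, access) else "deny"
                print(f"{proc.name:38} {access:5} {obj.path:52} {verdict}")
```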
What are you talking about? Browsers and their plugins have access to everything. Do something as simple as post a picture in myspace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser. How is this limiting browser access to the temp directory? If a simple scriptlet can do that, it's not like you say. Anyone who has ever used Internet Explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry. One could exploit that to create a faux driver and do malicious activity with it.
"The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple "Mac Shot First" headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.
"The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."
10 Things to Remember About CanSecWest and Software Vulnerabilities
Actually, I'd say you've got it backwards.
On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.
But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, it's running as a user process that has almost zero ability to write or read anywhere on the file system.
Which makes me wonder if this attack was via Flash on Firefox, which would be much more vulnerable to this type of disclosure attack than Flash on IE (as long as the site wasn't in Trusted Sites on the IE).
Now mind you, some of the mandatory access control packages on linux systems can strongly mitigate this, much like IE7 on Vista. I can't say whether these would apply to Firefox, say, on a typical Linux distro though.
Didn't think so..
While Flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.
Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.
Software will suck as long as speed is more important than correctness.