Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

Newsworthy?

[MisterFuRR]

I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

Re:Newsworthy?

[call-me-kenneth]

Hint: script kiddies don't tend to have 0day in the real world.

Re:Newsworthy?

[try_anything]

To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here).

Users follow the normal path of least resistance established by the platform. Users' first tendency is to use the apps that are installed by default, which means mostly open-source apps on Linux and closed-source apps on Windows. When an appropriate application isn't installed, consumer-targeted Linux distributions help steer users toward good open-source applications. Under Windows, you usually end up installing a closed-source application suggested by a web site. Windows application security depends not just on closed-source software but on users' ability to evaluate the credibility of web sites and spot spoofed web sites (like the ones used for phishing, but used for distributing malware instead). Under Linux, those skills are still important, but since the normal method of installing software is to download packages maintained by the distribution, users will be more likely to pay special attention when installing software from other sources.

In sum, what this means is that Windows systems depend heavily on closed-source software and the judgment of individual users, both of which are less secure than the community-oriented "more eyes" approach taken by open-source Linux distributions.

What did you expect?

[lilomar]

So Linux is more secure than Windows? What else is new?

Re:Popcorn anyone?

[call-me-kenneth]

What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)

1 day later.

[Lulfas]

Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.

I don't know about a religious platform war ....

[LaughingCoder]

... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.

Re:Know this: no one uses linux on desktop, no sof

[ricegf]

Know this: no one uses linux on desktop,

The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

Well, anyway, sorry to have fed the troll.

Re:Popcorn anyone?

[SpzToid]

I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.

Re:Something is Fishy

[Rary]

This says absolutely nothing about Vista security.

Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

Re:Let me get this straight

[Divebus]

The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000 Cue the trolls: "See? Macs ARE more expensive!"

Re:Something is Fishy

[ThinkFr33ly]

Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.

See the following: background info, and most of this post deals with UAC.

Re:Hey!

[morethanapapercert]

Errr. know of any site using Flash for something useful?*

*Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars

Re:Something is Fishy

[david_thornley]

Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.

Re:Software sucks.

What's so dumb about pointing out the pathetic state of software security and the incompetence of programmers?

Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?

I guess comments like yours explain exactly why our software sucks.

Re:Something is Fishy

[recoiledsnake]

I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit. UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux(default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash(or in Firefox) from shitting all over your user directory?

UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as a admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can your provide some references for how windows not properly com

Contrast that to IE7 on Vista. Read this . It's in part a implemtation of the Biba security model . So a similar vulnerability in IE7 or any of its plugins(including Flash) will only be able work in sandbox that prevents access to anything but low risk files like temporary internet files.

From the linked article:

Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7s Protected Mode leverage's Windows Vistas UAC, MIC and UIPI features to boost browser security. In IE7s Protected Modewhich is the default in other than the Trusted security zonethe IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari/ OR it must have been run on IE7 and broken through the sandbox(quite possible, but the news shouldn't be about not only a exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.

My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door. I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.

Re:Software sucks.

[robo_mojo]

While flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.

Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.

Software will suck as long as speed is more important than correctness.