Slashdot Mirror


Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


  1. What kind of exploit? by Anonymous Coward · · Score: 2, Insightful


    "Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"


    It depends what kind of exploit that was.

    1. Re:What kind of exploit? by kesuki · · Score: 3, Interesting

      Well, Firefox updating the day before a hacking contest would indeed make the Ubuntu platform (the only one where Firefox is default) the most secure, but one would think that if Firefox is going to play that way, that Microsoft would release any patches they had in development the day before too, to be on the same playing field.

      The fact that Apple got cracked first, and presumably in a Safari exploit, shows that Apple does not have the kind of security resources that either Firefox (supported by AOL and Google) or Microsoft can bring to a competition. Since the Microsoft Vista system was taken out by an Adobe vulnerability, and I often hear of Adobe products having security holes, they might be in the same kind of boat as Apple when it comes to releasing security patches.

    2. Re:What kind of exploit? by kesuki · · Score: 4, Informative

      I realize this is Slashdot, so for those who didn't read TFA: the contest was to, in a 30-minute attack slot, read the contents of a specific file in a specific folder. Each day different exploits could be tested, but only popular software that is normally installed counted.

      Day one was pure network attacks; nobody got in on day one. Day 2 was email and URL-based attacks. Only the Mac got won on day 2. On day 3 you could add non-default but popular software from a list (couldn't find the list anywhere on the net, sigh) and Adobe Flash was vulnerable, so the Vista machine got taken.

      Ubuntu held up for all 3 days, but because only popular and default software could be added, this could bring a false sense of security. There are many ways to 'design' a supposedly open source software package on, say, sourceforge.net but to have a compromised binary that was made with slightly altered source code... to get a trojan on a Linux system. Repositories tend to be fairly well monitored, but there have been times where applications that are trojans have gotten into widely used repositories. As far as I can tell, SourceForge has no real method for testing if software contains trojans or not, so it's purely up to the community that uses SourceForge to report bad software, etc. I imagine that Freshmeat is the same, and many, many Linux users use SourceForge or Freshmeat to find specific Linux applications they need or want...

      Maybe there aren't enough Linux users yet to make this a huge issue, but with Microsoft's brand image going south (kinda the way IBM's did in the 90s) Linux is sure to be finding more and more people who would rather deal with OSS than with Bill Gates.

    3. Re:What kind of exploit? by Allador · · Score: 2, Insightful

      The interesting thing here is that if the Flash vuln was running on IE, it should have been ineffective against the OS, unless somehow the Flash executable somehow creates an escalation vulnerability in the OS (which obviously is silly).

      I wonder if Flash was attacked via Firefox, or in some other fashion. Through IE, running as a non-admin and with the IE7 on Vista sandboxing, any vuln in flash should have been pretty useless in owning the OS.

      I wish there were more details posted.

      Also interesting that the folks who took down the Vista box said it's a couple hours of work from this being effective against OSX and Linux as well.

  2. Popcorn anyone? by cizoozic · · Score: 5, Funny

    "How's that for fueling religious platform wars?"
    Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!
    1. Re:Popcorn anyone? by garett_spencley · · Score: 4, Funny

      "Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

      What kind ?

      And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!

    2. Re:Popcorn anyone? by nofrak · · Score: 2, Interesting

      To celebrate the winner, may I suggest free beer?

    3. Re:Popcorn anyone? by call-me-kenneth · · Score: 5, Insightful

      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)

    4. Re:Popcorn anyone? by tzot · · Score: 5, Funny

      (What kind of beer?) And if you say a light North American lager [snip]
      He said he'd bring the beers, not that he would make love in a canoe ;)
      --
      I speak England very best
    5. Re:Popcorn anyone? by MikeDX · · Score: 4, Informative

      How on earth is this offtopic?

      The Monty Python joke goes along the lines of, "This lager is like making love in a canoe - it's fucking close to water"

    6. Re:Popcorn anyone? by SpzToid · · Score: 3, Insightful

      I am not a software engineer or hacker, but from what I understand, while it may be likely the vulnerability exists across platforms, typically it is the Microsoft box that often allows elevated access, once the Flash exploit has been used. This isn't so easy to manage for a hacker, with the *nixes, (which includes OSX).

      So by not using Windows, users are made more secure by not being such a targeted pool in the first place, (as influenced by marketshare). But the design of the OS helps too.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    7. Re:Popcorn anyone? by Zero__Kelvin · · Score: 4, Informative

      "What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
      It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

      The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely beside the point if Flash is flawed in the same way, though there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Popcorn anyone? by domatic · · Score: 2, Informative

      Ubuntu 8.04 will include AppArmor by default. I don't know how much of a difference it will make in a pressure cooker like a hacking competition though.

    9. Re:Popcorn anyone? by phantomfive · · Score: 4, Funny

      There's no religious war here. Ubuntu is clearly the best.

      --
      Qxe4
    10. Re:Popcorn anyone? by Almahtar · · Score: 4, Funny

      No. You make the pop. That is your role, and you will accept it.

    11. Re:Popcorn anyone? by VertigoAce · · Score: 4, Informative

      Actually, IE on Vista runs with fewer permissions than a normal User account by default. It runs as a low-integrity process. This means that it loses access to most of the user's files (it has access to things like the temp directory for storing cookies, cache, etc.). See MSDN for details.

    12. Re:Popcorn anyone? by catmistake · · Score: 2, Interesting

      Like I keep saying, Adobe is the new Microsoft. I call Flash the third great scourge of the internets, after spam and malware/virii. Flash needs to be reined in before it turns every site into a blinking, broken monstrosity. I'm rooting for our hero Ajax to quell the desire to overuse such ugly, proprietary technology. I'd rather view unformatted txt pages than give up processor cycles to this decadent and invasive POS.

    13. Re:Popcorn anyone? by Cheerio+Boy · · Score: 2, Funny

      Proof that we're getting too old for Slashdot. Get these n00bs off my lawn! You must be new here.
      --

      "Bah!" - Dogbert
    14. Re:Popcorn anyone? by dpilot · · Score: 4, Funny

      Clearly the way to rein in Flash is with Silverlight, then.

      This thread IS for religious wars, isn't it?

      --
      The living have better things to do than to continue hating the dead.
    15. Re:Popcorn anyone? by YaroMan86 · · Score: 2, Informative

      Actually, AppArmor was included by default in 7.10.

    16. Re:Popcorn anyone? by doxology · · Score: 2, Informative

      8.04 will include SELinux, I think... AppArmor is already available afaict.

      --
      sigfault. core dumped.
    17. Re:Popcorn anyone? by drsmithy · · Score: 4, Informative

      Well on Windows, sandboxing of permissions is different. There might still be the exploit but the level of vulnerability would most likely be higher on a Windows system as a result of IE running at a SYSTEM level permission rather than a USER level like in Mac or Linux. Change to a different browser like Firefox on Windows and you will be safer.

      IE does not, and never has, run as SYSTEM. Prior to Vista it runs as the user who starts it. In Vista it runs with privileges lower than a regular user.

      I realise Slashdot is as anti-Microsoft as they come, but it's still surprising to see the same FUD about IE still being spewed 10+ years after it was shown to be false.

    18. Re:Popcorn anyone? by nuOpus · · Score: 2, Insightful

      What are you talking about? Browsers and their plugins have access to everything. Do something as simple as post a picture in myspace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser. How is this limiting browser access to the temp directory? If a simple scriptlet can do that, it's not like you say. Anyone who has ever used Internet Explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry. One could exploit that to create a faux driver and do malicious activity with it.

    19. Re:Popcorn anyone? by drsmithy · · Score: 4, Informative

      So, prior to Vista, when it ran as the user who starts it, given that over 90% of the cases the default user has complete and unlimited access to the system files, how is running as user different from running as SYSTEM? (And, yes, I pull that "90%" figure out of my arse---but I'll bet it's higher.)

      Firstly, because SYSTEM and Administrator have different privilege levels.

      Secondly, because there is a vast gulf of difference between the statements "IE runs as SYSTEM" and "IE runs as the user, which is sometimes Administrator, and I think that Administrator and SYSTEM are the same". One is a (serious) architectural problem, the other is an end-user configuration problem. Trying to say they are equivalent is at best ignorance and at worst lying.

      Finally, while most home systems would certainly be running users as Administrator, most managed corporate systems would not. 90% is a ridiculous over-estimate of how many XP systems only have "Administrator" users.

    20. Re:Popcorn anyone? by Allador · · Score: 2, Insightful

      Actually, I'd say you've got it backwards.

      On a typical Linux distro, the web browser runs as the same user/privs as the person using the desktop, so anything that can cause the browser or browser-plugin to reach outside of the app's sandbox can quite easily read/write to anything on the box that the desktop user can read/write to/from. Same for WinXP.

      But on Vista using IE7, this is very much not the case. Even if you completely pwn the browser, it's running as a user process that has almost zero ability to write or read anywhere on the file system.

      Which makes me wonder if this attack was via Flash on Firefox, which would be much more vulnerable to this type of disclosure attack than Flash on IE (as long as the site wasn't in Trusted Sites on the IE).

      Now mind you, some of the mandatory access control packages on linux systems can strongly mitigate this, much like IE7 on Vista. I can't say whether these would apply to Firefox, say, on a typical Linux distro though.

    21. Re:Popcorn anyone? by Allador · · Score: 3, Informative
      The level of ignorance about the technical underpinnings of Windows on /. is appalling.

      "Browsers and their plugins have access to everything."
      Incorrect. Browsers and their plugins have access to whatever security account they are being run as. Typically that's a non-priv'd user using the desktop. This means read access to most of the OS and write access to their profile area and some common temp areas. Pretty much like any other mainstream OS in fact.

      "Do something as simple as post a picture in myspace and you will see that it has access to let you browse the entire system to find your picture. Any number of sites will let you browse for files through said browser."
      That's because YOU (i.e., the account of the person who launched the browser) has access to read most of the file system. Note that this isn't some magical ActiveX control that is installed by the browser. A file-browser with upload capability is built into every browser.

      "If a simple scriptlet can do that, its not like you say."
      This isn't the behavior of a scriptlet, it's functionality built into the browser.

      "Anyone who has ever used Internet explorer to install a printer through IIS will tell you it happens. I connect to the web page at my work, and IE lets me not only connect, but it also downloads and installs print drivers. Something like that has access to system areas and even registry."
      Again, only if you have permission to install that printer in the first place. This is no different than the 'click n print' functionality you use all the time in a domain. Type \\servername\ into explorer, then double click one of the printers there.

      And this only works if the server in question is in your Trusted Sites or Intranet Sites in IE.

      Non-admin users installing printer drivers is something that is controllable via AD and Group Policy. If you set it, it loosens up acls and privs in a very specific and limited part of the system that lets non-admin users install printers.

      This isn't rocket science or magic.

      "One could exploit that to create a faux driver and do malicious activity with it."
      Only if several things line up together:

      1. The server who hosts this printer driver is in your IE's Trusted Locations or Intranet Locations.

      2. The configuration to let non-admin users install printer drivers is set on your machine.

      3. There is a hole big enough within the security loosening from #2 to do anything interesting with to own the OS.

    22. Re:Popcorn anyone? by Allador · · Score: 3, Informative

      Well how about instead of making silly statements like this, you go read the documentation on IE7 protected mode. It quite thoroughly answers your question.

      I'll even be nice and give you some of the information.

      There are special cache locations in the registry and user profile called 'Low' that are the only places readable/writeable by IE7 in protected mode.

      I did mis-speak in one sense in my post .... protected mode primarily restricts the browser process from WRITING to almost everywhere. I don't believe it restricts reading any more than the regular user account that it's run under has rights to.
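
The read-versus-write distinction debated in the comments above can be modelled with a simplified Python sketch of how Windows evaluates a mandatory integrity label before the DACL. This is an added example, not part of any poster's comment and not Microsoft's code. The user name, paths and ACLs are constructed sample data, and the model ignores deny ACEs, privileges and the broker process.

```python
from dataclasses import dataclass
from enum import IntEnum, IntFlag
from typing import Optional


class Integrity(IntEnum):
    """RID of the mandatory label SID S-1-16-<rid>."""
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


class LabelPolicy(IntFlag):
    """Mask bits carried by a SYSTEM_MANDATORY_LABEL_ACE."""
    NO_WRITE_UP = 0x1
    NO_READ_UP = 0x2
    NO_EXECUTE_UP = 0x4


POLICY_FOR_RIGHT = {
    "read": LabelPolicy.NO_READ_UP,
    "write": LabelPolicy.NO_WRITE_UP,
    "execute": LabelPolicy.NO_EXECUTE_UP,
}


@dataclass
class Token:
    user: str
    groups: frozenset
    integrity: Integrity


@dataclass
class FileObject:
    path: str
    dacl: dict                         # principal -> set of granted rights
    label: Optional[Integrity] = None  # None = no label ACE on the object
    policy: LabelPolicy = LabelPolicy.NO_WRITE_UP


def access_check(token, obj, right):
    """Return (allowed, reason); the integrity check runs before the DACL."""
    # An object with no label ACE is treated as Medium with NO_WRITE_UP.
    level = obj.label if obj.label is not None else Integrity.MEDIUM
    if token.integrity < level and obj.policy & POLICY_FOR_RIGHT[right]:
        return False, "integrity"
    principals = {token.user} | set(token.groups)
    if any(right in obj.dacl.get(p, ()) for p in principals):
        return True, "granted"
    return False, "dacl"


# --- Constructed sample data (not taken from the contest machines) ---
# Same user, two tokens: the desktop session and a protected-mode browser.
DESKTOP = Token("alice", frozenset({"Users"}), Integrity.MEDIUM)
BROWSER = Token("alice", frozenset({"Users"}), Integrity.LOW)

RW = {"read", "write"}
FILES = {
    # Ordinary user file: no label ACE, so Medium / NO_WRITE_UP applies.
    "document": FileObject(r"C:\Users\alice\Documents\notes.txt", {"alice": RW}),
    # Location explicitly labelled Low for the sandboxed process.
    "low_cache": FileObject(r"C:\Users\alice\AppData\LocalLow\cache.dat",
                            {"alice": RW}, label=Integrity.LOW),
    # File whose label also sets NO_READ_UP (must be set explicitly).
    "no_read_up": FileObject(r"C:\Users\alice\Documents\sealed.txt",
                             {"alice": RW}, label=Integrity.MEDIUM,
                             policy=LabelPolicy.NO_WRITE_UP | LabelPolicy.NO_READ_UP),
    # File the user's DACL does not grant at all.
    "admin_only": FileObject(r"C:\AdminOnly\secret.txt", {"Administrators": RW}),
}


def decision_matrix():
    """Outcome of every (token, file, right) combination in the sample data."""
    tokens = {"desktop": DESKTOP, "browser": BROWSER}
    return {
        (tname, fname, right): access_check(tok, fobj, right)
        for tname, tok in tokens.items()
        for fname, fobj in FILES.items()
        for right in ("read", "write")
    }


if __name__ == "__main__":
    for key, (allowed, reason) in sorted(decision_matrix().items()):
        print(key, "ALLOW" if allowed else "DENY", reason)
```

In this model the low-integrity token is stopped from writing the user's files but not from reading them unless the object's label sets NO_READ_UP, so whether the contest file was readable depends on its label and DACL, which the thread notes were not published.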

    23. Re:Popcorn anyone? by novakyu · · Score: 2, Interesting

      "Firstly, because SYSTEM and Administrator have different privilege levels."
      To me, that makes as much difference as between kernel-level access and userland access.

      That is, not a whole lot, as long as all you are trying to do is own the system or otherwise do malicious things to it. If you were a virus/trojan writer, would you ever hit yourself on the forehead saying, "Damn, this Administrator access isn't good enough. I need SYSTEM access to totally own this system"?*

      The truth is, at least before Vista (I wouldn't know about Vista since I never used it), Windows' security model was broken. No security model where the default user (as pointed out by my sibling poster) runs as superuser ever is.

      * On the other hand, if you are trying to install a rootkit, then you might need kernel-level access. But once you have superuser access, such things are fairly easy to do---modifying the kernel in memory may not be completely safe, but it's been done before.
    24. Re:Popcorn anyone? by xenocide2 · · Score: 3, Interesting
      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

    25. Re:Popcorn anyone? by jcast · · Score: 2, Informative

      But I don't know *why* I can't do this with GUI applications. And there may be a good reason, so I don't want to push.

      Permitting a program to connect to the X server is a pretty big statement of trust, since it has to have at least the same level of permissions the window manager does. So it's fairly carefully controlled. There are ways of making su work, which hail from back when you used telnet to do remote login and your GUI apps connected directly back to a public TCP/IP port on your terminal to get at the X server, but they're obsolete. These days, the fastest way to do what you want is to substitute ssh for su.

      --
      There are reasons why democracy does not work nearly as well as capitalism.
      -- David D. Friedman
  3. Software sucks. by Anonymous Coward · · Score: 5, Interesting

    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!

    1. Re:Software sucks. by Anonymous Coward · · Score: 3, Insightful

      What's so dumb about pointing out the pathetic state of software security and the incompetence of programmers?

      Okay, let's have an explanation... why *is* it possible to do any damage at all with Flash?

      I guess comments like yours explain exactly why our software sucks.

    2. Re:Software sucks. by daeg · · Score: 2, Informative

      Flash does more than just paint - it (unfortunately) can upload files, attach to USB devices (webcams), etc.

    3. Re:Software sucks. by robo_mojo · · Score: 3, Insightful

      While flash only "paints to the screen", it shares memory with the browser, and it can make system calls like any other application, so even a small bug can be dangerous.

      Bugs like buffer overflows, the uber-exploits anyone can use to run code on your machine.

      Software will suck as long as speed is more important than correctness.

  4. Hey! by spectrokid · · Score: 4, Funny

    it was Adobe's fault, not Microsoft! Let's all switch to Silverlight and we will be OK!!!!

    --

    10 ?"Hello World" life was simple then

    1. Re:Hey! by calebt3 · · Score: 5, Informative

      "I don't see why the test includes third party software."
      Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.
    2. Re:Hey! by morethanapapercert · · Score: 4, Insightful
      Errr. know of any site using Flash for something useful?*

      *Useful to me; not to advertisers or corporate web designers who think interrupting the flow of my surfing and irritating the hell out of me are good ways to earn my shopping dollars

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  5. Newsworthy? by MisterFuRR · · Score: 4, Insightful

    I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.

    1. Re:Newsworthy? by call-me-kenneth · · Score: 5, Insightful

      Hint: script kiddies don't tend to have 0day in the real world.

    2. Re:Newsworthy? by tolan-b · · Score: 3, Informative

      They created their own exploits.

    3. Re:Newsworthy? by kripkenstein · · Score: 5, Informative

      "I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars."
      Hmm, I disagree.

      First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

      Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

      I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).
    4. Re:Newsworthy? by Anonymous Coward · · Score: 5, Funny

      "In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux."
      Yeah, they're open source and of dubious quality.
    5. Re:Newsworthy? by gbickford · · Score: 2, Insightful

      This small focus group of participators are not script kiddies. They publicly represent the people that do not want a public representation and do not want their unknown exploits exposed to the public eye for the mere price of a laptop or even a $10,000USD cash prize. The lurkers want bot nets and relay servers. The unseen want to be able to bend the entire internet. This information is only worth money if people do not know it.

      The people that participate in this are like magicians selling their secrets at a bus stop.

      This isn't like a McAfee vs Norton contest. The "the total end point security" which you reference is nowhere near contextual. This is a how much are black hats willing to give up for chump-change contest.

    6. Re:Newsworthy? by Henry+V+.009 · · Score: 5, Interesting

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
      Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

      And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
    7. Re:Newsworthy? by Daimanta · · Score: 4, Funny

      Haven't you heard, there is a new tool for scriptkiddies. It is called sub8 and it's got a "get 0days" mode. I'm running it all day. I am now targeting 127.0.0.1 and I think it is going to be done any min[CARRIER LOST]

      --
      Knowledge is power. Knowledge shared is power lost.
    8. Re:Newsworthy? by try_anything · · Score: 4, Insightful

      To be honest I think this says less about the security of various platforms (after all we have to be slightly impressed Windows lasted so long), but more about the security of open source versus closed source. The operating systems themselves didn't seem to be at fault as much as extra apps (although Safari may be an exception here).
      Users follow the normal path of least resistance established by the platform. Users' first tendency is to use the apps that are installed by default, which means mostly open-source apps on Linux and closed-source apps on Windows. When an appropriate application isn't installed, consumer-targeted Linux distributions help steer users toward good open-source applications. Under Windows, you usually end up installing a closed-source application suggested by a web site. Windows application security depends not just on closed-source software but on users' ability to evaluate the credibility of web sites and spot spoofed web sites (like the ones used for phishing, but used for distributing malware instead). Under Linux, those skills are still important, but since the normal method of installing software is to download packages maintained by the distribution, users will be more likely to pay special attention when installing software from other sources.

      In sum, what this means is that Windows systems depend heavily on closed-source software and the judgment of individual users, both of which are less secure than the community-oriented "more eyes" approach taken by open-source Linux distributions.

  6. What did you expect? by lilomar · · Score: 3, Insightful

    So Linux is more secure than Windows? What else is new?

    --
    The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
    1. Re:What did you expect? by Allador · · Score: 4, Informative

      A couple things to note of interest:

      1. The contest did not require someone to 'own' the box to win. They just had to read the contents of some specific file somewhere in the OS. Unfortunately, they didn't publish where that file was, or what the file-system ACLs on it were.

      2. The guy who took down the Vista box claimed in the article that it would only take them a few more hours of work to make the Flash vuln effective on OSX and Linux as well.

  7. It is becoming more clear every day by zappepcs · · Score: 2, Interesting

    that GNU/Linux is actually more than a competitor to MS in the niche hacker/power user arena. It is in fact quite usable and *CAN* replace Windows. (Car analogy) It's like seeing Kia in a road rally, sort of surprising but after a couple of years competing people begin to just accept that they have the balls to keep it up and to compete.

    Or perhaps it's more like a dedicated sports fan seeing his team make the playoffs after 40 years of ridicule ?

    1. Re:It is becoming more clear every day by ketilwaa · · Score: 5, Funny

      Are you comparing GNU/Linux to Kia? Kia?!? KIA?!? If I see you on the road I'll be slamming into you with my Ubuntu Yugo, so watch out!

  8. I think it is most fitting... by Provocateur · · Score: 4, Funny

    ...that we christen the unharmed laptop 'Cowboy Neal'

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  9. Re:Let me get this straight by calebt3 · · Score: 4, Informative

    It comes with $20,000, $10,000, or $5,000, depending on what day you hacked it. The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000 since it was cracked later. And you can always install *nix.

  10. Re:Let me get this straight by Anonymous Coward · · Score: 5, Funny

    For some time now OS of personal computers does not reside in ROM and can be changed to a different one with ease. The miracles of technology!

  11. Re:Let me get this straight by ceejayoz · · Score: 3, Informative

    The laptop isn't insecure, the attacks are taking place against the operating system (and in all three cases, against specific applications - none of the three were hackable without the user taking certain actions).

  12. Re:Let me get this straight by spectrokid · · Score: 4, Funny

    "If you can exploit a laptop in this contest you get to keep it? Why would you want a laptop that you know is insecure?"
    Euuuuh.... to install Linux on it?
    --

    10 ?"Hello World" life was simple then

  13. Something is Fishy by ThinkFr33ly · · Score: 5, Informative

    If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

    Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    For a flash plugin to allow for a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privilege elevation exploit in Windows simultaneously.

    I didn't see them specify in the article what browser they were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

    Furthermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privilege elevation in Windows.

    So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

    I suppose one could argue that various defensive techniques like ASLR should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

    Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.

    1. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Informative

      That is not correct. Protected Mode's low rights user has virtually no access to the system.

      Unless that file was specifically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.

    2. Re:Something is Fishy by Rary · · Score: 3, Insightful

      This says absolutely nothing about Vista security.

      Actually, the fact that Vista held its own against every attack the contestants attempted against it for days, and only finally fell when the contest organizers modified the rules to allow exploitable third-party applications in, says a lot about Vista security. It's just that what it says about Vista security is opposite to what most Slashdottians would like it to say.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    3. Re:Something is Fishy by benjymouse · · Score: 5, Informative

      Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

      You are right that plugins by default run under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

      And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this broker process and thus breaks out of the sandbox.

      The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way; I believe it is probable that the exploit was somehow connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

      Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* then yet another level of security had been broken (UAC). But at this time we can't really determine.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    4. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Informative

      No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory and a few others under the user's profile), but has absolutely no access to virtually anything else... especially the user's documents.

      A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.

    5. Re:Something is Fishy by Erikderzweite · · Score: 2, Interesting

      >If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

      You are wrong, I fear. The rules were that each OS had its default configuration. Check http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 for details. So, if the protected mode is turned on by default - it was turned on during the contest.
      Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of the contest you were able to install another browser too.

      And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was the Linux laptop still standing then at the end of the day?

    6. Re:Something is Fishy by spisska · · Score: 2, Interesting

      If the person on the Vista laptop was running IE 7 with the default configuration (protected mode / UAC on), this should not have happened.

      This logic reminds me of the sysadmin where I work. She (not a typo) apparently doesn't know how to properly configure an Exchange server, so she's limited everybody's email boxes to 250 MB. Since I regularly have to deal with attachments -- large spreadsheets, presentations, csv lists, etc, and often have to go back months to find a specific mail to answer client questions, 250 MB is not sufficient.

      I pointed all this out to her, as well as the fact that I haven't seen limits like this anywhere since the early 2000s. I also suggested, not seriously, that I should store all my mail on the unused part of my ipod, or autoforward it all to my gmail account.

      Rather than seeing the absurdity, she responded that it was "not possible" to forward mail to gmail (or yahoo, hotmail, hushmail, etc) because she had set up rules preventing this. It took all of five minutes to set up a new gmail account and begin forwarding, complete with properly configured reply-to headers.

      I sent her screenshots. She still says it's not possible because that's not how it's supposed to work.

      The moral is that with most MS software, what it is supposed to do or not do has little bearing on what it will do when you know how to ask. Just because something should not happen -- e.g. your assumption that IE7 would not allow an exploit in its standard, protected mode, does not mean that it can't happen or won't happen.

      It seems to me that the entire UAC model is little more than a bolt-on that does nothing to address the structural insecurity of Windows. It's like a house with an iron gate and stone wall along the street. But the wall only extends 15m in either direction. Walk around the wall and there's nothing. With *nix, you get a wall around the whole yard by default. Along with the option to put in a moat filled with sharks. With lasers strapped to their heads. Now that's the kind of 'fishy' poppa likes.

    7. Re:Something is Fishy by benjymouse · · Score: 3, Informative

      And for all who say: "Flash issues are cross platform so Linux isn't secure either" there is one simple question - why was the Linux laptop still standing then at the end of the day?

      The rules specifically say that 1) if the exploit was cross platform the same exploit could not be used for another platform and 2) the same person cannot win 2 prizes.
      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    8. Re:Something is Fishy by ThinkFr33ly · · Score: 4, Insightful

      Also, your conclusions about UAC are completely wrong. I refer you to several blog posts I've written on the subject. UAC is a solution to a problem that only exists on Windows.

      See the following: background info, and most of this post deals with UAC.

    9. Re:Something is Fishy by benjymouse · · Score: 4, Informative

      Read the exchanges on the ieblog here: http://blogs.msdn.com/ie/archive/2006/11/17/flash-player-9-update.aspx. It also contains links to documentation.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    10. Re:Something is Fishy by david_thornley · · Score: 3, Insightful

      Really? What I hear is Vista security sucks in the real world. Seems to me that that's what most /.ers would like it to say. After all, OSes don't exist so we can admire their austere beauty, they exist so we can get things done with application programs.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:Something is Fishy by benjymouse · · Score: 5, Interesting

      I just wanted to add this: On my Vista x64 I have a service called "FlashUtil9e.exe - Adobe Flash Player Helper 9.0 r115". That's the broker process.

      It is running as *me*, with my rights. Not for long now, though. Bye Flash.

      Oh, and there's also an "Acrotray.exe" - from the same company. Guess what that does?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    12. Re:Something is Fishy by recoiledsnake · · Score: 4, Insightful

      I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit. UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux(default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash(or in Firefox) from shitting all over your user directory?

      UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

      UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com

      Contrast that to IE7 on Vista. Read this. It's in part an implementation of the Biba security model. So a similar vulnerability in IE7 or any of its plugins (including Flash) will only be able to work in a sandbox that prevents access to anything but low risk files like temporary internet files.

      From the linked article:

      Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7's Protected Mode leverages Windows Vista's UAC, MIC and UIPI features to boost browser security. In IE7's Protected Mode - which is the default in other than the Trusted security zone - the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

      So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari/ OR it must have been run on IE7 and broken through the sandbox (quite possible, but the news shouldn't be about not only an exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.

      My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door. I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.
      --
      This space for rent.
    13. Re:Something is Fishy by Kalriath · · Score: 5, Informative

      Except that... get this... FLASH HAS A BROKER PROCESS. Protected mode cannot stop Flash doing stupid stuff because Adobe in their infinite wisdom decided they really needed that unfettered system access and created a Flash Broker. And to top it off, the Flash installer adds the Flash Broker as a "Don't prompt me again for allowing this application outside protected mode to be called" program.

      I don't even know why Microsoft bothers trying to secure stuff when morons like Adobe just go and fuck it up.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
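
The "don't prompt me again" registration described in the comment above can be checked on a given machine. The PowerShell below is an added example, not part of the thread or of any vendor tool: `Get-ElevationPolicy` is a hypothetical helper name, and it assumes the `Low Rights\ElevationPolicy` registry layout (`AppName`, `AppPath`, `Policy`) from Microsoft's Protected Mode documentation. It only reads the registry.

```powershell
# Added example: read-only audit of IE Protected Mode elevation policies.
# Each subkey names one broker executable and how Protected Mode may launch it.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)

# Policy values as documented for Protected Mode.
$PolicyMeaning = @{
    0 = 'blocked from launching'
    1 = 'silent launch at low integrity'
    2 = 'user prompted, then medium integrity'
    3 = 'silent launch at medium integrity'
}

function Get-ElevationPolicy {
    foreach ($root in $PolicyRoots) {
        # A root is simply absent on systems that never registered a broker there.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.Policy) { continue }

            $policy   = [int]$props.Policy
            $fullPath = $null
            $exists   = $false
            $sigState = 'n/a'

            if ($props.AppPath -and $props.AppName) {
                $dir      = [Environment]::ExpandEnvironmentVariables([string]$props.AppPath)
                $fullPath = Join-Path -Path $dir -ChildPath ([string]$props.AppName)
                $exists   = Test-Path -LiteralPath $fullPath -PathType Leaf
                if ($exists) {
                    # An unsigned or tampered broker with Policy 3 deserves a closer look.
                    $sigState = (Get-AuthenticodeSignature -FilePath $fullPath).Status
                }
            }

            $meaning = $PolicyMeaning[$policy]
            if (-not $meaning) { $meaning = 'unknown value' }

            [pscustomobject]@{
                Policy    = $policy
                Meaning   = $meaning
                AppName   = $props.AppName
                FullPath  = $fullPath
                OnDisk    = $exists
                Signature = $sigState
                Key       = $key.Name
            }
        }
    }
}

# Brokers that leave the low-integrity sandbox with no prompt (Policy 3) are the
# ones whose own code quality decides how much Protected Mode still protects.
Get-ElevationPolicy |
    Where-Object { $_.Policy -eq 3 } |
    Sort-Object AppName |
    Format-Table Policy, AppName, OnDisk, Signature, FullPath -AutoSize
```

Entries whose `AppName` matches a plugin helper, such as the `FlashUtil9e.exe` process mentioned elsewhere in this thread, show which third-party brokers run with the user's full rights on behalf of the sandboxed browser.
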
    14. Re:Something is Fishy by spisska · · Score: 5, Informative

      Are you suggesting that software bugs are in some way a phenomenon unique to Microsoft ?

      Not at all. What I'm suggesting is that when someone says that X is not possible because it isn't supposed to happen, it doesn't mean that it can't happen or won't happen. The Titanic was supposed to be unsinkable. AACS was supposed to be unbreakable. The four-minute mile was supposed to be unachievable.

      I'm not foolish enough to claim that *nix cannot be rooted or cracked. Just that because of its design it is inherently more secure and more difficult to crack than a system that still allows apps to run in rootspace.

      What "baggage" ?

      The baggage of supporting legacy apps that require(d) administrator access. Because Windows had been designed for so long to be run by a single user-administrator, there are plenty of apps that simply won't run without admin-level privileges.

      No, it addresses the same problem that exists on all multiuser OSes, which is why all multiuser OSes address it (with varying degrees of user friendliness). Windows "compartmentalises users" at least as well as other platforms (and possibly better, depending on exactly what those OSes are, due to extensive use of ACLs and the lack of a superuser).

      Not exactly. When an OS is designed from the ground up as a multiuser system (such as *nix), it is very easy to restrict access to system resources. If I want to install a piece of software on Linux, for example, I cannot make the installation system-wide (by writing to /usr/bin, for example) without admin privileges. I cannot install libraries to /lib, /usr/lib, etc. I cannot write settings to /etc. Even when installed and executed, that program will only have a restricted set of rights based on the user/group that executes it. I can, however, compile and run executables as a user without needing admin access and without write access to system files and/or directories. I can put whatever libraries, modules, settings etc are required in my home directory without needing access to restricted areas.

      Yes, I do run the risk of hosing my /home/user directory and everything inside of it, but I cannot touch any other user's files, and cannot touch system files.

      Windows, on the other hand, has a hybrid model where a multi user model is tacked onto a single user-admin model, or rather support for a single user-admin model is bolted onto a basic multiuser model. Basic, because a true multi-user system would never have a single repository for all settings, like the Windows registry.

      Your logic is worthless.

      Please explain.

      You are saying that because an (apparently ignorant) Exchange Administrator misconfigured her server, there might be bugs in Windows.

      No. What I'm saying is that my sysadmin's argument is very similar to the OP's argument. The OP said that because IE7 isn't supposed to allow a system level exploit via something like Flash, then therefore it isn't possible. My sysadmin said that because she configured Exchange to block autoforwarding to public webmail then it isn't possible. It is clearly possible to autoforward my mail to gmail, and I did it and showed her to prove a point. She seems to think I manually forwarded the messages and somehow spoofed the reply-to field, and that autoforwarding is impossible because it shouldn't happen.

      It's the same point I'm making now, and am running out of ways to say: Just because something shouldn't happen doesn't mean it won't or can't.

      More on topic, if an app has elevated rights, then exploiting a vulnerability in that app will give the exploit/exploiter elevated rights. There are very few apps on *nix (none that I can think of) that run or need to run with elevated rights. There are a lot of apps on Windows that expect to have admin rights, regardless of whether or not such access is needed. This is why the problem is structural, and why I used the example of the incomplete wall.

    15. Re:Something is Fishy by Allador · · Score: 2, Interesting

      Maybe, maybe not.

      The guy that took down Vista claims that the same exploit can be used on Linux and OSX, just requires a few more hours work.

      Not proven yet, but possible.

  14. Both vulns are Mac-centric by EraserMouseMan · · Score: 2

    It's interesting that the 2 vulnerable attack vectors are from the 2 companies that have the largest Mac user-base. Apple (Safari) and Adobe (Flash).

  15. 1 day later. by Lulfas · · Score: 3, Insightful

    Isn't it amazing that they couldn't exploit a Vista box with stock software, but they could do the Mac? It required them to install 3rd party software (Although extremely common 3rd party software, to be fair). Security through obscurity is dead.

    1. Re:1 day later. by maskedbishounen · · Score: 2, Insightful

      Or rather, security through obscurity takes longer. Which is kind of the whole point.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    2. Re:1 day later. by c_forq · · Score: 2, Insightful

      On the other hand Webkit http://www.webkit.org/ is open source, and the Mac was exploited through Safari. So this same case could be used as an argument that open source is more easily/quickly exploited.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
  16. I don't know about a religious platform war .... by LaughingCoder · · Score: 5, Insightful

    ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.

    --
    The more you regulate a company, the worse its products become.
  17. Re:Know this: no one uses linux on desktop, no sof by Zedekiah · · Score: 3, Funny

    No-one? I hope you realise that you've just caused me an existential crisis!

    --
    What I wouldn't do for the ability to mod "-1, Plain Wrong"
  18. Re:Know this: no one uses linux on desktop, no sof by ricegf · · Score: 5, Insightful

    Know this: no one uses linux on desktop,

    The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

    Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

    And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

    Well, anyway, sorry to have fed the troll.

  19. Know this: people use linux on desktop by tomhudson · · Score: 2, Insightful

    Know this: no one uses linux on desktop

    Really? So this must be some magical post I'm making ...

    Second-rate software may appeal if it comes at no cost, but life is too short to waste and second-rate (at best) software wastes too much of it

    I agree, which is why I don't "do" Windows.

    I use linux at home, and linux + bsd at work.

    My sister switched to an iMac, and "once you go mac, you never go back."

    People routinely remote into another linux box at work when they want to get "real" work done in a more powerful graphical environment like kde, or need to do stuff that Windows just can't do without a lot of work ...

    Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.

    1. Re:Know this: people use linux on desktop by Almahtar · · Score: 3, Informative

      Even web developers no longer need to keep a Windows box handy "for compatibility testing" - IE 7 runs fine under linux.

      As a matter of fact, you can run IE 5.5, 6, and 7 simultaneously in Linux, making it easier for IE compatibility testing than Windows. Oh, the irony.
  20. Re:Hierarchy of Desirable Laptops? by Wavebreak · · Score: 2, Insightful

    No, trying to hack only the most desirable one would be dumb, seeing as how either of the other two are worth quite a bit on their own, and there's a rather substantial cash prize in it for you as well. This gets repeated constantly, and people *still* bring the same goddamn stupid point up. No wonder you're posting as AC tbh.

    --
    Nobody expects the British Columbia Human Rights Tribunal.
  21. Re:Know this: no one uses linux on desktop, no sof by calebt3 · · Score: 2, Insightful

    No-one uses Linux, and No-one is perfect. So we should try to follow in No-one's footsteps.

  22. Re:Know this: no one uses linux on desktop, no sof by Oktober+Sunset · · Score: 2, Funny

    Well, anyway, sorry to have fed the troll.

    As long as you don't feed the squirrels.
  23. Re:I don't know about a religious platform war ... by Fweeky · · Score: 2, Insightful

    It brings any machine to its knees as it consumes every available resource while rendering a simple document

    Not seen that. I did try FoxIt Reader when I found a rather complex pdf of a world map of submarine optical fibre connections was rendered painfully slowly, but FoxIt was even slower. I upgraded to Adobe Reader 8, and now it's actually fairly smooth; something that'd take FoxIt or Adobe Reader 7 a good 3-10 seconds to render will take under a second and once drawn, scroll smoothly.

    At the same time, I've not seen it go beyond about 150MB of memory, and more commonly manages a third of that. Startup time was rubbish a couple of years ago when it'd sit there loading about 20 different plugins for no particular reason, but that's not been a problem for a while now.

  24. Re:Let me get this straight by Divebus · · Score: 3, Insightful

    The guy who cracked the Mac got $10,000 and the Vista machine came with $5,000

    Cue the trolls: "See? Macs ARE more expensive!"
    --

    Most of the stuff on /. won't survive first contact with facts.
  25. Re:Different hardware, different incentive? by Anonymous Coward · · Score: 2, Informative

    if you had rtfa, you would know that there are also a couple thousand dollars in the game.

  26. Not useless by xant · · Score: 2, Interesting

    It's not useless. It just shows that things are improving at the OS level. I'm not surprised by this.. XP SP2 was a pretty substantial step in this direction, and OS X has made substantial strides as well (not that anybody's noticing). Seems like Vista did in fact improve in this area as well. So yes, if you're talking about the kernel and the stock OS, it's getting harder to compare security, because they are all much more secure than they ever were before.

    So the game has changed. The contest rules here have also changed, to reflect the new game. They built in the day-3 rule changes so that more exploits would be possible, to keep the contest interesting, knowing in advance that hacking the stock OS would be pretty hard.

    It's not just the stock OS security that matters, it's the security of the entire stack, and the software ecosystem it lives in. Give Microsoft and Apple credit for improving their cores, but you can still say Ubuntu has a better stack and ecosystem, and point to the same reasons why: open source, community testing, heterogeneity.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  27. Re:Know this: no one uses linux on desktop, no sof by surfi · · Score: 2, Insightful

    and it's not only people using linux at home, we use it in our company too. some people were not very enthusiastic with the move, but everything works better now and maintenance costs are A LOT lower. no wonder that governments and large enterprises around the world are switching to linux

  28. Sandbagging? by joetheappleguy · · Score: 2, Insightful

    Same 2 guys win by cracking the same platforms they won on last year.

    I'd wager they each have a handy arsenal of "zero day" exploits ready for next year's competition already.

  29. Re:Different hardware, different incentive? by LingNoi · · Score: 2, Informative

    If you RTFA you'd realize that the Sony machine running Ubuntu was the most expensive and wasn't cracked.

  30. 10 Things to Remember About CanSecWest by DECS · · Score: 2, Insightful

    "The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple "Mac Shot First" headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner.

    "The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice."

    10 Things to Remember About CanSecWest and Software Vulnerabilities

  31. The ONLY reason ubuntu won by goombah99 · · Score: 2, Funny

    I note that Windows and Mac can run firefox too. The ONLY reason that ubuntu won is because it can't run Safari, or IE.

    My kid's pretend Leap-frog computer also can't run a browser or even connect to the internet. Clearly it is much safer than ubuntu.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The ONLY reason ubuntu won by fonik · · Score: 2, Informative

      That leapfrog trades a lot of features to gain that security. Since Firefox doesn't sacrifice features... well, yeah, it really IS better.