«

Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
contestContestant overcomes bout of 'hacktile dysfunction'
By Dan Goodin in Vancouver → More by this author
Published Saturday 29th March 2008 21:27 GMT

--------------------------------------------------------------------------------

CanSecWest A laptop running a fully patched version of Microsoft's Vista
operating system was the second and final machine to fall in a hacking
contest that pitted the security of Windows, OS X and Ubuntu Linux. With
both a Windows and Mac machine felled, only the Linux box remained
standing following the three-day competition.

Shane Macaulay, who played a hand bringing down a Mac during last year's
Pwn2Own contest, defeated the Vista machine using a previously unknown
vulnerability in Adobe Flash. On final day of the CanSecWest conference
in Vancouver, Macaulay spent the better part of four hours trying to get
the exploit to work. (The delay prompted one spectator to playfully dub
the difficulty "hacktile dysfunction.")

A MacBook Pro running a fully patched version of Leopard was the first
to drop out during day two of the race, when researchers from
Independent Security Evaluators demonstrated a previously unknown
vulnerability in Apple's Safari browser. With brand new boxes running
both Ubuntu and Vista remaining, Macaulay spent day three switching back
and forth between the two machines, trying to get his Flash exploit to
execute properly. He was assisted by Alex Sotirov, a security researcher
at VMware.

Initially thwarting Macaulay's efforts was the recently released Service
Pack 1 for Vista, which he had neglected to install when testing the
Flash exploit in the days leading up to the contest. Per the contest
rules, each target machine had to be fully patched, and when the
researcher first ran the code during the competition, new page
protections added by Microsoft's security team prevented the exploit
from properly executing.

"They had done some stuff in Vista to prohibit this form of attack from
being successful on third party software," Macaulay said minutes after
he finally commandeered the Fujitsu U810 laptop. "We had to do some
porting to get around that issue."

Macaulay and Sotirov fashioned some javascript to circumvent the new
measure, a feat that effectively allows them "to render that protection
ineffective," Macaulay said.

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he
would probably sell the machine, which he and Sotirov autographed with a
black Sharpie pen, on eBay.

Under contest rules, qualifying exploits on day one had to target
default installations of the operating system itself and winners were
allowed to walk away with the hacked box and a $20,000 bounty. Contest
organizers gradually expanded the eligible attack surface on days two
and three by allowing an vulnerabilities in an increasing number of
third party applications. The bounty dropped to $10,000 on day 2 and
$5,000 on day three. No one bothered competing on day one.

Plenty of commentators have made hay of the MacBook Pro being the first
to exit the race, and Linux zealots are sure to conclude the contest
results prove the superiority of that platform. Maybe. But that's not
how it looks to Macaulay, who says with a few hours of tweaking, his
exploit will also work on OS X and Linux.

The better take-away is that exploits like these are a fact of life for
everyone no matter what kind of machine they choose (are you listening,
Mac Guy?). Another lesson: just as quickly as Microsoft or any other
developer adds new measures like page protection to their code base,
hackers, ethical and otherwise, are find ways to work around them.

"Nobody can do anything about it, because you're always going to be
installing something" that will bypass security, Macaulay, who wore torn
blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
Java, it'll be something else." ®

Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX was
gone in ~ 2 minutes...

Yes, Linux is very secure, but that report isn't all that bad for Windows.

--

Dustin Harper

http://www.vistarip.com | Vista Resource & Information Page


"nospam" <> wrote in message
news:47eed7c8$0$30700$...
> Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
> contestContestant overcomes bout of 'hacktile dysfunction'
> By Dan Goodin in Vancouver → More by this author
> Published Saturday 29th March 2008 21:27 GMT
>
> --------------------------------------------------------------------------------
>
> CanSecWest A laptop running a fully patched version of Microsoft's Vista
> operating system was the second and final machine to fall in a hacking
> contest that pitted the security of Windows, OS X and Ubuntu Linux. With
> both a Windows and Mac machine felled, only the Linux box remained
> standing following the three-day competition.
>
> Shane Macaulay, who played a hand bringing down a Mac during last year's
> Pwn2Own contest, defeated the Vista machine using a previously unknown
> vulnerability in Adobe Flash. On final day of the CanSecWest conference in
> Vancouver, Macaulay spent the better part of four hours trying to get the
> exploit to work. (The delay prompted one spectator to playfully dub the
> difficulty "hacktile dysfunction.")
>
> A MacBook Pro running a fully patched version of Leopard was the first to
> drop out during day two of the race, when researchers from Independent
> Security Evaluators demonstrated a previously unknown vulnerability in
> Apple's Safari browser. With brand new boxes running both Ubuntu and Vista
> remaining, Macaulay spent day three switching back and forth between the
> two machines, trying to get his Flash exploit to execute properly. He was
> assisted by Alex Sotirov, a security researcher at VMware.
>
> Initially thwarting Macaulay's efforts was the recently released Service
> Pack 1 for Vista, which he had neglected to install when testing the Flash
> exploit in the days leading up to the contest. Per the contest rules, each
> target machine had to be fully patched, and when the researcher first ran
> the code during the competition, new page protections added by Microsoft's
> security team prevented the exploit from properly executing.
>
> "They had done some stuff in Vista to prohibit this form of attack from
> being successful on third party software," Macaulay said minutes after he
> finally commandeered the Fujitsu U810 laptop. "We had to do some porting
> to get around that issue."
>
> Macaulay and Sotirov fashioned some javascript to circumvent the new
> measure, a feat that effectively allows them "to render that protection
> ineffective," Macaulay said.
>
> It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
> Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would
> probably sell the machine, which he and Sotirov autographed with a black
> Sharpie pen, on eBay.
>
> Under contest rules, qualifying exploits on day one had to target default
> installations of the operating system itself and winners were allowed to
> walk away with the hacked box and a $20,000 bounty. Contest organizers
> gradually expanded the eligible attack surface on days two and three by
> allowing an vulnerabilities in an increasing number of third party
> applications. The bounty dropped to $10,000 on day 2 and $5,000 on day
> three. No one bothered competing on day one.
>
> Plenty of commentators have made hay of the MacBook Pro being the first to
> exit the race, and Linux zealots are sure to conclude the contest results
> prove the superiority of that platform. Maybe. But that's not how it looks
> to Macaulay, who says with a few hours of tweaking, his exploit will also
> work on OS X and Linux.
>
> The better take-away is that exploits like these are a fact of life for
> everyone no matter what kind of machine they choose (are you listening,
> Mac Guy?). Another lesson: just as quickly as Microsoft or any other
> developer adds new measures like page protection to their code base,
> hackers, ethical and otherwise, are find ways to work around them.
>
> "Nobody can do anything about it, because you're always going to be
> installing something" that will bypass security, Macaulay, who wore torn
> blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
> Java, it'll be something else." ®

In message <47eed7c8$0$30700$> nospam
<> wrote:

>Plenty of commentators have made hay of the MacBook Pro being the first
>to exit the race, and Linux zealots are sure to conclude the contest
>results prove the superiority of that platform. Maybe. But that's not
>how it looks to Macaulay, who says with a few hours of tweaking, his
>exploit will also work on OS X and Linux.

This is really the crux of it, all three OSes survived at the core
level, OSX fell due to built-in software, without the user authorizing
specific software installation.

News that third party software might have vulnerabilities that can
compromise the user account running the software isn't really news at
all -- If day #3 is included, day #4 should be "hack the machine with
the administrator/root password and physical access"

I understand that if you unplug a linux machine it will continue to work,
where both the Mac and Windows machine require power...

"Dustin Harper" <> wrote in message
newsA91C1BA-651B-4C40-BCDD-...
> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX
> was gone in ~ 2 minutes...
>
> Yes, Linux is very secure, but that report isn't all that bad for Windows.
>
> --
>
> Dustin Harper
>
> http://www.vistarip.com | Vista Resource & Information Page
>
>
> "nospam" <> wrote in message
> news:47eed7c8$0$30700$...
>> Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
>> contestContestant overcomes bout of 'hacktile dysfunction'
>> By Dan Goodin in Vancouver → More by this author
>> Published Saturday 29th March 2008 21:27 GMT
>>
>> --------------------------------------------------------------------------------
>>
>> CanSecWest A laptop running a fully patched version of Microsoft's Vista
>> operating system was the second and final machine to fall in a hacking
>> contest that pitted the security of Windows, OS X and Ubuntu Linux. With
>> both a Windows and Mac machine felled, only the Linux box remained
>> standing following the three-day competition.
>>
>> Shane Macaulay, who played a hand bringing down a Mac during last year's
>> Pwn2Own contest, defeated the Vista machine using a previously unknown
>> vulnerability in Adobe Flash. On final day of the CanSecWest conference
>> in Vancouver, Macaulay spent the better part of four hours trying to get
>> the exploit to work. (The delay prompted one spectator to playfully dub
>> the difficulty "hacktile dysfunction.")
>>
>> A MacBook Pro running a fully patched version of Leopard was the first to
>> drop out during day two of the race, when researchers from Independent
>> Security Evaluators demonstrated a previously unknown vulnerability in
>> Apple's Safari browser. With brand new boxes running both Ubuntu and
>> Vista remaining, Macaulay spent day three switching back and forth
>> between the two machines, trying to get his Flash exploit to execute
>> properly. He was assisted by Alex Sotirov, a security researcher at
>> VMware.
>>
>> Initially thwarting Macaulay's efforts was the recently released Service
>> Pack 1 for Vista, which he had neglected to install when testing the
>> Flash exploit in the days leading up to the contest. Per the contest
>> rules, each target machine had to be fully patched, and when the
>> researcher first ran the code during the competition, new page
>> protections added by Microsoft's security team prevented the exploit from
>> properly executing.
>>
>> "They had done some stuff in Vista to prohibit this form of attack from
>> being successful on third party software," Macaulay said minutes after he
>> finally commandeered the Fujitsu U810 laptop. "We had to do some porting
>> to get around that issue."
>>
>> Macaulay and Sotirov fashioned some javascript to circumvent the new
>> measure, a feat that effectively allows them "to render that protection
>> ineffective," Macaulay said.
>>
>> It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
>> Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would
>> probably sell the machine, which he and Sotirov autographed with a black
>> Sharpie pen, on eBay.
>>
>> Under contest rules, qualifying exploits on day one had to target default
>> installations of the operating system itself and winners were allowed to
>> walk away with the hacked box and a $20,000 bounty. Contest organizers
>> gradually expanded the eligible attack surface on days two and three by
>> allowing an vulnerabilities in an increasing number of third party
>> applications. The bounty dropped to $10,000 on day 2 and $5,000 on day
>> three. No one bothered competing on day one.
>>
>> Plenty of commentators have made hay of the MacBook Pro being the first
>> to exit the race, and Linux zealots are sure to conclude the contest
>> results prove the superiority of that platform. Maybe. But that's not how
>> it looks to Macaulay, who says with a few hours of tweaking, his exploit
>> will also work on OS X and Linux.
>>
>> The better take-away is that exploits like these are a fact of life for
>> everyone no matter what kind of machine they choose (are you listening,
>> Mac Guy?). Another lesson: just as quickly as Microsoft or any other
>> developer adds new measures like page protection to their code base,
>> hackers, ethical and otherwise, are find ways to work around them.
>>
>> "Nobody can do anything about it, because you're always going to be
>> installing something" that will bypass security, Macaulay, who wore torn
>> blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
>> Java, it'll be something else." ®
>

It's better then that. When the power goes off, my linux machine powers my
entire house

"Howard Swope" <howard_swopeAThms3DOTcom> wrote in message
news:u7C%...
>I understand that if you unplug a linux machine it will continue to work,
>where both the Mac and Windows machine require power...
>

"Dustin Harper" <> wrote in message newsA91C1BA-651B-4C40-BCDD-...

> Yes, Linux is very secure, but that report isn't all that bad for Windows.

>> ... But that's not how it looks to Macaulay, who says with a few hours
>> of tweaking, his exploit will also work on ... Linux.

On Mar 29, 6:45 pm, "Dustin Harper" <dhar...@vistarip.com> wrote:
> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX was
> gone in ~ 2 minutes...
>
> Yes, Linux is very secure, but that report isn't all that bad for Windows.
>
> --
>
> Dustin Harper
> dhar...@vistarip.comhttp://www.vistarip.com| Vista Resource & Information Page
>
> "nospam" <nos...@nospam.net> wrote in message
>
> news:47eed7c8$0$30700$...
>
> > Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
> > contestContestant overcomes bout of 'hacktile dysfunction'
> > By Dan Goodin in Vancouver $B"*(B More by this author
> > Published Saturday 29th March 2008 21:27 GMT
>
> > --------------------------------------------------------------------------------
>
> > CanSecWest A laptop running a fully patched version of Microsoft's Vista
> > operating system was the second and final machine to fall in a hacking
> > contest that pitted the security of Windows, OS X and Ubuntu Linux. With
> > both a Windows and Mac machine felled, only the Linux box remained
> > standing following the three-day competition.
>
> > Shane Macaulay, who played a hand bringing down a Mac during last year's
> > Pwn2Own contest, defeated the Vista machine using a previously unknown
> > vulnerability in Adobe Flash. On final day of the CanSecWest conference in
> > Vancouver, Macaulay spent the better part of four hours trying to get the
> > exploit to work. (The delay prompted one spectator to playfully dub the
> > difficulty "hacktile dysfunction.")
>
> > A MacBook Pro running a fully patched version of Leopard was the first to
> > drop out during day two of the race, when researchers from Independent
> > Security Evaluators demonstrated a previously unknown vulnerability in
> > Apple's Safari browser. With brand new boxes running both Ubuntu and Vista
> > remaining, Macaulay spent day three switching back and forth between the
> > two machines, trying to get his Flash exploit to execute properly. He was
> > assisted by Alex Sotirov, a security researcher at VMware.
>
> > Initially thwarting Macaulay's efforts was the recently released Service
> > Pack 1 for Vista, which he had neglected to install when testing the Flash
> > exploit in the days leading up to the contest. Per the contest rules, each
> > target machine had to be fully patched, and when the researcher first ran
> > the code during the competition, new page protections added by Microsoft's
> > security team prevented the exploit from properly executing.
>
> > "They had done some stuff in Vista to prohibit this form of attack from
> > being successful on third party software," Macaulay said minutes after he
> > finally commandeered the Fujitsu U810 laptop. "We had to do some porting
> > to get around that issue."
>
> > Macaulay and Sotirov fashioned some javascript to circumvent the new
> > measure, a feat that effectively allows them "to render that protection
> > ineffective," Macaulay said.
>
> > It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
> > Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would
> > probably sell the machine, which he and Sotirov autographed with a black
> > Sharpie pen, on eBay.
>
> > Under contest rules, qualifying exploits on day one had to target default
> > installations of the operating system itself and winners were allowed to
> > walk away with the hacked box and a $20,000 bounty. Contest organizers
> > gradually expanded the eligible attack surface on days two and three by
> > allowing an vulnerabilities in an increasing number of third party
> > applications. The bounty dropped to $10,000 on day 2 and $5,000 on day
> > three. No one bothered competing on day one.
>
> > Plenty of commentators have made hay of the MacBook Pro being the first to
> > exit the race, and Linux zealots are sure to conclude the contest results
> > prove the superiority of that platform. Maybe. But that's not how it looks
> > to Macaulay, who says with a few hours of tweaking, his exploit will also
> > work on OS X and Linux.
>
> > The better take-away is that exploits like these are a fact of life for
> > everyone no matter what kind of machine they choose (are you listening,
> > Mac Guy?). Another lesson: just as quickly as Microsoft or any other
> > developer adds new measures like page protection to their code base,
> > hackers, ethical and otherwise, are find ways to work around them.
>
> > "Nobody can do anything about it, because you're always going to be
> > installing something" that will bypass security, Macaulay, who wore torn
> > blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
> > Java, it'll be something else." (R)

I really wish there was a way to stop websites from using flash. I
can't think of a more useless program, not to mention it is
proprietary. I use firefox to block flash since many websites are
using flash for adverts.

Just use IE64. Except for the nag message at the top of the screen, it works
fine.


<> wrote in message
news:1c29448f-1a2b-4179-b75a-...
> On Mar 29, 6:45 pm, "Dustin Harper" <dhar...@vistarip.com> wrote:
>> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX
>> was
>> gone in ~ 2 minutes...
>>
>> Yes, Linux is very secure, but that report isn't all that bad for
>> Windows.
>>
>> --
>>
>> Dustin Harper
>> dhar...@vistarip.comhttp://www.vistarip.com| Vista Resource & Information
>> Page
>>
>> "nospam" <nos...@nospam.net> wrote in message
>>
>> news:47eed7c8$0$30700$...
>>
>> > Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
>> > contestContestant overcomes bout of 'hacktile dysfunction'
>> > By Dan Goodin in Vancouver $B"*(B More by this author
>> > Published Saturday 29th March 2008 21:27 GMT
>>
>> > --------------------------------------------------------------------------------
>>
>> > CanSecWest A laptop running a fully patched version of Microsoft's
>> > Vista
>> > operating system was the second and final machine to fall in a hacking
>> > contest that pitted the security of Windows, OS X and Ubuntu Linux.
>> > With
>> > both a Windows and Mac machine felled, only the Linux box remained
>> > standing following the three-day competition.
>>
>> > Shane Macaulay, who played a hand bringing down a Mac during last
>> > year's
>> > Pwn2Own contest, defeated the Vista machine using a previously unknown
>> > vulnerability in Adobe Flash. On final day of the CanSecWest conference
>> > in
>> > Vancouver, Macaulay spent the better part of four hours trying to get
>> > the
>> > exploit to work. (The delay prompted one spectator to playfully dub the
>> > difficulty "hacktile dysfunction.")
>>
>> > A MacBook Pro running a fully patched version of Leopard was the first
>> > to
>> > drop out during day two of the race, when researchers from Independent
>> > Security Evaluators demonstrated a previously unknown vulnerability in
>> > Apple's Safari browser. With brand new boxes running both Ubuntu and
>> > Vista
>> > remaining, Macaulay spent day three switching back and forth between
>> > the
>> > two machines, trying to get his Flash exploit to execute properly. He
>> > was
>> > assisted by Alex Sotirov, a security researcher at VMware.
>>
>> > Initially thwarting Macaulay's efforts was the recently released
>> > Service
>> > Pack 1 for Vista, which he had neglected to install when testing the
>> > Flash
>> > exploit in the days leading up to the contest. Per the contest rules,
>> > each
>> > target machine had to be fully patched, and when the researcher first
>> > ran
>> > the code during the competition, new page protections added by
>> > Microsoft's
>> > security team prevented the exploit from properly executing.
>>
>> > "They had done some stuff in Vista to prohibit this form of attack from
>> > being successful on third party software," Macaulay said minutes after
>> > he
>> > finally commandeered the Fujitsu U810 laptop. "We had to do some
>> > porting
>> > to get around that issue."
>>
>> > Macaulay and Sotirov fashioned some javascript to circumvent the new
>> > measure, a feat that effectively allows them "to render that protection
>> > ineffective," Macaulay said.
>>
>> > It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
>> > Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he
>> > would
>> > probably sell the machine, which he and Sotirov autographed with a
>> > black
>> > Sharpie pen, on eBay.
>>
>> > Under contest rules, qualifying exploits on day one had to target
>> > default
>> > installations of the operating system itself and winners were allowed
>> > to
>> > walk away with the hacked box and a $20,000 bounty. Contest organizers
>> > gradually expanded the eligible attack surface on days two and three by
>> > allowing an vulnerabilities in an increasing number of third party
>> > applications. The bounty dropped to $10,000 on day 2 and $5,000 on day
>> > three. No one bothered competing on day one.
>>
>> > Plenty of commentators have made hay of the MacBook Pro being the first
>> > to
>> > exit the race, and Linux zealots are sure to conclude the contest
>> > results
>> > prove the superiority of that platform. Maybe. But that's not how it
>> > looks
>> > to Macaulay, who says with a few hours of tweaking, his exploit will
>> > also
>> > work on OS X and Linux.
>>
>> > The better take-away is that exploits like these are a fact of life for
>> > everyone no matter what kind of machine they choose (are you listening,
>> > Mac Guy?). Another lesson: just as quickly as Microsoft or any other
>> > developer adds new measures like page protection to their code base,
>> > hackers, ethical and otherwise, are find ways to work around them.
>>
>> > "Nobody can do anything about it, because you're always going to be
>> > installing something" that will bypass security, Macaulay, who wore
>> > torn
>> > blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
>> > Java, it'll be something else." (R)
>
> I really wish there was a way to stop websites from using flash. I
> can't think of a more useless program, not to mention it is
> proprietary. I use firefox to block flash since many websites are
> using flash for adverts.

In message
<1c29448f-1a2b-4179-b75a->
wrote:

>I really wish there was a way to stop websites from using flash.

Don't install Flash and you'll find the problem goes away.