Feeds

Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

Contestant overcomes bout of 'hacktile dysfunction'

Providing a secure and efficient Helpdesk

CanSecWest A laptop running a fully patched version of Microsoft's Vista operating system was the second and final machine to fall in a hacking contest that pitted the security of Windows, OS X and Ubuntu Linux. With both a Windows and Mac machine felled, only the Linux box remained standing following the three-day competition.

Shane Macaulay, who played a hand bringing down a Mac during last year's Pwn2Own contest, defeated the Vista machine using a previously unknown vulnerability in Adobe Flash. On final day of the CanSecWest conference in Vancouver, Macaulay spent the better part of four hours trying to get the exploit to work. (The delay prompted one spectator to playfully dub the difficulty "hacktile dysfunction.")

A MacBook Pro running a fully patched version of Leopard was the first to drop out during day two of the race, when researchers from Independent Security Evaluators demonstrated a previously unknown vulnerability in Apple's Safari browser. With brand new boxes running both Ubuntu and Vista remaining, Macaulay spent day three switching back and forth between the two machines, trying to get his Flash exploit to execute properly. He was assisted by Alex Sotirov, a security researcher at VMware.

Initially thwarting Macaulay's efforts was the recently released Service Pack 1 for Vista, which he had neglected to install when testing the Flash exploit in the days leading up to the contest. Per the contest rules, each target machine had to be fully patched, and when the researcher first ran the code during the competition, new page protections added by Microsoft's security team prevented the exploit from properly executing.

"They had done some stuff in Vista to prohibit this form of attack from being successful on third party software," Macaulay said minutes after he finally commandeered the Fujitsu U810 laptop. "We had to do some porting to get around that issue."

Macaulay and Sotirov fashioned some javascript to circumvent the new measure, a feat that effectively allows them "to render that protection ineffective," Macaulay said.

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would probably sell the machine, which he and Sotirov autographed with a black Sharpie pen, on eBay.

Under contest rules, qualifying exploits on day one had to target default installations of the operating system itself and winners were allowed to walk away with the hacked box and a $20,000 bounty. Contest organizers gradually expanded the eligible attack surface on days two and three by allowing an vulnerabilities in an increasing number of third party applications. The bounty dropped to $10,000 on day 2 and $5,000 on day three. No one bothered competing on day one.

Plenty of commentators have made hay of the MacBook Pro being the first to exit the race, and Linux zealots are sure to conclude the contest results prove the superiority of that platform. Maybe. But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.

The better take-away is that exploits like these are a fact of life for everyone no matter what kind of machine they choose (are you listening, Mac Guy?). Another lesson: just as quickly as Microsoft or any other developer adds new measures like page protection to their code base, hackers, ethical and otherwise, are find ways to work around them.

"Nobody can do anything about it, because you're always going to be installing something" that will bypass security, Macaulay, who wore torn blue jeans and a Puma jogging jacket, said with a shrug. "If it's not Java, it'll be something else." ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.