Feeds

Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

Contestant overcomes bout of 'hacktile dysfunction'

Providing a secure and efficient Helpdesk

CanSecWest A laptop running a fully patched version of Microsoft's Vista operating system was the second and final machine to fall in a hacking contest that pitted the security of Windows, OS X and Ubuntu Linux. With both a Windows and Mac machine felled, only the Linux box remained standing following the three-day competition.

Shane Macaulay, who played a hand bringing down a Mac during last year's Pwn2Own contest, defeated the Vista machine using a previously unknown vulnerability in Adobe Flash. On final day of the CanSecWest conference in Vancouver, Macaulay spent the better part of four hours trying to get the exploit to work. (The delay prompted one spectator to playfully dub the difficulty "hacktile dysfunction.")

A MacBook Pro running a fully patched version of Leopard was the first to drop out during day two of the race, when researchers from Independent Security Evaluators demonstrated a previously unknown vulnerability in Apple's Safari browser. With brand new boxes running both Ubuntu and Vista remaining, Macaulay spent day three switching back and forth between the two machines, trying to get his Flash exploit to execute properly. He was assisted by Alex Sotirov, a security researcher at VMware.

Initially thwarting Macaulay's efforts was the recently released Service Pack 1 for Vista, which he had neglected to install when testing the Flash exploit in the days leading up to the contest. Per the contest rules, each target machine had to be fully patched, and when the researcher first ran the code during the competition, new page protections added by Microsoft's security team prevented the exploit from properly executing.

"They had done some stuff in Vista to prohibit this form of attack from being successful on third party software," Macaulay said minutes after he finally commandeered the Fujitsu U810 laptop. "We had to do some porting to get around that issue."

Macaulay and Sotirov fashioned some javascript to circumvent the new measure, a feat that effectively allows them "to render that protection ineffective," Macaulay said.

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would probably sell the machine, which he and Sotirov autographed with a black Sharpie pen, on eBay.

Under contest rules, qualifying exploits on day one had to target default installations of the operating system itself and winners were allowed to walk away with the hacked box and a $20,000 bounty. Contest organizers gradually expanded the eligible attack surface on days two and three by allowing an vulnerabilities in an increasing number of third party applications. The bounty dropped to $10,000 on day 2 and $5,000 on day three. No one bothered competing on day one.

Plenty of commentators have made hay of the MacBook Pro being the first to exit the race, and Linux zealots are sure to conclude the contest results prove the superiority of that platform. Maybe. But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.

The better take-away is that exploits like these are a fact of life for everyone no matter what kind of machine they choose (are you listening, Mac Guy?). Another lesson: just as quickly as Microsoft or any other developer adds new measures like page protection to their code base, hackers, ethical and otherwise, are find ways to work around them.

"Nobody can do anything about it, because you're always going to be installing something" that will bypass security, Macaulay, who wore torn blue jeans and a Puma jogging jacket, said with a shrug. "If it's not Java, it'll be something else." ®

Internet Security Threat Report 2014

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.