After a Mac was hacked in 2 minutes at the CanSecWest conference, it was Vista's turn to get hacked on the 3rd day. Vista's security was compromised through popular 3rd-party software, Adobe Flash.
"The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall through the OS X operating system."
The MacBook Air went first; a Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.
If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.
The applications are standard, GPS doesn't come in all cars, thus your analogy is faulty itself.
A better example would be if the car came with ****ty tires and this led the car into increased crashes, etc.
The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.
In a way, you're right, it's the App's fault, but the tire itself being weak and being installed on the car leaves the car vulnerable.
Adobe doesn't come with windows by default, therefore his analogy is perfect. You'd have to manually download it and install it.
IE's secure mode is supposed to prevent plugins from being taken advantage of in this way, any word if this was exploited? I mean, Linux runs Flash too...
Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.
And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.
On Ubuntu 7.10 (which they were using in the contest) you can install it by default through firefox, it has a modified version
Last edited by HalcyonX12 on 31 Mar 2008 - 01:04
...and flash is standard in Windows? I think not.
My point is 100% of the software in Linux is "3rd party," whereas everything in the base install of OSX and Windows is developed by the company.
Ok, but either way, flash was how Windows was hacked, and is available on Linux but it wasn't hacked. Windows also contains a lot of code from 3rd parties in the form of drivers and from software from the various companies they bought, even Trident, IE's rendering engine, was originally by a 3rd party. I don't know exactly what all this 3rd party stuff changes, unless it means that Linux is able to run 3rd party software securely.
Beyond that, if you read the whole article, Vista was first hacked at the conference using a Java vulnerability the author said could also be used on Linux and MacOS. Another person interviewed said that apparently there was little interest in trying to hack Linux and everyone thought the MacOS would be easiest to hack.
This selective reporting does no one any good and appears to be slanted towards Linux. We need better from independent sources!
Agreed... it's very bizarre. Who knows if it was just theory or if it really could have been done. Although I really don't understand not wanting to win the prize, they could have just sold it even.
The point is that MS does not include Adobe Flash with its product, so MS has no quality control over it. True, many OEMs ship it pre-loaded, so it is HP/Dell/Sony that is responsible for the software, not Microsoft.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
It's not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
+1
The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.
Would have had zero chance of success if the contest was run without a network.
So it's not a real hack because he didn't use a command line?
And I'd like to see you break into ANY computer without network or physical access to it. Besides, network vulnerabilities are the most serious ones because they can potentially be done from absolutely anywhere - once you've got physical access to a machine, any "security" holes are more or less redundant because you can usually do what you want directly to it anyway.
I'd like to add that no OS is unhackable. I have a friend who was employed by a defense contractor as a network monitor who monitored the network and shut down anybody trying to hack in.
These types of contests are great because they bring new exploits to light and give the companies wind of it to fix them. Fantastic no matter who you're "rooting for."
That is not true, the hack was a webpage. The attacker constructed a webpage and doing nothing but viewing that webpage (not downloading code or running a script or doing anything a user should not do) caused the computer to be compromised through Apple's included web browser.
"technically" the OS was at fault for not blocking it?
Oh wait, yeah, I use elinks as my main browser, I refuse to see ****ty images and styles! PWWHOARR!
nope, if it requires flash, i don't visit the website. it's too distracting trying to read anything with all of the ads that blink, and play sound.
when a version of flash or silverlight that allows only running on sites i designate becomes available, then i'll install it.
If you use firefox, you can install an extension that will block all flash objects by default. Or better yet, just block all the ads.
You've pretty much cut yourself off from about 1/3 of the internet's most interesting sites.
you're right, but i'd rather be able to view what i want without being bothered. i hate trying to read articles while being distracted by those "flashing" ads. it's just my choice.
use firefox with adblock
I believe there's a flash block. Only plays the flash when you tell it to.
And as previously stated, adblock does pretty much all the ads so it's a non-issue.
Then surely that's ignoring security prompts and doesn't count... Just the same as going into Windows Firewall, turning it off ignoring the security prompts, then claiming you hacked it because it's off...
Just my two cents.
<snipped>
Wow, that's so clever... Never seen that before...
Well, unless that got hacked as well
fact of the matter is there will always be a way... until AI
All machines will be fully patched and in a default configuration. Simply put, if the vendor shipped it on the box and it's enabled, it's in scope.
Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
Now if you look at Day 1, not one team successfully hacked any of the operating systems without user interaction. On day 2 the Mac OS X was hacked, probably by using one of the similar methods below, I'm thinking:
http://www.engadget.com/2008/02/07/new-iph...oit-discovered/
http://www.engadget.com/2007/07/23/safari-...of-your-iphone/
Also if you look at Dr. Charlie Miller's website, he has hacked the (iPhone) Mac OS X long before with similar exploits...
http://www.securityevaluators.com/iphone/
Excerpt from his technical whitepaper...
In order to find vulnerabilities on the iPhone, a few options are available to a researcher. Using jailbreak and iPhoneInterface, the binaries can be extracted from the device and statically analyzed, using a disassembler. Additionally, since the MobileSafari and MobileMail applications are based on the open source WebKit project, a source code audit of that package can be performed. Finally, dynamic analysis, or fuzzing, can be executed against the device. This involves sending malformed data to the device in an effort to cause a fault and make it crash. Such fuzzing can be performed against applications such as MobileSafari or against the WiFi or BlueTooth stack.
The vulnerability we discovered and exploited was found in MobileSafari using fuzzing.
http://www.securityevaluators.com/iphone/bh07.pdf -worth reading
Last edited by ibetheone on 30 Mar 2008 - 17:23
http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up
http://www.engadget.com/2008/03/29/linux-b...-own-unscathed/
In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."
Just some FYI for others (not you markjensen as you are unbiased if I have ever seen anyone! - not sarcasm), the Vista was 32bit and did not have SP1 installed and Adobe's flash application was the undoing of the system.
Last edited by dtomilson on 30 Mar 2008 - 18:01
What I read was that the hackers did not want to have to code a script and that it was going to take too much time and effort.
I find it hard to believe people would turn down a large cash prize, the laptop, and the publicity just to figure out code to exploit the other two platforms. OSX was compromised by linking to a URL. Vista with a flash exploit. Surely something like that would work on the Ubuntu box, ya think?
I have said that the Ubuntu box is not immune to hacking, and even argued against an "unhackable" designation in a BPN thread (stupid thing to say about any OS). But I see no reason to say that no one tried to hack the Ubuntu box.
EDIT: I am honest enough to say that I *am* biased toward Open Source systems like Linux. It is what I prefer, and I support the use of Linux. However, I do try to form and express opinions on other OSes in a reasonable and logical manner. I appreciate that I get recognized as being somewhat level-headed
Which is nothing at all like claiming no one tried.
In all fairness to Vista - Adobe is the problem here not Microsoft. I am afraid Adobe is becoming more like Corel every day - they tend to take a great idea and just introduce all kinds of bugs and bloat to the solution.
In all fairness to Vista - Adobe is the problem here not Microsoft.
It is bad, no matter how you slice it, and must get fixed.
I'm wondering how it got out of the IE sandbox in the first place. Was Flash in IE or Mozilla?
Now, if it broke out of IE, then yes Microsoft should fix things. If it was from another app like Mozilla, then there's not much Microsoft can do, if you install flawed software, you're going to have a problem, in any OS.
But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.
Sad world.
I have no idea how you got from anti-trust to Microsoft being powerless.
He means how MS has bent over for anti-virus writers over kernel protection before. And they were talking about crying to the DoJ iirc. Also before SP1 for Vista Google moaned and cried to the DoJ and MS made those small search changes in the Vista UI.
So in a sense, MS is forced to make changes if you cry enough to the government.
If you like to actually save and use data in multiple programs, they actually have to talk to each other. There's not much the OS can do if one of those programs decides to send your data off to the Internet, especially if one of the features of the program is to send data off to the Internet.
You can sandbox every application and lose the ability to exchange data between programs, or you can set tiers of security and apps in each tier can communicate with each other. If one of the programs in the tier is flawed, all of the data available to that tier can be compromised. I don't view that as a flaw in the OS, as all systems operate on similar levels of access.
What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox.
Flash runs a program, FlashUtil9e.exe; this executable is used to bypass all protected mode restrictions imposed by IE.
You can safely delete this executable if you want to prevent Flash from elevating itself.
Well that answers your question. Why oh why does flash even need that if all it's doing is playing stuff within the browser?
I suppose you could blame MS for allowing adobe to have that in the first place.
'haxxorz' would be slamming their own system of choice - you know they love to target MS, and were far more motivated to do so, following the MS hate wave.
Wow. I disagree with everything you just said.
I'm a Linux advocate, but I don't see the point in saying "Linux won only because Vista is easier to hack," or "Vista sucks! Linux rocks!" or anything else along those lines. While I personally feel that Linux is better than Vista, I feel compelled to note that the reason isn't better security. Of course, if Vista is at fault then it would be a definite advantage to the pro-Linux arguments. Also, saying that Linux is difficult to hack isn't necessarily true. The source is open for any hacker that wants to look at it. Why is it then that Windows is more often hacked than Linux? That is the question people should be asking if they want to argue Windows vs Linux, in my opinion. The most common answer is that Windows is more widespread. That is probably one reason, but it can't possibly be the only reason for thousands of hacks in Windows vs hundreds in Linux ("hundreds" is actually the high figure that I randomly put in there because the number of Windows hacks is at least ten times more than the number of Linux hacks).
I've resolved to stop my Vista bashing, despite the fact that it is so painful for me. Why? Vista isn't painful for everybody. For that reason, I feel Linux haters should also bash Linux less often. After all, the Linux experience isn't bad for everybody. This is coming from someone that vehemently feels Linux should have won against Windows years ago.
Why do people bash anything for that matter?
Answer: too much time on their hands.
http://www.networkworld.com/news/2008/0329...rc=rss-security
I think I would put my money on Flash, until some time that the contest holders say that they were wrong.
Now, if they manage to improve usability as much as they worked on security for Vista, Windows 7 will be a great OS.
Anyway,
Yay, Linux!!
+1.
Hacker basement :|
What is the user base most commonly susceptible to hacker attacks:
DUMB COMMON USERS
What we feel are good safety measures, and what we install/run/use/beatoff (for the lulz) too is higher quality than the average user, and different. The common user has Adobe Flash installed either because their kid installed it because their favorite web chat needs it or some dumb website told them to. I haven't installed a copy of Adobe Flash since Win 98. But it doesn't mean it is not a perfect weakness for current users.