Vista hacked on 3rd day thru Adobe Flash. Linux Undefeated.
Posted by HappyAndyK via WinVistaClub on 30 March 2008 - 14:51 · 84 comments & 42594 views
About the Author
Full name: Unknown
Forum name: +HappyAndyK
Contact: via forum PM
Submissions: Normal · Headline
Full name: Unknown
Forum name: +HappyAndyK
Contact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
(11 replies)
#1 Posted by McLuke on 30 Mar 2008 - 15:14
- So it's the 3rd party software hacked, technically we cannot say it's the OS that has the software hacked. Right?
If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality. -
#1.1 Posted by SimNet on 30 Mar 2008 - 17:34
- (McLuke said @ #1)So it's the 3rd party software hacked, technically we cannot say it's the OS that has the software hacked. Right?
If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.
The applications are standard, GPS doesn't come in all cars thus ur analogy is faulty itself.
A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc
The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.
In a way, you're right, it's the App's fault, But the tire itself being weak and being installed on the car leads the car vunlerable. -
#1.2 Posted by Tikitiki on 30 Mar 2008 - 18:00
- (SimNet said @ #1.1)(McLuke said @ #1)So it's the 3rd party software hacked, technically we cannot say it's the OS that has the software hacked. Right?
If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.
The applications are standard, GPS doesn't come in all cars thus ur analogy is faulty itself.
A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc
The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.
In a way, you're right, it's the App's fault, But the tire itself being weak and being installed on the car leads the car vunlerable.
Adobe doesn't come with windows by default, therefore his analogy is perfect. You'd have to manually download it and install it. -
#1.3 Posted by HalcyonX12 on 30 Mar 2008 - 18:18
- (McLuke said @ #1)So it's the 3rd party software hacked, technically we cannot say it's the OS that has the software hacked. Right?
IE's secure mode is supposed to prevent plugins from being taken advantage of in this way, any word if this was exploited? I mean, Linux runs Flash too... -
#1.4 Posted by ivanz on 30 Mar 2008 - 19:17
- Linux has thousands of "3rd party" software which comes standard...so I fail to see the analogy.
-
#1.5 Posted by seamer on 31 Mar 2008 - 00:09
- (ivanz said @ #1.4)Linux has thousands of "3rd party" software which comes standard...so I fail to see the analogy.
Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.
And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see. -
#1.6 Posted by HalcyonX12 on 31 Mar 2008 - 00:52
- (seamer said @ #1.5)(ivanz said @ #1.4)Linux has thousands of "3rd party" software which comes standard...so I fail to see the analogy.
Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.
And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.
On Ubuntu 7.10 (which they were using in the contest) you can install it by default through firefox, it has a modified version
Last edited by HalcyonX12 on 31 Mar 2008 - 01:04 -
#1.7 Posted by ivanz on 31 Mar 2008 - 03:54
- (seamer said @ #1.5)(ivanz said @ #1.4)Linux has thousands of "3rd party" software which comes standard...so I fail to see the analogy.
Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.
And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.
...and flash is standard in Windows? I think not.
My point is 100% of the software in Linux is "3rd party," whereas everything in the base install of OSX and Windows is developed by the company. -
#1.8 Posted by HalcyonX12 on 31 Mar 2008 - 05:55
- (ivanz said @ #1.7)...and flash is standard in Windows? I think not.
My point is 100% of the software in Linux is "3rd party," whereas everything in the base install of OSX and Windows is developed by the company.
Ok, but either way, flash was how Windows was hacked, and is available on Linux but it wasn't hacked. Windows also contains a lot of code from 3rd parties in the form of drivers and from software from the various companies they bought, even Trident, IE's rendering engine, was originally by a 3rd party. I don't know exactly what all this 3rd party stuff changes, unless it means that Linux is able to run 3rd party software securely. -
#1.9 Posted by The RatMan! on 31 Mar 2008 - 13:11
- Your analogy is correct.
Beyond that, if you read the whole article, Vista was first hacked at the conference using a Java vulnerability the author said could also be used on Linux and MacOS. Another person interviewed said that apparently there was little interest in trying to hack Linux and everyone thought the MacOS would be easiest to hack.
This selective reporting does no one any good and appears to be slanted towards Linux. We need better from independent sources! -
#1.10 Posted by HalcyonX12 on 31 Mar 2008 - 16:46
- (The RatMan! said @ #1.9)Your analogy is correct.
Beyond that, if you read the whole article, Vista was first hacked at the conference using a Java vulnerability the author said could also be used on Linux and MacOS. Another person interviewed said that apparently there was little interest in trying to hack Linux and everyone thought the MacOS would be easiest to hack.
This selective reporting does no one any good and appears to be slanted towards Linux. We need better from independent sources!
Agreed... it's very bizarre. Who knows if it was just theory or if it really could have been done. Although I really don't understand not wanting to win the prize, they could have just sold it even. -
#1.11 Posted by sphbecker on 01 Apr 2008 - 14:17
- (SimNet said @ #1.1)(McLuke said @ #1)So it's the 3rd party software hacked, technically we cannot say it's the OS that has the software hacked. Right?
If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.
The applications are standard, GPS doesn't come in all cars thus ur analogy is faulty itself.
A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc
The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.
In a way, you're right, it's the App's fault, But the tire itself being weak and being installed on the car leads the car vunlerable.
The point is the MS does not include Adobe Flash with its product, so MS has no quality control over it. True, many OEMs ship it pre-loaded, so it is HP/Dell/Sony that is responsible for the software, not Microsoft.
-
(9 replies)
#2 Posted by craybox on 30 Mar 2008 - 15:22
- lets hope that Apple will take note and enforce security a little more against 3rd party holes if they can.
-
#2.1 Posted by winmoose on 30 Mar 2008 - 16:49
- Apples problem was not 3rd party, it was a component of their own OS.
-
#2.2 Posted by n_K on 30 Mar 2008 - 17:37
- (winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders -
#2.3 Posted by shockz on 30 Mar 2008 - 19:24
- (n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders. -
#2.4 Posted by Deviate_X on 30 Mar 2008 - 20:34
- (shockz said @ #2.3)(n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny. -
#2.5 Posted by theyarecomingforyou on 30 Mar 2008 - 21:04
- (Deviate_X said @ #2.4)Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
+1 -
#2.6 Posted by seamer on 31 Mar 2008 - 00:11
- (Deviate_X said @ #2.4)(shockz said @ #2.3)(n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.
Would have had zero chance of success if the contest was run without a network. -
#2.7 Posted by +Kushan on 31 Mar 2008 - 00:50
- (seamer said @ #2.6)(Deviate_X said @ #2.4)(shockz said @ #2.3)(n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.
Would have had zero chance of success if the contest was run without a network.
So it's not a real hack because he didn't use a command line?
And I'd like to see you break into ANY computer without network or physical access to it. Besides, network vulnerabilities are the most serious ones because they can potentially be done from absolutely anywhere - once you've got physical access to a machine, any "security" holes are more or less redundant because you can usually do what you want directly to it anyway. -
#2.8 Posted by QuarterSwede on 31 Mar 2008 - 05:06
- (Kushan said @ #2.7)(seamer said @ #2.6)(Deviate_X said @ #2.4)(shockz said @ #2.3)(n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.
Would have had zero chance of success if the contest was run without a network.
So it's not a real hack because he didn't use a command line?
And I'd like to see you break into ANY computer without network or physical access to it. Besides, network vulnerabilities are the most serious ones becaus e they can potentially be done from absolutely anywhere - once you've got physical access to a machine, any "security" holes are more or less redundant because you can usually do what you want directly to it anyway.
I'd like to add that no OS is unhackable. I have a friend who was employed by a defense contractor as a network monitor who monitored the network and shut down anybody trying to hack in.
These types of contests are great because they bring new exploits to light and give the companies wind of it to fix them. Fantastic no matter who your "rooting for." -
#2.9 Posted by sphbecker on 01 Apr 2008 - 14:20
- (seamer said @ #2.6)(Deviate_X said @ #2.4)(shockz said @ #2.3)(n_K said @ #2.2)(winmoose said @ #2.1)Apples problem was not 3rd party, it was a component of their own OS.
Own ? Apple made it ? Heh true actually, BSD doesn't seem to have the problem, haha apple can't even hire good coders
Right... having a rock solid OS pretty much proves they have great coders.
Its not a rock solid OS if it gets compromised after 2 minutes of scrutiny.
The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.
Would have had zero chance of success if the contest was run without a network.
That is not true, the hack was a webpage. The attacker constructed a webpage and doing nothing but viewing that webpage (not downloading code or running a script or doing anything a user should not do) caused the computer to be compromised through Apple's included web browser.
-
#3 Posted by naap51stang on 30 Mar 2008 - 15:23
- If the OS could block the 3rd party software......
"technically" the OS was at fault for not blocking it?
-
#4 Posted by +Neo003 on 30 Mar 2008 - 15:24
- Don't you have to install Flash first in Windows, Flash or shockwave don't come with windows OS.
-
(7 replies)
#5 Posted by gkeramidas on 30 Mar 2008 - 15:26
- i refuse to install that piece of junk flash on any of my pc's.
-
#5.2 Posted by hotdog963al on 30 Mar 2008 - 16:21
- LOL. O_o
Oh wait, yeah, I use elinks as my main browser, I refuse to see ****ty images and styles! PWWHOARR! -
#5.3 Posted by gkeramidas on 30 Mar 2008 - 23:27
- (acxz said @ #5.1)So you never watch videos on YouTube? o.O
nope, if it requires flash, i don't visit the website. it's too distracting trying to read anything with all of the ads that blink, and play sound.
when a version of flash or silverlight that allows only running on sites i designate becomes available, then i'll install it. -
#5.4 Posted by +Kushan on 31 Mar 2008 - 00:54
- (gkeramidas said @ #5.3)(acxz said @ #5.1)So you never watch videos on YouTube? o.O
nope, if it requires flash, i don't visit the website. it's too distracting trying to read anything with all of the ads that blink, and play sound.
when a version of flash or silverlight that allows only running on sites i designate becomes available, then i'll install it.
If you use firefox, you can install an extension that will block all flash objects by default. Or better yet, just block all the ads.
You've pretty much cut yourself off from about 1/3 of the internet's most interesting sites. -
#5.5 Posted by gkeramidas on 31 Mar 2008 - 02:47
- (Kushan said @ #5.4)(gkeramidas said @ #5.3)(acxz said @ #5.1)So you never watch videos on YouTube? o.O
nope, if it requires flash, i don't visit the website. it's too distracting trying to read anything with all of the ads that blink, and play sound.
when a version of flash or silverlight that allows only running on sites i designate becomes available, then i'll install it.
If you use firefox, you can install an extension that will block all flash objects by default. Or better yet, just block all the ads.
You've pretty much cut yourself off from about 1/3 of the internet's most interesting sites.
you're right, but i'd rather be able to view what i want without being bothered. i hate trying to read articles while being distracted by those "flashing" ads. it's just my choice. -
#5.6 Posted by mrp04 on 31 Mar 2008 - 03:00
- (gkeramidas said @ #5.3)(acxz said @ #5.1)So you never watch videos on YouTube? o.O
nope, if it requires flash, i don't visit the website. it's too distracting trying to read anything with all of the ads that blink, and play sound.
when a version of flash or silverlight that allows only running on sites i designate becomes available, then i'll install it.
use firefox with adblock -
#5.7 Posted by Dakkaroth on 31 Mar 2008 - 04:35
- (gkeramidas said @ #5.5)you're right, but i'd rather be able to view what i want without being bothered. i hate trying to read articles while being distracted by those "flashing" ads. it's just my choice.
I believe there's a flash block. Only plays the flash when you tell it to.
And as previously stated, adblock does pretty much all the ads so it's a non-issue.
-
#7 Posted by NimrodUK on 30 Mar 2008 - 15:29
- Last time I used IE7 (Which I assume with the so called no third party installs they used, even though Flash is one?) when I attempted to install flash not only did I get a UAC pop up, but also IE7 Protected Mode moaned at me saying content would run outside the protected mode if I installed flash?
Then surely that's ignoring security prompts and doesn't count... Just the same as going into Windows Firewall, turning it off ignoring the security prompts, then claiming you hacked it because its off...
Just my two cents.
-
(3 replies)
#8 Posted by Dualkelly on 30 Mar 2008 - 15:29
- if you think of an OS as a house and you build the walls out of 4inch lead and 2 inch steel and you use 8 inch steel doors and locks that are ultra secure but in your living room you put in big bright glass windows you defeat the purpose... it doesnt matter that your alarm system is hooked directly to your local troopers office a 2 year old can break into your house and destroy your life and livelyhood within seconds with just a brick... just a thought
-
#8.2 Posted by +GreyWolfSC on 30 Mar 2008 - 21:14
- [quote=n_K said,#8.1][quote=Dualkelly said,#8]if you think of an OS as a house...[/quote]
<snipped>
Wow, that's so clever... Never seen that before...
-
#9 Posted by +Neo003 on 30 Mar 2008 - 15:35
- ^ Dualkelly
It's an OS not a car (Mcluke) and not a house, If there's a security flaw is someone else's software who's fault is that. It's Adobe's job to make the software secure and MS to enforce it.
-
#10 Posted by +tunafish on 30 Mar 2008 - 15:49
- we all know adobe flash has major problems, it causes IE and FF to crash, not to mention the fact someone used a flow in it to hack an OS.
-
#12 Posted by mocax on 30 Mar 2008 - 16:07
- More ammo for Silverlight?
Well, unless that got hacked as well
-
#13 Posted by Dualkelly on 30 Mar 2008 - 16:37
- neo its an analogy.. the os is at fault if it allows 3rd party apps doesnt matter what OS it is...
fact of the matter is there will always be a way... until AI
-
#14 Posted by ibetheone on 30 Mar 2008 - 16:52
- http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up
All machines will be fully patched and in a default configuration. Simply put, if the vendor shipped it on the box and it's enabled, it's in scope.
Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
Now if you look at Day 1, not one team successfully hacked any of the operating systems without user interaction. On day 2 the mac os x was hacked prolly by using one of the similar methods below im thinking http://www.engadget.com/2008/02/07/new-iph...oit-discovered/
http://www.engadget.com/2007/07/23/safari-...of-your-iphone/
Also if you look at Dr. Charlie Millers website, he has hacked the (iphone)mac os x long before with similar exploits.....
http://www.securityevaluators.com/iphone/
Excerpt from his techincal whitepaper....
In order to find vulnerabilities on the iPhone,
a few options are available to a researcher.
Using jailbreak and iPhoneInterface, the binaries
can be extracted from the device and
statically analyzed, using a disassembler.
Additionally, since the MobileSafari and MobileMail
applications are based on the open
source WebKit project, a source code audit of
that package can be performed. Finally, dynamic
analysis, or fuzzing, can be executed
against the device. This involves sending
malformed data to the device in an effort to
cause a fault and make it crash. Such fuzzing
can be performed against applications
such as MobileSafari or against the WiFi or
BlueTooth stack.
The vulnerability we discovered and exploited
was found in MobileSafari using fuzzing.
http://www.securityevaluators.com/iphone/bh07.pdf -worth reading
Last edited by ibetheone on 30 Mar 2008 - 17:23
-
#15 Posted by Intelman on 30 Mar 2008 - 17:07
- Dualkelly, while it maybe an analogy, it isn't a very good one, I do not agree. I think Neo003 was making the same point.
-
(1 reply)
#16 Posted by dtomilson on 30 Mar 2008 - 17:33
- Nobody paid any attention to this at all. The hackers did not even TRY to hack the Linux box. They were too lazy.
http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up -
#16.1 Posted by
markjensen on 30 Mar 2008 - 17:40
- (dtomilson said @ #16)Nobody paid any attention to this at all. The hackers did not even TRY to hack the Linux box. They were too lazy.Where does it say that no one tried hacking the Ubuntu box? Nowhere.
http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up
-
(1 reply)
#17 Posted by dtomilson on 30 Mar 2008 - 17:45
- Okay, so it was another site. I am not sure how credible it is now. But nonetheless..
http://www.engadget.com/2008/03/29/linux-b...-own-unscathed/
In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."
Just some FYI for others (not you markjensen as you are unbiased if I have ever seen anyone! - not sarcasm), the Vista was 32bit and did not have SP1 installed and Adobe's flash application was the undoing of the system.
Last edited by dtomilson on 30 Mar 2008 - 18:01 -
#17.1 Posted by markjensen on 30 Mar 2008 - 17:58
- (dtomilson said @ #17)Well I know I read it markjensen. I am sure I saw it on digg and the link I provided did have that information. I will try looking again.Oh, you read that. Somewhere. Do you have a credible link?
What I read was that the hackers did not want to have to code a script and that it was going to take too much time and effort.
Just some FYI for others (not you markjensen as you are unbiased if I have ever seen anyone! - not sarcasm), the Vista was 32bit and did not have SP1 installed and Adobe's flash application was the undoing of the system.
I find it hard to believe people would turn down a large cash prize, the laptop, and the publicity just to figure out code to exploit the other two platforms. OSX was compromised by linking to a URL. Vista with a flash exploit. Surely something like that would work on the Ubuntu box, ya think?
I have said that the Ubuntu box is not immune to hacking, and even argued against an "unhackable" designation in a BPN thread (stupid thing to say about any OS). But I see no reason to say that no one tried to hack the Ubuntu box.
EDIT: I am honest enough to say that I *am* biased toward Open Source systems like Linux. It is what I prefer, and I support the use of Linux. However, I do try to form and express opinions on other OSes in a reasonable and logical manner. I appreciate that I get recognized as being somewhat level-headed
-
(1 reply)
#18 Posted by dtomilson on 30 Mar 2008 - 18:02
- I updated my post mark.
-
#18.1 Posted by markjensen on 30 Mar 2008 - 18:08
- I see that. One team claims to have identified a vulnerable vector. But did not attempt to exploit.
Which is nothing at all like claiming no one tried.
-
(1 reply)
#19 Posted by dtomilson on 30 Mar 2008 - 18:11
- I beg for your forgiveness.
-
#19.1 Posted by markjensen on 30 Mar 2008 - 18:13
- Nevah!
-
(1 reply)
#20 Posted by Tuffgong4 on 30 Mar 2008 - 18:46
- were all these systems fully up to date? (example w ith service pack 1 for vista installed?)
-
#20.1 Posted by markjensen on 30 Mar 2008 - 18:48
- Yes. All systems were fully updated with all released patches.
-
(9 replies)
#21 Posted by surfer777 on 30 Mar 2008 - 19:27
- A closer comparison would be to compare Linux to Windows Server 2008.
In all fairness to Vista - Adobe is the problem here not Microsoft. I am afraid Adobe is becoming more like Corel every day - they tend to take a great idea and just introduce all kinds of bugs and bloat to the solution. -
#21.1 Posted by markjensen on 30 Mar 2008 - 20:04
- (surfer777 said @ #21)...That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.
In all fairness to Vista - Adobe is the problem here not Microsoft.
It is bad, no matter how you slice it, and must get fixed. -
#21.2 Posted by Joe USer on 30 Mar 2008 - 20:18
- (markjensen said @ #21.1)(surfer777 said @ #21)...That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.
In all fairness to Vista - Adobe is the problem here not Microsoft.
It is bad, no matter how you slice it, and must get fixed.
I'm wondering how it got out of the IE sandbox in the first place. Was Flash in IE or Mozilla?
Now, if it broke out of IE, then yes Microsoft should fix things. If it was from another app like Mozilla, then there's not much Microsoft can do, if you install flawed software, you're going to have a problem, in any OS. -
#21.3 Posted by Islander on 30 Mar 2008 - 20:25
- (markjensen said @ #21.1)(surfer777 said @ #21)...That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.
In all fairness to Vista - Adobe is the problem here not Microsoft.
But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.
Sad world. -
#21.4 Posted by markjensen on 30 Mar 2008 - 20:46
- (Islander said @ #21.3)But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.Huh?
Sad world.
I have no idea how you got from anti-trust to Microsoft being powerless. -
#21.5 Posted by GP007 on 30 Mar 2008 - 23:52
- (markjensen said @ #21.4)(Islander said @ #21.3)But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.Huh?
Sad world.
I have no idea how you got from anti-trust to Microsoft being powerless.
He means how MS has bent over for anti-virus writers over kernel protection before. And they were talking about crying to the DoJ iirc. Also before SP1 for Vista Google moaned and cried to the DoJ and MS made those small search changes in the Vista UI.
So in a sense, MS is forced to make changes if you cry enough to the government. -
#21.6 Posted by markjensen on 31 Mar 2008 - 00:15
- My point is that those are all non-technical items. None of them are a reason why arbitrary user/system data should be sent because of an app compromise.
-
#21.7 Posted by Joe USer on 31 Mar 2008 - 03:53
- (markjensen said @ #21.6)My point is that those are all non-technical items. None of them are a reason why arbitrary user/system data should be sent because of an app compromise.
If you like to actually save and use data in multiple programs, they actually have to talk to each other. There's not much the OS can do if one of those programs decides to send your data off to the Internet, especially if one of the features of the program is to send data off to the Internet.
You can sandbox every application and lose the ability to exchange data between programs, or you can set tiers of security and apps in each tier can communicate with each other. If one of the programs in the tier is flawed, all of the data available to that tier can be compromised. I don't view that as a flaw in the OS, as all systems operate on similar levels of access.
What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox. -
#21.8 Posted by Express on 31 Mar 2008 - 04:40
- (Joe USer said @ #21.7)What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox.
Flash runs an program FlashUtil9e.exe, this executable is used to bypass all protected mode restrictions imposed by IE.
You can safely delete this executable if you want to prevent Flash from elevating itself. -
#21.9 Posted by GP007 on 31 Mar 2008 - 06:05
- (Express said @ #21.
(Joe USer said @ #21.7)What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox.
Flash runs an program FlashUtil9e.exe, this executable is used to bypass all protected mode restrictions imposed by IE.
You can safely delete this executable if you want to prevent Flash from elevating itself.
Well that answers your question. Why oh why does flash even need that if all it's doing is playing stuff within the browser?
I suppose you could blame MS for allowing adobe to have that in the first place.
-
(3 replies)
#22 Posted by Jaybonaut on 30 Mar 2008 - 20:15
- This is BS, you know damn well that no one worked their ass off to the extreme to TRY to hack anything with Linux - and you know it isn't because it would be too hard.
'haxxorz' would be slamming their own system of choice - you know they love to target MS, and were far more motivated to do so, following the MS hate wave. -
#22.1 Posted by ichi on 30 Mar 2008 - 23:04
- Sure, because absolutely no one wanted $10000 and a laptop
-
#22.2 Posted by Eis on 30 Mar 2008 - 23:20
- (Jaybonaut said @ #1)This is BS, you know damn well that no one worked their ass off to the extreme to TRY to hack anything with Linux - and you know it isn't because it would be too hard.
'haxxorz' would be slamming their own system of choice - you know they love to target MS, and were far more motivated to do so, following the MS hate wave.
Wow. I disagree with everything you just said.
-
(1 reply)
#23 Posted by rpgfan on 30 Mar 2008 - 21:31
- Why are people bashing this result? Has anybody considered the possibility that it could be the fault of the developers of the Flash technology? If that is the case, then both Vista and Linux are possibly at risk, unless it is a Vista-specific (or even Windows-specific) problem caused by the plugin system's behavior or the way Vista itself works.
I'm a Linux advocate, but I don't see the point in saying "Linux won only because Vista is easier to hack," or "Vista sucks! Linux rocks!" or anything else along those lines. While I personally feel that Linux is better than Vista, I feel compelled to note that the reason isn't better security. Of course, if Vista is at fault then it would be a definite advantage to the pro-Linux arguments. Also, saying that Linux is difficult to hack isn't necessarily true. The source is open for any hacker that wants to look at it. Why is it then that Windows is more often hacked than Linux? That is the question people should be asking if they want to argue Windows vs Linux, in my opinion. The most common answer is that Windows is more widespread. That is probably one reason, but it can't possibly be the only reason for thousands of hacks in Windows vs hundreds in Linux ("hundreds" is actually the high figure that I randomly put in there because the number of Windows hacks is at least ten times more than the number of Linux hacks).
I've resolved to stop my Vista bashing, despite the fact that it is so painful for me. Why? Vista isn't painful for everybody. For that reason, I feel Linux haters should also bash Linux less often. After all, the Linux experience isn't bad for everybody. This is coming from someone that vehemently feels Linux should have won against Windows years ago.
"The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall through the OS X operating system."
The MacBook Air went first; a Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.