Vista hacked on 3rd day through Adobe Flash. Linux undefeated.

After the Mac was hacked in 2 minutes at the CanSecWest conference, it was Vista's turn to fall on the 3rd day. Vista was compromised through a popular 3rd party application, Adobe Flash, once third-party software came into scope; the operating system itself was not breached on the days when only the OS and its bundled applications were targets.

"The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall through the OS X operating system."

The MacBook Air went first; a Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.

84 Comments

Maybe we need an Open Programming Philosophy as well as a Free Software Licence here. Something to do with keeping terminals predictable N times out of N say.

One thing ALL of you have failed to realize:

What is the user base most commonly susceptible to hacker attacks:

DUMB COMMON USERS

What we feel are good safety measures, and what we install/run/use/beat off (for the lulz) to, is higher quality than the average user's, and different. The common user has Adobe Flash installed either because their kid installed it because their favorite web chat needs it, or because some dumb website told them to. I haven't installed a copy of Adobe Flash since Win 98. But that doesn't mean it is not a perfect weakness for current users.

Can anyone recommend a non-emulated flash player for me for arch linux please? Slightly off topic perhaps as they seem to be suggested to all be secure? Anything I can yaourt from source would be perfect at this point Thanks for reading so feel free to get back on topic below.

Wonder why they didn't test XP also, just for the heck of it, seeing as it is still so widely used?

Anyway,
Yay, Linux!! :redface:

Indeed! I don't think that anyone can argue that windows has become wayyyyy more secure, and that's coming from an apple user.
Now, if they manage to improve usability as much as they worked on security for Vista, Windows 7 will be a great OS.

Why are people bashing this result? Has anybody considered the possibility that it could be the fault of the developers of the Flash technology? If that is the case, then both Vista and Linux are possibly at risk, unless it is a Vista-specific (or even Windows-specific) problem caused by the plugin system's behavior or the way Vista itself works.

I'm a Linux advocate, but I don't see the point in saying "Linux won only because Vista is easier to hack," or "Vista sucks! Linux rocks!" or anything else along those lines. While I personally feel that Linux is better than Vista, I feel compelled to note that the reason isn't better security. Of course, if Vista is at fault then it would be a definite advantage to the pro-Linux arguments. Also, saying that Linux is difficult to hack isn't necessarily true. The source is open for any hacker that wants to look at it. Why is it then that Windows is more often hacked than Linux? That is the question people should be asking if they want to argue Windows vs Linux, in my opinion. The most common answer is that Windows is more widespread. That is probably one reason, but it can't possibly be the only reason for thousands of hacks in Windows vs hundreds in Linux ("hundreds" is actually the high figure that I randomly put in there because the number of Windows hacks is at least ten times more than the number of Linux hacks).

I've resolved to stop my Vista bashing, despite the fact that it is so painful for me. Why? Vista isn't painful for everybody. For that reason, I feel Linux haters should also bash Linux less often. After all, the Linux experience isn't bad for everybody. This is coming from someone that vehemently feels Linux should have won against Windows years ago. :P

(rpgfan said @ #1)
Why are people bashing this result?...

Why do people bash anything for that matter?

Answer: too much time on their hands.

This is BS, you know damn well that no one worked their ass off to the extreme to TRY to hack anything with Linux - and you know it isn't because it would be too hard.

'haxxorz' would be slamming their own system of choice - you know they love to target MS, and were far more motivated to do so, following the MS hate wave.

(Jaybonaut said @ #1)
This is BS, you know damn well that no one worked their ass off to the extreme to TRY to hack anything with Linux - and you know it isn't because it would be too hard.

'haxxorz' would be slamming their own system of choice - you know they love to target MS, and were far more motivated to do so, following the MS hate wave.

Wow. I disagree with everything you just said.

C'mon, you know the type. My scenario is far more likely than the opposite. Is there some underground community that is doing everything in its power to move people to MS other than MS themselves?

A closer comparison would be to compare Linux to Windows Server 2008.

In all fairness to Vista - Adobe is the problem here not Microsoft. I am afraid Adobe is becoming more like Corel every day - they tend to take a great idea and just introduce all kinds of bugs and bloat to the solution.

(surfer777 said @ #21)
...
In all fairness to Vista - Adobe is the problem here not Microsoft.
That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.

It is bad, no matter how you slice it, and must get fixed.

(markjensen said @ #21.1)
That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.

It is bad, no matter how you slice it, and must get fixed.

I'm wondering how it got out of the IE sandbox in the first place. Was Flash in IE or Mozilla?

Now, if it broke out of IE, then yes Microsoft should fix things. If it was from another app like Mozilla, then there's not much Microsoft can do, if you install flawed software, you're going to have a problem, in any OS.

(markjensen said @ #21.1)
That is just trying to rationalize the problem. Yes, Adobe has the flaw, but the OS allowed the compromise to succeed and file contents were read remotely. In this case, the remote hacker would have been potentially able to read banking info, or system files.

But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.

Sad world.

(Islander said @ #21.3)
But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.

Sad world.

Huh?

I have no idea how you got from anti-trust to Microsoft being powerless.

(markjensen said @ #21.4)
(Islander said @ #21.3)
But it's also true the more Windows is being restricted for software integration, the more companies start crying and whining, we have seen it not long ago with antivirus software, haven't we? If Microsoft (just to give a concrete example) would completely deny system access [beyond the browser] to the flash plugin, the plugin would probably stop working. And Adobe would not recode their software... they would sue Microsoft.

Sad world.

Huh?

I have no idea how you got from anti-trust to Microsoft being powerless.

He means how MS has bent over for anti-virus writers over kernel protection before. And they were talking about crying to the DoJ iirc. Also before SP1 for Vista Google moaned and cried to the DoJ and MS made those small search changes in the Vista UI.

So in a sense, MS is forced to make changes if you cry enough to the government.

My point is that those are all non-technical items. None of them are a reason why arbitrary user/system data should be sent because of an app compromise.

(markjensen said @ #21.6)
My point is that those are all non-technical items. None of them are a reason why arbitrary user/system data should be sent because of an app compromise.

If you like to actually save and use data in multiple programs, they actually have to talk to each other. There's not much the OS can do if one of those programs decides to send your data off to the Internet, especially if one of the features of the program is to send data off to the Internet.

You can sandbox every application and lose the ability to exchange data between programs, or you can set tiers of security and apps in each tier can communicate with each other. If one of the programs in the tier is flawed, all of the data available to that tier can be compromised. I don't view that as a flaw in the OS, as all systems operate on similar levels of access.

What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox.

(Joe USer said @ #21.7)
What concerns me is that normally Vista keeps IE in a sandbox, called Protected mode, and runs it at a very low level of security, with very little access to files. Which is why I want to see more details about how flash got out of protected mode and gained system access. The only ways I could really see this happening is if Protected mode was off, flash wasn't running in IE (e.g. in mozilla or opera), or they broke IE's sandbox.

Flash runs a program, FlashUtil9e.exe; this executable is used to bypass all Protected Mode restrictions imposed by IE.
You can safely delete this executable if you want to prevent Flash from elevating itself.

(Express said @ #21.8)

Flash runs a program, FlashUtil9e.exe; this executable is used to bypass all Protected Mode restrictions imposed by IE.
You can safely delete this executable if you want to prevent Flash from elevating itself.

Well that answers your question. Why oh why does flash even need that if all it's doing is playing stuff within the browser?

I suppose you could blame MS for allowing adobe to have that in the first place.
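The two comments above (the question of how Flash got out of IE7 Protected Mode, and the answer pointing at FlashUtil9e.exe) turn on one mechanism: Protected Mode runs the browser at Low integrity, and the sanctioned way for a helper process to run at the user's normal integrity level is an entry under the Internet Explorer "Low Rights\ElevationPolicy" registry key, where a Policy value of 3 means "launch silently at Medium integrity". The script below is an added example for this thread, not code from the page or from Adobe or Microsoft. It audits that key for silent-elevation entries; on a non-Windows machine (or if the key is absent) it falls back to a constructed sample. The sample GUIDs and the second sample executable are placeholders, and the assumption that FlashUtil9e.exe registers itself there is taken from the comment above, not verified here.

```python
"""Audit Internet Explorer 7 Protected Mode elevation policies.

Protected Mode runs IE at Low integrity. A process that needs the user's
normal (Medium) integrity from inside IE must be listed under
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy.
A Policy value of 3 is "launch silently at Medium integrity": an escape
hatch from the sandbox that deserves review.

Added example for the thread; SAMPLE_ENTRIES is constructed data.
"""

ELEVATION_POLICY_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"

POLICY_MEANING = {
    0: "blocked by Protected Mode",
    1: "runs at Low integrity (still sandboxed)",
    2: "user is prompted before elevating",
    3: "launches silently at Medium integrity",
}


def risky_entries(entries, allow=()):
    """Return entries that leave the sandbox without a prompt (Policy 3),
    skipping executables on an explicit allow list (case-insensitive names).

    entries: iterable of dicts with keys guid, AppName, AppPath, Policy.
    """
    allowed = {a.lower() for a in allow}
    found = []
    for entry in entries:
        if entry.get("Policy") != 3:
            continue
        if (entry.get("AppName") or "").lower() in allowed:
            continue
        found.append(entry)
    return found


def describe(entry):
    """One-line report for an entry."""
    meaning = POLICY_MEANING.get(entry.get("Policy"), "unknown policy")
    path = entry.get("AppPath") or ""
    name = entry.get("AppName") or ""
    return f"{entry['guid']}: {path}\\{name} -> {meaning}"


def read_live_entries():
    """Enumerate the real registry key. Returns [] off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ELEVATION_POLICY_KEY) as root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                guid = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, guid) as sub:
                    entry = {"guid": guid}
                    for value_name in ("AppName", "AppPath", "Policy"):
                        try:
                            entry[value_name] = winreg.QueryValueEx(sub, value_name)[0]
                        except OSError:   # value not present on this entry
                            entry[value_name] = None
                    entries.append(entry)
    except OSError:                       # key missing or not readable
        return []
    return entries


# Constructed sample: placeholder GUIDs; FlashUtil9e.exe per the comment above,
# the other two entries are invented to show the filtering.
SAMPLE_ENTRIES = [
    {"guid": "{00000000-0000-0000-0000-000000000001}", "AppName": "FlashUtil9e.exe",
     "AppPath": r"C:\Windows\System32\Macromed\Flash", "Policy": 3},
    {"guid": "{00000000-0000-0000-0000-000000000002}", "AppName": "notepad.exe",
     "AppPath": r"C:\Windows\System32", "Policy": 2},
    {"guid": "{00000000-0000-0000-0000-000000000003}", "AppName": "helper.exe",
     "AppPath": r"C:\Program Files\Example", "Policy": 3},
]

if __name__ == "__main__":
    live = read_live_entries()
    entries = live if live else SAMPLE_ENTRIES
    print("source:", "live registry" if live else "constructed sample")
    for entry in risky_entries(entries):
        print("SILENT ELEVATION:", describe(entry))
```

Run it as an administrator on the Vista box in question to see which executables IE will launch at Medium integrity without asking; an entry for a plugin helper is exactly the kind of thing that turns a plugin bug into access to the user's files, and deleting the executable (as suggested above) or changing its Policy to 2 closes that route at the cost of whatever the helper did.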

I see that. One team claims to have identified a vulnerable vector. But did not attempt to exploit.

Which is nothing at all like claiming no one tried.

Okay, so it was another site. I am not sure how credible it is now. But nonetheless..

http://www.engadget.com/2008/03/29/linux-b...-own-unscathed/

In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."

Just some FYI for others (not you markjensen as you are unbiased if I have ever seen anyone! - not sarcasm), the Vista was 32bit and did not have SP1 installed and Adobe's flash application was the undoing of the system.

(dtomilson said @ #17)
Well I know I read it markjensen. I am sure I saw it on digg and the link I provided did have that information. I will try looking again.

What I read was that the hackers did not want to have to code a script and that it was going to take too much time and effort.

Just some FYI for others (not you markjensen as you are unbiased if I have ever seen anyone! - not sarcasm), the Vista was 32bit and did not have SP1 installed and Adobe's flash application was the undoing of the system.

Oh, you read that. Somewhere. Do you have a credible link?

I find it hard to believe people would turn down a large cash prize, the laptop, and the publicity just to figure out code to exploit the other two platforms. OSX was compromised by linking to a URL. Vista with a flash exploit. Surely something like that would work on the Ubuntu box, ya think?

I have said that the Ubuntu box is not immune to hacking, and even argued against an "unhackable" designation in a BPN thread (stupid thing to say about any OS). But I see no reason to say that no one tried to hack the Ubuntu box.


EDIT: I am honest enough to say that I *am* biased toward Open Source systems like Linux. It is what I prefer, and I support the use of Linux. However, I do try to form and express opinions on other OSes in a reasonable and logical manner. I appreciate that I get recognized as being somewhat level-headed

http://dvlabs.tippingpoint.com/blog/2008/0...day-and-wrap-up

All machines will be fully patched and in a default configuration. Simply put, if the vendor shipped it on the box and it's enabled, it's in scope.

Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps
The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.


Now if you look at Day 1, not one team successfully hacked any of the operating systems without user interaction. On day 2 the Mac OS X was hacked, probably using one of the similar methods below, I'm thinking: http://www.engadget.com/2008/02/07/new-iph...oit-discovered/
http://www.engadget.com/2007/07/23/safari-...of-your-iphone/

Also, if you look at Dr. Charlie Miller's website, he has hacked the (iPhone) Mac OS X long before with similar exploits...
http://www.securityevaluators.com/iphone/

Excerpt from his technical whitepaper:

In order to find vulnerabilities on the iPhone, a few options are available to a researcher. Using jailbreak and iPhoneInterface, the binaries can be extracted from the device and statically analyzed, using a disassembler. Additionally, since the MobileSafari and MobileMail applications are based on the open source WebKit project, a source code audit of that package can be performed. Finally, dynamic analysis, or fuzzing, can be executed against the device. This involves sending malformed data to the device in an effort to cause a fault and make it crash. Such fuzzing can be performed against applications such as MobileSafari or against the WiFi or BlueTooth stack.

The vulnerability we discovered and exploited was found in MobileSafari using fuzzing.

http://www.securityevaluators.com/iphone/bh07.pdf -worth reading
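The excerpt above describes fuzzing as "sending malformed data ... in an effort to cause a fault and make it crash." Below is an added example of that loop, not code from the thread or from the whitepaper. Because the real targets (MobileSafari, a WiFi stack) cannot be run offline here, the target is a constructed toy record parser with a deliberate defect: it trusts an attacker-controlled length byte. All names (parse_records, mutate, classify, fuzz, SEEDS) are assumptions of this example. Malformed input the parser rejects on purpose raises ParseError; any other exception escaping the parser is counted as a crash, which is what a fuzzer against a native target would see as a fault.

```python
"""Minimal mutation fuzzer, added to illustrate the technique quoted above.

The target is a constructed toy, not Safari or WebKit. It parses
[type:1][length:1][value:length] records and has a deliberate defect: the
value slice is never checked against what the record type needs, so a bad
length byte reaches struct.unpack / bytes.decode unguarded.
"""
import random
import struct


class ParseError(Exception):
    """The only exception the parser is meant to raise on bad input."""


def parse_records(data):
    """Toy target. Type 1 = 4-byte big-endian int, type 2 = ASCII string."""
    pos, out = 0, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated header")
        kind, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]      # defect: may be shorter than `length`
        if kind == 1:
            out.append(("int", struct.unpack(">I", value)[0]))   # struct.error if len != 4
        elif kind == 2:
            out.append(("str", value.decode("ascii")))           # UnicodeDecodeError on non-ASCII
        else:
            raise ParseError(f"unknown record type {kind}")
        pos += 2 + length
    return out


def mutate(seed, rng, max_ops=4):
    """Apply 1..max_ops random byte-level mutations to a seed input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(("flip", "insert", "delete", "magic"))
        if op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif not buf:
            continue                                 # nothing left to flip/delete/overwrite
        elif op == "flip":
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del buf[rng.randrange(len(buf))]
        else:                                        # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    return bytes(buf)


def classify(target, case):
    """Run one input: 'ok', 'rejected' (ParseError), or the escaping exception's name."""
    try:
        target(case)
        return "ok"
    except ParseError:
        return "rejected"
    except Exception as exc:                         # anything else is a finding
        return f"{type(exc).__module__}.{type(exc).__name__}"


def fuzz(target, seeds, iterations, rng_seed=0):
    """Mutate seeds, run each case, keep the first input seen per crash class."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        result = classify(target, case)
        if result not in ("ok", "rejected"):
            crashes.setdefault(result, case)
    return crashes


# Constructed, well-formed seed inputs.
SEEDS = [
    b"\x01\x04\x00\x00\x00\x2a",                     # int 42
    b"\x02\x05hello",                                # str "hello"
    b"\x01\x04\x00\x00\x00\x2a\x02\x05hello",        # both records
]

if __name__ == "__main__":
    for name, case in fuzz(parse_records, SEEDS, 2000).items():
        print(f"{name}: {case.hex()}")
```

The two crash classes the loop turns up are the two places the parser trusts the length byte; each recorded input is a minimal reproducer a developer can hand back with the bug report. Against a native target the same structure applies, with the "crash" signal coming from the process (a debugger, a crash log or a watchdog) instead of a Python exception.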

neo, it's an analogy... the OS is at fault if it allows 3rd party apps; doesn't matter what OS it is...
Fact of the matter is there will always be a way... until AI.

We all know Adobe Flash has major problems: it causes IE and FF to crash, not to mention the fact someone used a flaw in it to hack an OS.

^ Dualkelly
It's an OS, not a car (McLuke) and not a house. If there's a security flaw in someone else's software, whose fault is that? It's Adobe's job to make the software secure and MS's to enforce it.

If you think of an OS as a house and you build the walls out of 4-inch lead and 2-inch steel and you use 8-inch steel doors and locks that are ultra secure, but in your living room you put in big bright glass windows, you defeat the purpose... It doesn't matter that your alarm system is hooked directly to your local troopers' office; a 2-year-old can break into your house and destroy your life and livelihood within seconds with just a brick... Just a thought.

Last time I used IE7 (which I assume is what they used, given the so-called no third party installs, even though Flash is one?), when I attempted to install Flash, not only did I get a UAC pop-up, but IE7 Protected Mode also moaned at me saying content would run outside Protected Mode if I installed Flash.

Then surely that's ignoring security prompts and doesn't count... Just the same as going into Windows Firewall, turning it off, ignoring the security prompts, then claiming you hacked it because it's off...

Just my two cents.

(acxz said @ #5.1)
So you never watch videos on YouTube? o.O

Nope, if it requires Flash, I don't visit the website. It's too distracting trying to read anything with all of the ads that blink and play sound.

When a version of Flash or Silverlight that allows only running on sites I designate becomes available, then I'll install it.

(gkeramidas said @ #5.3)

Nope, if it requires Flash, I don't visit the website. It's too distracting trying to read anything with all of the ads that blink and play sound.

When a version of Flash or Silverlight that allows only running on sites I designate becomes available, then I'll install it.

If you use firefox, you can install an extension that will block all flash objects by default. Or better yet, just block all the ads.
You've pretty much cut yourself off from about 1/3 of the internet's most interesting sites.

(Kushan said @ #5.4)

If you use firefox, you can install an extension that will block all flash objects by default. Or better yet, just block all the ads.
You've pretty much cut yourself off from about 1/3 of the internet's most interesting sites.

You're right, but I'd rather be able to view what I want without being bothered. I hate trying to read articles while being distracted by those "flashing" ads. It's just my choice.

(gkeramidas said @ #5.3)

Nope, if it requires Flash, I don't visit the website. It's too distracting trying to read anything with all of the ads that blink and play sound.

When a version of Flash or Silverlight that allows only running on sites I designate becomes available, then I'll install it.

Use Firefox with Adblock.

(gkeramidas said @ #5.5)
You're right, but I'd rather be able to view what I want without being bothered. I hate trying to read articles while being distracted by those "flashing" ads. It's just my choice.

I believe there's a flash block. Only plays the flash when you tell it to.

And as previously stated, adblock does pretty much all the ads so it's a non-issue.

(winmoose said @ #2.1)
Apples problem was not 3rd party, it was a component of their own OS.

Own? Apple made it? Heh, true actually, BSD doesn't seem to have the problem, haha, Apple can't even hire good coders.

(n_K said @ #2.2)

Own? Apple made it? Heh, true actually, BSD doesn't seem to have the problem, haha, Apple can't even hire good coders.

Right... having a rock solid OS pretty much proves they have great coders.

(Deviate_X said @ #2.4)

It's not a rock-solid OS if it gets compromised after 2 minutes of scrutiny.

The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.

Would have had zero chance of success if the contest was run without a network.

(seamer said @ #2.6)

The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.

Would have had zero chance of success if the contest was run without a network.

So it's not a real hack because he didn't use a command line?
And I'd like to see you break into ANY computer without network or physical access to it. Besides, network vulnerabilities are the most serious ones because they can potentially be done from absolutely anywhere - once you've got physical access to a machine, any "security" holes are more or less redundant because you can usually do what you want directly to it anyway.

(Kushan said @ #2.7)

So it's not a real hack because he didn't use a command line?
And I'd like to see you break into ANY computer without network or physical access to it. Besides, network vulnerabilities are the most serious ones because they can potentially be done from absolutely anywhere - once you've got physical access to a machine, any "security" holes are more or less redundant because you can usually do what you want directly to it anyway.


I'd like to add that no OS is unhackable. I have a friend who was employed by a defense contractor as a network monitor who monitored the network and shut down anybody trying to hack in.

These types of contests are great because they bring new exploits to light and give the companies wind of it to fix them. Fantastic no matter who your "rooting for."

(seamer said @ #2.6)


The "hack" was downloaded, not crafted or executed manually by an enterprising individual. Didn't even bother to use a command line to achieve the result.

Would have had zero chance of success if the contest was run without a network.


That is not true, the hack was a webpage. The attacker constructed a webpage and doing nothing but viewing that webpage (not downloading code or running a script or doing anything a user should not do) caused the computer to be compromised through Apple's included web browser.

So it's the 3rd party software that was hacked; technically we cannot say it's the OS that was hacked. Right?

If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.

(McLuke said @ #1)
So it's the 3rd party software that was hacked; technically we cannot say it's the OS that was hacked. Right?

If someone bought a car and installed a faulty GPS on it, it will be unfair to say the car is of low quality.

The applications are standard; GPS doesn't come in all cars, thus your analogy is faulty itself.

A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc

The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.

In a way, you're right, it's the app's fault, but the tire itself being weak and being installed on the car leaves the car vulnerable.

(SimNet said @ #1.1)

The applications are standard; GPS doesn't come in all cars, thus your analogy is faulty itself.

A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc

The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.

In a way, you're right, it's the app's fault, but the tire itself being weak and being installed on the car leaves the car vulnerable.

Adobe doesn't come with windows by default, therefore his analogy is perfect. You'd have to manually download it and install it.

(McLuke said @ #1)
So it's the 3rd party software that was hacked; technically we cannot say it's the OS that was hacked. Right?

IE's secure mode is supposed to prevent plugins from being taken advantage of in this way, any word if this was exploited? I mean, Linux runs Flash too...

(ivanz said @ #1.4)
Linux has thousands of "3rd party" software packages which come standard... so I fail to see the analogy.

Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.

And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.

(seamer said @ #1.5)

Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.

And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.

On Ubuntu 7.10 (which they were using in the contest) you can install it by default through Firefox; it has a modified version.

(seamer said @ #1.5)

Linux wasn't broken into. In Vista, Flash has to be manually downloaded from a third party.

And I do believe that with all versions of Linux, Flash has to be obtained from elsewhere via apt or yum. So your comment makes no valid point that I can see.

...and flash is standard in Windows? I think not.
My point is 100% of the software in Linux is "3rd party," whereas everything in the base install of OSX and Windows is developed by the company.

(ivanz said @ #1.7)
...and flash is standard in Windows? I think not.
My point is 100% of the software in Linux is "3rd party," whereas everything in the base install of OSX and Windows is developed by the company.

Ok, but either way, flash was how Windows was hacked, and is available on Linux but it wasn't hacked. Windows also contains a lot of code from 3rd parties in the form of drivers and from software from the various companies they bought, even Trident, IE's rendering engine, was originally by a 3rd party. I don't know exactly what all this 3rd party stuff changes, unless it means that Linux is able to run 3rd party software securely.

Your analogy is correct.

Beyond that, if you read the whole article, Vista was first hacked at the conference using a Java vulnerability the author said could also be used on Linux and MacOS. Another person interviewed said that apparently there was little interest in trying to hack Linux and everyone thought the MacOS would be easiest to hack.

This selective reporting does no one any good and appears to be slanted towards Linux. We need better from independent sources!

(The RatMan! said @ #1.9)
Your analogy is correct.

Beyond that, if you read the whole article, Vista was first hacked at the conference using a Java vulnerability the author said could also be used on Linux and MacOS. Another person interviewed said that apparently there was little interest in trying to hack Linux and everyone thought the MacOS would be easiest to hack.

This selective reporting does no one any good and appears to be slanted towards Linux. We need better from independent sources!

Agreed... it's very bizarre. Who knows if it was just theory or if it really could have been done. Although I really don't understand not wanting to win the prize, they could have just sold it even.

(SimNet said @ #1.1)

The applications are standard; GPS doesn't come in all cars, thus your analogy is faulty itself.

A better example would be if the car came with ****ty tires and this led to the car into increased crashes, etc

The tires are standard on all vehicles, and in this same way, Adobe is standard on almost every OS and computer in order to view content on the internet.

In a way, you're right, it's the app's fault, but the tire itself being weak and being installed on the car leaves the car vulnerable.

The point is the MS does not include Adobe Flash with its product, so MS has no quality control over it. True, many OEMs ship it pre-loaded, so it is HP/Dell/Sony that is responsible for the software, not Microsoft.