back to article Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

A laptop running a fully patched version of Microsoft's Vista operating system was the second and final machine to fall in a hacking contest that pitted the security of Windows, OS X and Ubuntu Linux. With both a Windows and Mac machine felled, only the Linux box remained standing following the three-day competition. Shane …

COMMENTS

This topic is closed for new posts.
  1. Dive Fox
    Coat

    The only machine truly secure from remote exploits...

    ...is the one not connected to the Internet and locked in a vault.

    Additionally, the user is as important a part of the machine's security as the OS is, if not more. All the security in the world won't protect a user from their own actions.

  2. Sirus Black
    Flame

    Wooohoooo

    Goooo Ubuntuu ..

    Now Mac Fanboys Can Fire Windows Ones

    And Ubuntu Fanboys Can Fire 'em Both

  3. Carlo Graziani

    Pity...

    It's a pity they couldn't break the Linux box. Then we would have seen the real security metric: how quickly and effectively does each platform vendor supply a patch for the newly-revealed vulnerability.

    My money would be on the Linux vendor to release first, by weeks.

  4. Martin Owens

    The importance of source code

    Weather it's flash or nvidia drivers; proprietary code is a security problem. It's all right when it works but I'd feel safer if all those who put these little black boxes in the linux platform would open source them or be replaced with things like gnash (when it's finished) and the nvidia nouvou driver.

    Otherwise there will always be something you'll never be sure of security wise.

  5. Pierre
    Thumb Up

    ... African word meaning "tougher than you"...

    And the best part is that it was an out-of-the box unhardened desktop version of a sub-Debian for lazy people. I can hear the crow-eating comment coming.

    No real surprise though. The really good laugh was the Fall of the Mighty Apple. The fanbois might stop saying stupid things like "Macs are the most secure things ever". Or "I'd be happy to let my mac outside a firewall without protection", for that matter. Seriously, even if most Linux boxes are more secure by design than macs, I never heard a single penguin-lover say that his/her machine doesn't need protection. (same stands for BSD). It was about time for apple-eaters to wake up.

  6. toxic monkey
    Paris Hilton

    equal effort?

    Be nice to knowhow many hours were spent on creating each hack.

    That would give some indication of a) the difficulty of finding the explot and b) any hacker bias for/against an OS as I doubt equal time was spent on the Linux hack as it's much more sexy to hit the big guys

    Paris, cos it's Saturday night.... ;-)

  7. SilverWave
    Linux

    Shouldn't laugh really :)

    hmm I wonder if that exploit would get past firefox?

    Or what about Ubuntu and Firefox?

    Not sure I buy that guys throwaway line about Ubuntu being easy to crack... talk is cheap - *show me*

    Oh and no I just cant resist it...

    hahaha :)

  8. Remy Redert

    Release time

    Well, do not underestimate Microsoft and Apple. I'm fairly certain that if they REALLY want to, they could release a patch within a couple of days.

    It's just that they never really want to, and why would they bother rushing to get things patched? It's not like Joe average can do anything about it if they decide to take their sweet time.

  9. Brett Brennan
    Coat

    How about some servers next time?

    Although this competition does have some interesting and useful points - and a largely unnoticed one is that "new and shiny" doesn't always equate to "safe and sound" (pricey new hardware and OS often are "protected" for a while by their scarcity on the ground) - it pretty much sews up what most IT professionals have known for years: a "home" platform, regardless of its merits, will fall to a determined hack when it is attacked. This is why major ISPs are removing as much damaging capability on their consumer networks as quickly as possible. Reduce the attack surface from the little farmers with their pitchforks and torches, and everyone can sleep tonight.

    Hence the topic: what about a serious server pwn2own contest? Get three major server vendors - like IBM, HP, Sun, etc. - to provide a nice mid-class server platform configured for a "typical" firewall task. A web server, mail server, ecommerce server, etc. Three different OS and hardware platforms (Power/AIX, Intel/Windows, SPARC/Solaris), also patched and configured by the vendors to spec. Then let the games begin: whoever can get the target server to spew unauthorized scripting (should be a suitably innocuous script provided as the test piece by the event organizers) wins. Get the vendors to kick into the kitty for a prize (most competitors won't REALLY want a blade server and disk farm to take home, will they?) and see what come out of this.

    I think this would be an important twist in that we'd see what the world would look like if it were reduced to a Utility Computing cloud, with end-users effectively defanged and all work housed inside the Fortress Data Center. I'm sure the result would show the World is not safer in the castle than it is in its huts today. But the lesson needs to go on record just the same.

    Mine's the delivery order with 2 pizzas and a twelver of stout, wrapped in the thermal blanket...

  10. Anonymous Coward
    Joke

    So no OS bashing please

    Good work Ubuntu, I'm proud. Shame that these exploits used against specific OS', could have been used against all. Kind of ruins the victory.

    Anyway this exploit being flash based, who uses flash anyway, especially on 64bit systems and with silverlight such a hit. ;)

  11. Anonymous Coward
    Anonymous Coward

    Never mind these Fisher Price operating systems....

    .. I'll stick with Solaris....

  12. b166er

    Blame/Flame/Shame

    Thing is, the vulnerability on the Mac, was Apple's fault (their browser), but the Vista exploit sounds like it was Adobe's fault. As Macaulay pointed out, with a little more work, the exploit would have worked across all three platforms.

    Also noted in the article, was the fact that he spent the day switching back and forth between the 2 remaining systems. Perhaps he was more fluent with Windows than Linux ;~) (or couldn't bring himself to let the penguin down and big up Vista)

    Still, I like a good laugh, flame on!

  13. Michael Law
    Thumb Up

    A good sign

    Its fairly good to see that M$ has managed to sort their lives out with security over the past few years. From going with XP and no service packs that is bot netted in minutes to vista taking 2 days and only then with a flaw in Flash. I still wouldnt have vista cos it still sucks.

    Its also nice to see a demonstration of the mac getting owned so quickly.

    Cudos to penguin boys for keeping their OS safe :)

  14. Anonymous Coward
    Anonymous Coward

    More's the Pity ...

    Following on from Carlo's comment:

    Although useful in raising security awareness in general and, more specifically, demonstrating that most systems can still be hacked even when fully patched, the contest doesn't show the aggregate risk of each OS/application suite. I'd wager that Mac OS X still presents lower exposure overall than Vista SP1, all things considered.

  15. Pierre
    Linux

    Debian laptop in DMZ

    (fanboi)

    Now I feel allowed to let my Debian laptop sit in the DMZ indefinitely, with no security at all (I disabled all my secure settings, as, you know, I don't need them: it's unhackable anyway)

    (/fanboi)

    If you wish to give it a try, my IP is 127.0.0.1

  16. Ian McNee
    Linux

    re: Pity...

    Yep we could have been smug about getting the first patch for our machines that don't require terabytes of RAM or dim the lights as the monster graphics card powers-up...

    /gloat

    ...but then we can be so much MORE smug that we probably don't need a patch in the first place - Umbongo rocks! :)

    /ungloat

  17. Webster Phreaky
    Jobs Horns

    OS X WAS 1st ! OS X was 1st !! OS X WAS 1st !! Bwah ha ha ha ha ha ....

    NOT Vista, NOT Linux .... BUT Security Swiss Cheese OS X; and WHAT'S THIS!!?? ... The new release of SaCrapy Safari is ALSO FULL OF SECURITY HOLES, like THAT was a big shock!!

    Apple, YOU suck!

    OS X, YOU suck!

    Mac's SUCK!

    AppleTard FUDs, you are stupid and the first three prove it.!

    Linux WINS!!!

  18. Pierre
    Jobs Horns

    @ toxic monkey

    "I doubt equal time was spent on the Linux hack as it's much more sexy to hit the big guys" yeah sure. Given the very low number of Linux-based middle-sized server with tons of juicey info on them, as compared to the humongous number of win-based servers (not to mention apple-based servers. Bwahahahaha), the results clearly reflect a tendency to hit the big guys first. Or not?

    I know that we're talking about desktop versions here, but the OS is the same. If it was about "gig guys", the Linux one would have been pwned on the first day (only OS vulns allowed). "I doubt equal time was spent on the Linux hack as it's much more sexy to hit the big guys". May I laugh again? Plus, the Vista hacker reportedly spent 4 hrs going back and forth across the Vista and Ubuntu machines, the Vista one just proved to be easier to hack into.

    No "it's Adobe fault" either. The penguin had flash installed too. Just a bit more safely.

    Now, you all M$ fanbois are right: the fact that you're paranoid doesn't mean that they're not after you ;)

    At least we must recognise one thing: most of you KNOW that your OS (and the way it allows third-party components to take control) is vulnerable, so MOST of you are careful. The problem is with the unwashed masses being sold an unsecure OS while being told they have nothing to fear ("beware, as the pre-installed software is a malware magnet" is nowhere near a good selling line). Botnets take advantage of that. But be patient: if S. Jobs minions fail to awaken in time, given the growing market share of the elves-powered shiney machines, Mac botnets might well replace Win-botnets in the infamous pantheon of major annoyances (rootkitted Linux servers already got their share, thank you.). When was the last time you met a Mac user understanding the need for low-privilege user accounts?

  19. Anonymous Coward
    Linux

    Are you reading this Reg hacks?

    Ubuntu - a FREE OS - won. So less of the bloody freetard pejoratives thank you very much. Stick to what you're good at - proper investigative stuff like the excellent work you've done so far on exposing Phorm.

  20. Anonymous Coward
    Coat

    Known but not fixed

    In fear of starting a whole security debate, if they are only allowed to find unknown exploits, from the 3 systems, what are the numbers for known but unpatched / fixed?

    Where's the option for both gates and jobs devil icons?

    Mines got 'and they even had the code' on the back

  21. Ned Ludd

    @ Pierre

    "It was about time for apple-eaters to wake up"

    We're not all complete idiots you know... *anyone* who thinks their computer is invulnerable to attack is an ass, no matter what OS they're using.

  22. Anonymous Coward
    Boffin

    Technically, how does this work?

    If he succeeds to headcrab the flash renderer, how does he compromise anything from that point? If the renderer was not running as root or Admin, nothing seriously serious should happen. Or is the idea that he gets to have a non-administrative shell from where further attacks can be tested?

    Inquiring minds want to know.

  23. Anonymous Coward
    Anonymous Coward

    Oh dear oh dear :)

    Just another example to add to my anti-Mac pile of points of things like Mag-safe fire hazard power adapters, Easily scratched iPod nano screens, discolouring macbooks, iTunes apalling UI, Safari being the buggiest browser on the market etc.

    I really don't know why people still think Apple is in any way good, it's hardware is feature lacking and low quality despite having a high price tag, it's software is buggy, annoying to use and extremely insecure.

    To this day I just don't understand why Apple does so well when it's in fact so crap, it's not like Apple hardware isn't made in a cheap sweatshop in China either, it's low quality tat, plain and simple. Stories like this just prove it further and further day by day yet the zealots persist.

    Oh how I laugh at them. Heh. Hehehehe. Hehe. Hahahahahaha. Ahahahah. BWAHAHAHHAHAHAHAHAHA MAC OS X GOT OWNED FIRST.

  24. Anonymous Coward
    Anonymous Coward

    @ Brett about servers

    I fo one would be interested in bringing a beefy blade server and a couple tens of disks home. Unfortunately I fear I lack the hacking skills to win the prize. Anyway, this contest is already on, you know. Most people DO look at the "hacking history" of the systems before choosing the castle they'll put their data in (sod the beancounters, and the bosses comments about how his nephew's datacenter is good). People buying a laptop (or desktop, for that matter) for home use don't.

    Everyone knows that when it comes to security, nothing beats the "silver tower" approach anyway. If you're going for decentralised, externalised datacenters, expect your data to be stolen one day or another (no matter the datacenter, no matter the data transfer protocol. If it's worth, it'll be hacked. And you're not likely to be told anything by the contractor untill it's far too late. If ever.). If you're going for the in-house solution, you'd better hire (and correctly pay) good BOFHs.

    In all these "corporate-like" schemes, the danger is well known. Just make sure that your wizzards are good, pay attention to physical security, and you're relatively safe. Here we mostly talk about how easy it is to take control of a desktop machine, bought by Joe Bloggs at the nearest shop. Hacking these can seem pretty harmless for you. Joe Bloggs will be sorry, and that's all, right? Well, not quite. We're talking about how easy it is to recruit Joe Bloggs' computer into a botnet here. You might already know how these make mail filtering painfull, if you're coping with more than a small-to middle organization's mail system. Now imagine that these botnets are coming for you. All these compromised machines, plugged to the intertubes 24/7 for most of them, gazillions of operations per second, busy cracking your security measures. How long do you think your website can stand? A few hours maybe. If you're good. That's not a problem, as the PR droids can take care of that, but you'll still take some heat. Now imagine how long it would take to get into your local network, or to plant malicious code on your world-facing servers, or.... it might be a bit longer, depending on how secure you made these, but still, if it's plugged (and if it's worth the hassle), they'll manage, as long as the botnet has enough computing power. Now, don't you begin to care a bit more about Joe Blogg's machine? The less unsecure Joe Blogg's personnal gaming tool is, the more quietly IT people can sleep. Let's care about Joe Blogg's machine. A lot. Yay for the Pwn2Own contest (and for the old-style VX teams publishing proof-of-principle malware, too).

  25. RW
    Alert

    I think I'm obsessed and I know I'm confused

    I don't consider myself an MS basher, but lordy, lordy, they keep setting themselves up for...for...for...for "adverse comments". Yes, that's it, adverse comments. Definitely adverse comments!

    Something caught my eye in this news article:

    "new page protections added by Microsoft's security team [via SP1] prevented the exploit from properly executing."

    "Macaulay and Sotirov fashioned some javascript to circumvent the new measure, a feat that effectively allows them 'to render that protection ineffective'"

    So MS tinkers with page protection,which is presumably down in the depths of the kernel somewhere, and it's circumvented by JS, which is up in the user-app stratosphere. Does this strike anyone else as more than a little odd? That an interpreted, user-level script can suborn kernel functions in some way?

    Or does MS have its own usual strange interpretation (and implementation) of page protection?

    Help! I'm confused!

  26. Anonymous Coward
    Linux

    Ubuntu african word meaning

    so heavily modified it's barely recognizable. I wouldn't try to hack it I don't get what they have done to it. It's much easier to hack something thats not from outer space.

  27. Simpson

    Desire

    I must have been a "desireable machine", since they spent 4 hours on it.

    Apple software + security = quicktime

    The lesson here is that the Mac was the most coveted machine (2 minutes), then the vista box. I guess nobody wanted the buntu machine.

    P.S. When is the FCC chief going to look into the reason why women were not given "a fair opportunity to be winners" at the competition?

  28. Anonymous Coward
    Anonymous Coward

    So...

    Looks like Vista's fall was because of Adobe's problem and the exploit would have worked on the bitten Apple and smiley penguin. So...

  29. Anonymous Coward
    Anonymous Coward

    @Ned Ludd

    True, but the gloating from the Mac fanboys gets old. You never hear someone running Vista bragging about how they can leave their box outside the firewall and feel secure. MS users are humble, because they know their stuff is just as insecure as the next guy's. The Apple fanboys that can't stop bragging finally got what was coming to them: a real wake-up call. The rest of us who know better than to think any OS isn't vulnerable; well, today is a day of vindication.

  30. Faceless Man

    User security

    I'm just curious, did the Flash hack used on the Vista machine require any action by the user on the Vista machine?

    Yes, the user is an important part of the security system, and often the weakest link in the chain, but there is a substantial difference between getting someone to click on a link that opens a port on their computer without them knowing it, and being able to hack in without any interaction with the user.

    Of course, the Flash vulnerability may have worked equally well on all of the machines. It would be interesting to compare how long it would take to exploit the same vulnerability in each system from scratch.

  31. James Henstridge

    Re: Technically, how does this work?

    For a desktop system, most interesting processes are going to be running as a single user. If the attack allows them to run arbitrary code as the user, then they can delete all your files, copy all your files, install a keylogger, install an SMTP relay, etc.

    If they do need administrative access, they can now use local root exploits as well as remote root exploits (your OS vendor does consider local root exploits important, right?).

  32. Pierre
    Flame

    @AC (oh dear oh dear)

    I don't want to have anything to do with MacTards BUT I must recognise that Apple machines are shiney, generally well-designed (ergonomically-speaking. My PC keyboard sucks in comparison, I'm jealous of MacBook power adapter design -not to mention the adaptable "lenghtener". I know, length doesn't matter, but still). As for Safary being "the buggiest browser on the market", sounds like someone never used IE. And to be honest I wouldn't trust a browser which can also move my files around, or a file manager which can access the intarwub (Konqueror, anyone?). My laptop is a cheap "made in China" piece of crap (the pre-installed Vista isn't even able to cope with the keyboard correctly, and the wiring in the innards is so weird I spent ages mapping the ports correctly under Linux -ages being 1 or 2 hours, but still). I wouldn't describe Apple hardware as "low quality". because (let's be honest and dump the balanced point of view), if it was crap, the system wouldn't be able to run for more than 1 hr given how the software is working. Sure, MacBook's case gets awfully hot (company policy is that noisy things are bad, I guess. They prolly ditched the fan and crammed cooling elves in the box) but I wouldn't for sure challenge MY hardware with such loads as Apple hardware has to handle because of the "shiney" software. But I wouldn't run my full-fledged (read crippled) preinstalled Vista Premium on it either...

    A real pain in the neck is the non-removable battery. Sure, Apple's batteries are good (my lame 6-cells battery wouldn't last more than 1 year if I kept it in the laptop), but the fact is that I mainly keep the battery OUT, working with the fsking POS plugged in the wall, whenever possible. This way my battery is always available when I really need it. And it will be, for ages, I bet. Almost 2 years already, and I still have 2 to 3 hrs of spare power when I need it (Same as when I bought it. Told you it is a lame battery).

    Flame Apple for what they do wrong (Why do they tell everyone it's secure by default? Why can't I easily downgrade my privilege? Why, when I need to debug something, can't I, even if I've got enough privilege to compromise the machine anyway? Why the hell did they remove most usefull feats from the X11 server? Why the one-button mouse? Why is the touchpad config so lame? Why is there no easily-reached console mode anymore? Why is it so expensive? Why is it that when you're working on an Apple machine in an open space, random people feel free to disturb you with annoying small-talk on the ground that they own a mac themselves? ;-) ).

    Me, with a Mac? Guess Satan will be skiing before. But still, you have to flame people for what they do wrong, not randomly. Wait, is your automatic flamethrower controller running on Vista, by any chance?

  33. Pierre
    Unhappy

    @ confused RW

    That's the price of "user-friendlyness" combined with no proper privilege separation, I guess. I recently saw a malware-like app running on a (fully patched) Vista machine, which kept opening windows containing a 640x480 image as fast as the available memory and processor time allowed it to (roughly 20 windows per second when the system was idle), each one being a single instance of the originatin program (no "kill app" trick allowed). Stupid luser had installed a (seemingly legit) webcam-monitoring app designed for W2K (work-related, mind you. The controller for a microscope-compatible CMOS captor with an USB interface). Of course, as you can imagine, this crashed the system once ~300 frames were open (no matter how fast you can click -and he tried :-D- you cant close 20 windows per second). The system wasn't even able to shut down, as the spawning windows were eating all the CPU power and RAM. Now how come the system gave priority to such processes over the system-critical processes? How come that loging in the machine with another account (my own admin account) didn't help? All along the problem-fixing process, I had to close groups of windows before they reached the critical machine-crashing number... even if the "malicious" process was started under his (relatively low privileged) account. As Super Mighty Admin, I couldn't even remove the responsible *.exe file (that I identified quite fast, while still closing grouped windows every 5 seconds roughly). Because, as Vista told me, "you need authorization" to remove the file.

    I'm the bloody admin, dammit!

    Had to remove every user-installed app, one by one (while still right-clicking- group closing every 5 seconds or so, remember?) before reaching the guilty one (how could I guess, as it was the only work-related one?). Not bad as I removed a few things that had clearly nothing to do with work, but still. Spend a few painful hours on an issue that would have been fixed on a matter of seconds under Linux (or, more likely, an issue that would never have existed at all under Linux)

    I'll be investigating the loophole in my spare time next week, as if it can be reproduced, I might get me a free laptop + 5000$ next year...

  34. J
    Linux

    He...

    The Flash exploit would have worked on any machine? Does not sound likely, but who knows.

    Anyway, no Free Software was harmed in the making of this competition! Yay... Or better: yet...

    So, were are the retards who say that having the source code open makes software less secure? Is Safari open? (I think it's not, although based on some open source library?). Flash definitely is not. Both got owned.

  35. Anonymous Coward
    Linux

    Flashblock anyone ?

    Damn fool if your not running flashblock on FF anyway - cuts down on the crapverts and malware.

  36. frank denton
    Happy

    @Pierre re IP

    Pierre,

    I tried to hack your IP (127.0.0.1), was easy but it seems you have a copy of my hard drive on there. How did you get it????

  37. nutellajunkie
    Paris Hilton

    What about classic systems..

    You know I was wondering if anyone thought of other operating systems being secure and safe to use also.. Ones that I have used and loved have been safer and more secure than today's "modern" operating systems.

    How about the Acorn, RiscOS, its a bloody nippy wee system.

    BeOS, its still being worked upon, perhaps again its a nippy system.

    But the one I love and cherish the most in my heart is Amiga OS, now that's one sexy beast. I do know with personal experience it works very well as a server and client and has yet to be affected by insecurities nor has it been pwned ;) oh and boots in seconds (that's the best part).

    /shillings worth

  38. Uffe Seerup

    Just some basic facts

    IE on Vista by default runs under a low-privilege account. Basically all it can do is to access the web and write to a secluded cache on disk. It cannot read or write files anywhere else, not even from/to the logged on user who launched IE. This is called protected mode.

    Now, sometimes users need to download and save files and/or upload files (photos etc). To this end Vista uses a "broker process" (called ieuser.exe in the task manager), This broker process implements a few functions such as file saving and reading. The broker process talks to the plugins, which can request its services, but they cannot control it. Even if a plugin is vulnerable to an exploit and the entire IE process is pwned, it is still limited in what it can do by this design.

    Linux (Ubuntu) does not have anything akin to this. On the typical Linux Firefox executes under the logged-in users account. If FF gets pwned your userspace is owned and the process may delete/change/ftp your files away. I believe that the same is the case of OS/X.

    The Vista model is clearly more secure than running the browser under your own account.

    So how did this pwnage of Vista happen, you ask? Because Adobe in their wisdom decided that the standard broker process did not meet their needs. For some reason (documented in the flash "type library") the broker process can read/write/create/delete files and launch applications! (go figure). Such a broker process effectively circumvents *any* security precautions imposed by the protected mode. So, the *extra* security of IE does not help one iota when plugin developers are this stupid. When you do something like this you'd better A) absolutely limit the functionality implemented by the broker process and B) audit the living daylight out of that inherently risky code. I still cannot fathom why Flash should be able to launch applications.

    But fact remains that the same APIs exists in Flash on *all platforms*. On Vista it does sits outside the plugin (to break out of the sandbox).

    That is why the winner of the Vista machine was confident that he could have used it on Ubuntu or OS/X as well. It was a Flash vuln. Cross platform. He didn't gain admin rights; he just got to execute a process as the logged-on user. All the platforms are vulnerable to this.

    But the same API is available.

    BTW, the "broker process" on vista is called "Flash Helper" in the task manager. That's accurate, I suppose. It just leaves out that the ones it is helping are the blackhats.

  39. SpitefulGOD
    Gates Halo

    @Martin Owens

    Make money how?

  40. stizzleswick

    @J

    "Is Safari open?"

    It's based on Webkit, same as Konqueror, but Apple has glued a bucketful of proprietary code on to it. My guess would be that the problem lies with the closed-source bits.

    *shrug* I'm using FF anyway, if only to have the same browser on all my systems. Good to hear it also makes my Mac a little safer.

    And for those baiting the Apple users, go surfing with MS Internet Exploder and MS' standard "security" settings. But I suggest you make a full backup first.

  41. David Webb
    Gates Halo

    @ Pierre re: malware

    Simple solution, reboot the computer, insert Vista install DVD, boot recovery and then fire up the console, open terminal window, CD to the directory where the malware is, delete.

    The terminal on the install disc is not subject to UAC and is logged in as administrator by default. Spending hours trying to solve a problem then blaming the OS when the issue could be solved in seconds is kind of silly.

    Heck, you could even boot up a Linux live CD, mount the NTFS drive with read/write and delete it that way, you just went around the problem with the wrong solution.

    Back on topic. The Ubuntu system was always going to win this, but it is nice to see MS (please, M$? it wasn't funny 10 years ago, it isn't funny now) taking a better stance at security, if only the 3rd party vendors would actually do the same. If the vuln in Flash didn't exist, then we would have Vista and Ubuntu remaining standing, a feat which would have been unheard of with XP.

    Give it another decade or so, and maybe Linux will be ready to compete with Windows on the desktop, or, the most likely result, Apple's OS will start to get a pretty decent market share, then the EU will step in and force them to remove TPM, so PC users will be able to wonder why such a poor excuse for an OS is actually "popular".

  42. Anonymous Coward
    Heart

    kernel changes

    good to see no system fell on first day surely that means mac ,vista and ubongo will be free from any kernel exploits in 2008/2009 blissful elysium aahhh days lie ahead :)

  43. Olivier
    Thumb Down

    Hacker went for value

    All this shows is that hackers wanted to come home with the most valuable laptops:

    First the mac book, then the vista, and the hell with the linux thingy ( even if it is the same hardware, the Vista one comes with.. Vista! )

    Note that the flash exploit is not exactly a windows vulnerability ( nor is it directly a linux or a mac vulnerability ).

    For the security-challenged guys who think only root access is a security threat, just consider that the latest vulns in firefox where enough for a hacker to steal your credit card information, send spam and drive ddos attacks from your computer..

  44. Uffe Seerup
    Thumb Up

    @Olivier "Hacker went for value"

    There was a price of $20,000 on day one, $10,000 on day two and $5,000 on day three in *addition* to the laptop. That's And the prices for the remaining laptops were still offered, and contestants did make attempts at pwning the remaining laptops on both day 2 and 3. The contest continued after the Macbook AIR was pwned.

    According to the hacker who took the Vista using a Flash vuln, he could have brought down any of the others using the same vuln; with a few hours tweaking.

  45. Pierre

    @ David Webb

    ~1/2 h to reboot the computer from the luser's session (finally had to unplug it as even the logical shutdown button didn't respond). ~1/2 to login, see that my admin account is affected, identify the problem and find out I can't remove it then presumably ~1/2h to find the bloody DVD (either Vista or Knoppix), reboot the computer and remove the stuff -if I am allowed to, that is. How can that be made "in seconds"?

    Under Linux, (even if the problem couldn't probably happen at all, but let's assume it did anyway) I would have shut the X server down, logged in as root in a console, found and fixed the problem. 1/4 hr at most, no need to even log the luser off. I could probably even have started an X session and fixed the problem from there if I had wanted to, whithout being bothered by the rogue prog.

    And this was caused by a "legit" piece of crappy software that was only doing its job, just "a bit too well" because the luser probably just forgot to install it in "2000/XP compat" mode. Imagine what a really agressive malware based on the same loophole could do.

    Anyway, the very fact that this happened in the first place is the real problem. Lame user separation, lame privilege separation, lame admin tools by default.

    That's why whatever buggy plugin you install, the penguin will almost always be harder to totally pwn than the MS. The holes in Flash is Adobe's fault. The fact that the OS lets these be a gaping security problem is the OS's fault.

  46. Anonymous Coward
    Thumb Up

    @Just some basic facts

    Ah, nice explanation there. Thanks.

  47. antonio
    Linux

    so what?

    OSX didn't get hacked. Neither linux nor Vista. So, depending on how smart were the hackers, they are all three reasonably safe.

    Although I respect linux and the community that is working hard to give everybody a free, reliable and secure OS, the safari vulnerability will not make me switch to it. It would be useful that more people took a look at the Apple APIs, (core graphics, core image, core animation, core data, etc) and the Quartz compositor, the window manager; many of them would agree that they are 10 years ahead of anything else.

    The penguin because Linux is really a pain in the arse for MS

  48. Jeremy Shannon

    And the fox leaped again, and missed again..

    I smell the distinct scent of sour grapes in that guy's comment. "I could have broken Ubuntu, too." So how come it's still not broken after hours of trying, hmmm?

  49. Anonymous Coward
    Happy

    I am sorry......

    but what idiot lets there computer outside of a firewall. you deserver all you get if you do that.

    Morons.

    Would you park your car in a crime hot spot with the keys in it?

    Still going to by a Mac though :D

    I do have one question about the event: On the windows box, on teh frist day, were you allowed to hack IE and media palyer? I really think you should, as MS considers them part of the OS (remember the lil fight with the EU over that), or has MS changed its mind???

    Nice too see the Linux box still standing :D

  50. David Webb

    @ Pierre

    If its a driver issue, hit the reset button, boot into safe mode which doesn't load any drivers except fail safe drivers, uninstall application, you are just making a huge issue out of a minor detail.

    Heck you could boot up in safe mode then use system restore to restore the system to a point before the driver was installed.

    Yes on Linux you can ctrl+alt+backspace to shut down X (unless something like KDM is running in which case you first need to open a terminal window then kill the kdm process), but Windows has a similar function, open a cmd prompt, gain focus then Alt+Enter for full screen terminal. You just went the difficult route for a simple solution.

  51. Kwac

    M$ fanboys

    fail to have noticed the sentence about spending the day between Visa & Ubuntu attempting to get the exploit working - but only managed on one.

    I agree, 'M$' instead of 'MS' isn't funny, never has been, never will be. Its just plain honest.

  52. Pierre

    @David

    Not a driver problem. It was a problem with the acquisition app that came with it. And try to gain focus long enough to type anything while the crazy box is opening 20 windows a second. Good luck. As for the system restore and all that, I had no idea about when the thing was installed.

    As for the full-screen terminal, I always thought it was just hiding the (still running) graphic server? Never checked though. But in that case, it wouldn't have helped, as in less than 10 secs the machine would have been unusable anyway.

    BTW, I seem to remember that when you kill it a couple of times in a row, KDM (or GDM or whatever) shuts down. Not sure though, as startx is good enough for me.

    And I agree that it wasn't a huge problem, more like an irritating thing (On a Friday afternoon!). Anyway there's something wrong if this is allowed to happen. Cross-session. On the Admin account too.

  53. The Mighty Spang
    Gates Halo

    @nutellajunkie

    bah only one decent OS ever - VAX/VMS. Lovely command line where you didn't need to memorize random sets of consonants to get things done.

    I have fond memories of my first VAXCluster, every machine named after a character from the Lord of the Rings, natch.

    I also remember the slight issue on 4.x systems where as an operator I could send a notification to my mates containing control codes, allowing me to reset their terminals at will bwahhhahahahah

  54. marc

    All versions of flash?

    It mentions the Flash exploit may work on different operating systems, will that include the open source plugins for Flash Player, or just Adobe's?

  55. Patrick
    Linux

    Thank god I removed Windows and Installed Ubuntu on my Dell laptop.

    Now I feel justified in my decision to remove the big MS bloatware OS from my Dell and put on Ubuntu as the sole OS last year.

    Now I also feel nice installing Flashblock, NoScript, AdBlocker Pro into my Safari and never installing any Adobe Flash/Shockwave software ever when web pages nag and refuse to work.--- I simply never visit those web sites again.

  56. Rolf Howarth
    Go

    @stizzleswick etc.

    As details of the CanSecWest exploit come out it seems it was due to a bug in the open source PCRE regular expression library which was found by someone carefully scrutinising the source. You could argue that had it been in closed source it would have been harder to find :-)

    This whole competition thing is all a bit silly though. I don't think anyone claims that ANY operating system or piece of software can ever be absolutely secure, in and of itself. The real question is how quickly vendors issue patches once a vulnerability comes to light - and how many undisclosed vulnerabilities are there out there that people are busy maliciously exploiting.

    When people claim Mac OS X is more "secure" than Windows that's not an absolute claim about theoretical security (as we've seen, any piece of software can and often does have bugs that lead to security vulnerabilities) but a simple empirical observation. There are literally millions of owned servers and home machines out there in huge bot farms sending out spam emails and hosting phishing sites. Currently the percentage of them running Mac OS X is approximately zero. Could this change? Certainly. Anyone would be a fool to claim otherwise but that is the current situation, as it is now. 0%.

    Security has to be measured relative to the threat. An analogy might be a marine patrolling the streets of Baghdad. He may well be wearing body armour and be armed to the teeth but how much safer is he than you walking down your own street in nothing more than shorts and a tee shirt?

    I don't know about you but I know where I'd rather be. Sure, I might be mugged tomorrow, but so what? I take sensible precautions, like not wearing flashy jewelry or looking too much like a victim, but really, life's too short to spend it worrying. I'd rather live a little and enjoy life. If that makes me a complacent fool or a smug git, so be it.

  57. Sceptical Bastard

    Crowing premature for Ubuntards

    As an Umbongo user myself, I'm wary of getting into a fanboy frenzy over this result.

    I think the real lessons are to beware sloppily written proprietary apps (in this case Flash) and that no OS is 'secure' if lusers don't patch, harden and exercise caution and commonsense.

    Still can't help a thinly veiled smirk, though ;)

  58. Anonymous Coward
    Linux

    Con-currency

    David Webb wrote:

    "please, M$? it wasn't funny 10 years ago, it isn't funny now"

    He's right. People should stop already with the hopelessly contrived nicknames and just stick with Mi€ro$oft.

  59. David Webb
    Gates Halo

    @ Pierre

    Yep, full screen DOS window is just the same as a normal windows DOS window, everything is running in the background. You can however in that window bring up a list of running tasks with 'tasklist' which lists all running tasks and their pid, then 'taskkill /PID [pid number] /F' that will force the task to die, the same as the Linux pidoff and kill commands.

    So if the badly running app was called "badapp" with a pid of 123, it would be taskkill /PID 123 /F which *should* kill and force the death of the badly running application, you can also use /T to kill and child processes started by the poorly running application. It does what task manager does, only in DOS.

    @ the M$ comment by Kwak, quite true, MS are a very profitable company, and I'm sure you give away, as a percentage, as much money to charity as Bill Gates does every year, yes? No?

  60. Matty B
    Flame

    @ Pierre

    'African word meaning "tougher than you"' ...what?

    I always thought it was the African word meaning "I can't use a real Linux distro".

  61. Ronny Cook
    Pirate

    Macromedia

    Perhaps the lesson we should be taking from this is that third parties have less interest in the security of the OS than the OS vendors.

    The fault was in Macromedia Flash. You know, Macromedia, who dominate the copy protection market. The ones who sell Dreamweaver, which is cused for coding a lot of the web scripts running on the 'Net.

    I'm left wondering if there's a way I can pwn a system by subverting the Macrovision copy protection checks.

  62. Pierre
    Gates Horns

    @ David

    You still fail to understand. As I said, every window was a separate process (and i have no idea on which app triggered the *.exe in the first place. It was maybe even not running anymore). Killing one wouldn't have be more usefull that just closing the window in the graphical environment (I tried, mind you, using the task manager). Your solution wouldn't have worked at all as they would have still been spawning "in the background", crashing the machine in ~10 sec. Not to mention that the DOS-like console couldn't have been opened anyway, as I wouldn't have been able to keep the focus long enough to open it (even scrolling down a window was a real pain). Don't try to justify Windows' lame management of separate users or process privilege, and lack of decent administration tools.

    There was no easy solution given these flaws, unlike under any *NIX-like OS. Right I could have saved 1/2 hr by using an external booting medium to remove the *.exe file, but I would have had to uninstall the apps anyway, so I would have had to spend this time no matter what, even if later.

    The fact is that this happened because the OS is badly thought. And it puts in light a major (major, like MAJOR) flaw in the system. This time, no consequences but if the rogue app hadn't been an utterly harmless legit one, it could have been very bad.

  63. Pierre

    @ Matty (Tough Buntu)

    "I always thought it was the African word meaning "I can't use a real Linux distro"."

    Wrong. Ubuntu is an African word meaning "Too lazy to install Debian". Same meaning for "Red Hat" (and derivatives), "Suse", etc ... "Debian", in turn, means "More shiney than Slackware". And Slackware mean "I'm too old to use Ubuntu".

  64. WT

    Are you guys all dumb or what?

    or maybe it is that you haven't yet learned to read English ... The one line in this article which everybody so conveniently ignores is the one which renders all of you attention deficit sufferers' interpretations a la "x won, y is bad, z was worst" invalid, it is at the end of the article ...

    "... Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux."

    that's the only line which really matters in the entire article. But you will sure continue to kid yourselves because you only read what you want to read.

    The truth is though that no system will stand up to a determined attacker, thus there are only losers, no winners.

  65. Andy
    Paris Hilton

    @Pierre:@matty (Tough Buntu)

    I use Slackware 12, I am not too old to use Ubuntu. I choose to use Slackware, it is my choice of distro. That's the good thing about Linux - choice. I did use Kbuntu, but it was not to my liking. I have heard Slackware described as the hardmans Linux.

    I have also used SuSE (7.1, 8.1, 9.1 and 10.0, then ditched it, too bloated), mandrake (a long time ago), Gentoo (v fast performance, you learn a fair bit about Linux when installing it), Fedora (didn't stay on disk for long). And I still have my original Slackware CD's from '96 and '98. I remember compiling the kernel from source and editing a script to get my modem working.

    And, yes I have used windows, various versions. Still do, at work. Have to.

    Slackware should mean "for those who aren't afraid (to get their hands dirty)".

    Paris - she probably gets dirty whenever she wants to.

  66. Andy Worth

    Re:More's the pity

    "Although useful in raising security awareness in general and, more specifically, demonstrating that most systems can still be hacked even when fully patched, the contest doesn't show the aggregate risk of each OS/application suite. I'd wager that Mac OS X still presents lower exposure overall than Vista SP1, all things considered."

    Uh and how did you come to that decision exactly, seen as you didn't appear to mention the "things" that you considered to come to your conclusion? To be honest, that sounds like that sort of line that I feed a manager to leave them confused enough not to argue, without actually stating any facts.

    Oh and @ Ronny Cook - don't Adobe own Flash now rather than Macromedia?

  67. Anonymous Coward
    Coat

    VMS

    The best ... and not tested .

  68. TeeCee Gold badge
    Joke

    @Andy Worth

    Yup, Adobe own Flash. You see, there was this vulnerability that allowed them to completely take over..............

  69. Simon Lacey

    Flash

    "As of today, since the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope beyond just default installed applications on those laptops; any popular 3rd party application (as deemed "popular" by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise."

    "7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash."

    I appreciate it's a popular plugin, but I can't help feeling it's a little unfair to blame an OS for the lack of security in a third party application that wasn't installed by default.

    And @Andy Worth, Adobe acquired Macromedia 3 years ago.

  70. Neil

    Unhackable but unusable.

    They should have a competition to see if anyone can write any decent desktop software. Nobody ever mentions that there's bugger all you can actually do with a Linux desktop.

  71. Dr. Mouse
    Linux

    Sorry, have to add

    Gotta add my own "Ner Ner Linux is the the best" :P

    On a serious note, the old addage comes to mind: The only security measure which works is a 6-inch air gap (although I guess with the advent of wireless this is not strictly true... 6-inches of lead maybe?)

    I would love to see a server version of this. Servers should not have flashy things (like flash :D or java) installed, but most Windows servers I have seen do. Would be nice to see a well set up version of each server OS (Linux/Windows/Solaris/FreeBSD...) made available for a Pwn2Own.

  72. Richard Williams
    Paris Hilton

    How secure is your OS?

    It seems very much from these results that this is no longer the problem... As usual, fingers are pointed and normally falls to the OS manufacturer... It's like saying it's Microsoft's fault if a piece of hardware doesn't install properly...

    The fact that both these exploits managed to utilise bolt-on software and that no-one bothered to try and hack the base OS on the first day is surely a wake-up call? All this mud-slinging about which OS is less secure is dried-up in the face of this?

    Paris, because I can't pick on any of the OS Mugshots in particular and because the majority of people are as clueless as her to hacking PCs, myself included. I just spend my life being paid to secure the systems I support... hmm... Roll on vulnerabilities!!!!!

  73. Ivan Headache

    @Oh dear oh dear :) AC

    "To this day I just don't understand why Apple does so well when it's in fact so crap, it's not like Apple hardware isn't made in a cheap sweatshop in China either, it's low quality tat, plain and simple. Stories like this just prove it further and further day by day yet the zealots persist.

    Oh how I laugh at them. Heh. Hehehehe. Hehe. Hahahahahaha. Ahahahah. BWAHAHAHHAHAHAHAHAHA MAC OS X GOT OWNED FIRST."

    To this day I don't understand why windows zealots do not read the article before posting such rubbish.

  74. Webster Phreaky
    Jobs Halo

    Exploits

    So, both the Mac and Windows machines were exploited by components not made by the OS manufacturer...

    Webkit (the open-source browser engine) was the culprit in the Mac's case, and Adobe's Flash in Windows case.

    As both Webkit and Flash are available for all three platforms no doubt with a little jiggery-pokery both exploits would work on all three platforms.

    Clearly the Mac was targetted first because the prize was the most desirable and valuable - not just the MacBook Air, but the headlines it generated.

    Who would really want to win a Windows or Linux machine?

  75. stizzleswick
    Coat

    Re: Macromedia

    I think they're called "Adobe Systems" these days...

    Re: Con-Currency: You probably meant "Mi€ro$o£t"...

    Mine's the tuxedo jacket...

  76. Anonymous Coward
    Stop

    Mac First

    Err... didn't the guy who hacked the Mac admit that he tried it first? Kinda makes sense he didn't hack the other two first when he wasn't on them!!

    The only real even test would be the same person hacking the same machines and telling us how many actual hours of hacking it took. whole things a load of balls.

  77. Adam Foxton

    @Neil

    There's not bugger all to do with Linux desktops at all- you can use them for anything office-related, anything programming related, media manipulation software is getting better and more prevalent, and even gaming isn't impossible- loads of games are released for Linux (UT3 was a recent favourite), and those that aren't can frequently be played through Cedega or WINE. Even Stereoscopic gaming is- IIRC- possible now under Linux.

    In fact given the software that's bundled with many Linux distros- especially Ubuntu from this article- you can do more with a Linux out-of-the-box install than a Windows out-of-the-box install (almost-Photoshop-grade graphics manipulation, full office suite, etc.)

    Right, I'm off to play UT3 on my lovely Gentoo installation.

  78. Anne van der Bom

    @Dr. Mouse: no Java?

    "Servers should not have flashy things (like flash :D or java) installed"

    No Java on servers? Where did you get that twisete idea?

  79. Paul Buxton
    Paris Hilton

    @Stizzleswick

    "And for those baiting the Apple users, go surfing with MS Internet Exploder and MS' standard "security" settings. But I suggest you make a full backup first."

    I've spent the last 8 weeks using nothing other than Windows Firewall and Windows Defender to secure my system (i.e. the standard security settings). I got a little paranoid over the weekend (this competition had a little to do with that) and reinstalled Norton Internet Suite again. Patched it up and ran a full system scan and...

    I had been infected! OMG!!!!!

    One tracking cookie was identified as being suspicious. Norton recommended taking no action.

    Now don't get me wrong, during the time I was using purely Vista for security with no other 3rd Party apps I would not have wanted to let anybody know what I was doing and certainly wouldn't have published my IP to let people try to hack my box, however, that's not changed since I reinstalled Norton.

    No backup was necessary. My data hasn't been compromised. It's all good.

    So Stizzleswick, your point seemed to be that Vista *with the standard security settings* was less secure than OSX (with no mention of standard security settings). In this test will OSX be using the standard security settings too (or would you prefer to turn the firewall on first)?

    So, as I've already gone "surfing with MS Internet Exploder and MS' standard "security" settings" with no ill effects I claim my prize of being allowed to bait Apple users as often as I like for all eternity!

    Deal with it!

    (and LMFAO)

    Paris because she's so used to having her box compromised.

  80. David Webb
    Jobs Horns

    @ Pierre

    I'll happily admit there are some failings within the Windows environment, one which you pointed out, that 3rd party applications can and do cause annoying issues. Linux does lots of things, especially application managment, much better than Windows does, and is inherently more secure.

    However, a failing in both Linux and Windows is the same issue you highlighted, installing software that is incompatible that will crash the system. Some Linux app's require sudo to install properly which elevates their rights, sure on Linux you may be able to log in and fix the issues, or even telnet in and fix the issues, but both systems can be prone to such 3rd party foibles.

    Mac's just suck, can we at least agree on that? :P

  81. Anonymous Coward
    Coat

    Mac

    Sure if fell first... but that UI sure looks nice!

  82. andy gibson
    Coat

    Biased hacking?

    Call me a cynic, but I'd imagine that the people hacking would *want* the open source version to win, so maybe they were deliberately manipulating the contest so their preferred choice won?

  83. Jared Earle
    Alert

    How long ...

    How long before people use this as 'proof' there are Mac Viruses?

  84. John Larrigan

    @ Pierre

    Hi Pierre,

    I had something similar on a friend's vista machine (not the 20 windows a second problem, but the administrator rights one) What I ended up doing was opening the Windows explorer tool by right clicking on it in the start menu and choosing "run as" and entering the admin details (even after logging in as the admin).

    How about trying that and deleting the EXE from the system so that it doesn't start after the next reboot?

  85. Jamie
    Linux

    The first statement is the most correct

    The weakest point to a machine is the user, then the OS, then the other software.

    Problem with the OS part though is that some OSs have too much built in so a little glitch in one part can put everything else at risk. The priimary reason why I dislike MS.

  86. Jon Cutting
    Stop

    @ Biased hacking

    "Call me a cynic, but I'd imagine that the people hacking would *want* the open source version to win"

    I can think of other more fitting monikers. This argument is pretty lame IMHO. Firstly it assumes the hackers were largely open source admirers, it then moves forward to suggesting that their individual love was stronger than the lure of a $20,000 prize, and finishes by believing that each trusted the others to altruistically not hack the open source box either. The same open source box that has all the code available for the world to inspect for months in advance.

  87. Nick Ryan
    Stop

    @ Release time - Remy Redert

    "Well, do not underestimate Microsoft and Apple. I'm fairly certain that if they REALLY want to, they could release a patch within a couple of days."

    Unfortunately if they did attempt to release a patch within a couple of days, it'd almost certainly break things. The reason is simple - these operating systems are so convoluted and interlinked and the source so badly written and badly controlled that a seemingly trivial and insignificant change in one place can take down the entire system in another.

    MS tried this kind of rapid release fix at one point but gave up as they don't have the resources to test even the smallest of fixes that quickly. Apple just never bothered trying to do anything fast at all - but then that's probably based on seeing MS try, fail and get away with a much longer patch cycle.

  88. Jon Brindley
    Flame

    Interesting Comments

    Two comments apparently made by Webster Phreaky .. and both are completely contrasting. I've only been reading the comments about Pwn2Own for Webster's, frankly genius*, remarks.

    I'm now starting to wonder if he has multiple personalities or something .. each one a fanboi of each platform.

    * For a given value of genius, of course. And that value is 'i'.

  89. Anonymous Coward
    IT Angle

    But seriously...

    Where's the IT content?

  90. J
    Alien

    @Unhackable but unusable.

    Nice try, troll. Now, back to your cave, mommy is calling.

    @Webster

    Are you going bipolar? :-)

    @Just some basic facts

    Thanks for the explanation.

    @Are you guys all dumb or what?

    And you just believe the guy? Or you knew he was right, but so what? What's wrong with some discussion to enlighten we mere mortals who'd rather know whether there is merit to what the guy affirmed and the article (and you) promptly accepted, for whatever reason? (prior knowledge or otherwise)

  91. Uffe Seerup

    Re: Release Time

    "Well, do not underestimate Microsoft and Apple. I'm fairly certain that if they REALLY want to, they could release a patch within a couple of days."

    I don't know about Apple, but Microsoft cannot do it because it is NOT Microsofts fault. It was Flash (made by *Adobe*) that was exploited.

    And before you jump the "FF/Ubuntu would protect better" bandwagon, that is NOT the case. In FF plugins (like Flash) executes in the FF process, which started by you and which has all of your privileges. A Flash vuln. on Linux is just as devastating as on Windows.

    In fact, if it were not for the stupidity of Adobe - who actively circumvented the extra layer of security of Vista+IE7 - the opposite would have been true. FF+Ubuntu would have been vulnerable, Vista+IE7 would not.

  92. Rob Dobs
    Gates Horns

    The Nitty Gritty

    $ and prestige (AKA $ by reputation) was main reason these researchers were involved. Enough already with the ignorant "they did because of this laptop" - all involved would have loved to have hacked all 3 boxes. And even the Day 3 CASH prizes are enough to buy 2 of any of the laptops.

    What many are not focusing on is that the contest did NOT allow KNOWN exploits. This is a very skewed contest, narrows it down to just "who can find a new exploit quickest" or "what researcher is sitting on a security vulnerability". Not by ANY means a contest to see which laptop is more secure.

    Also it is a very different question to ask "which laptop as configured by the manufacturer is the most secure?" and "Which operating system can reasonably be locked down the most secure, by the majority of users?"

    Not saying that either is a better questions, just very different.

    I think with known exploits not being allowed, it is very safe to assume that if they had allowed them, ALL 3 laptops would have fallen over in a matter of minutes.

    Consider this too - you have a vulnerability, or virus that is currently undetectible.... If you are a hacker this data is much more valuable to you being sold as a hacker service on the black market (and not sharing your trade secrets) why would give up your magic key to everyone else, or worse to have corrected and no longer useable? Only security researchers are really interested in the fix being in place. Hackers are more prone to avoid this type of FBI infested venue and keep thier evil little secrets to themselves.

    oh and M$ = Funny and appropriate. It is apt because everyone knows exactly what company is being discusssed and why.

    M$ as a corporation have shown an unethical (and often illegal) business model of money over morals time and time again (anyone follow the DOJ trial here on el Reg? - M$ behaved dispicably).

    And in regards to the charity donations, yes many people have given a larger % portion of their income than Bill. You also have to ask yourself the "why?" about this one as well. I have ready too many stories about 3rd world countries getting offered malaria and other disease assistance from the M$ (Bill&Melinda) charity - if and ONLY IF their government signs on to use M$ as their official government operating system. It appears to be being used as a sales cudgel to beat people with. I have also heard reference that the M$ charity at one point was making more money on the interest of their holdings (tax free mind you) than it was actually giving out.

    And finally - he's just trying to buy popularity. I don't think there is a more hated person in the world (outside the BinLaden/Bush/Cheney circle of hate) it would not suprise me if Bill had to pay his dues so to speak before even his rich chronies would let him come "play" on their playground. And I'm sure his marketing deparment is aware that his negative personality was probably at one point on of the biggest hurdles for M$ marketing to overcome. What better way that to try and turn him into a likeable person. He could have spent the same amount of money buying favor in a lot of ways. I hope that some good does end up coming of it, but I am still waiting for the acutal donations to be spent in a good and unbiased manner. Even more scary is buffet seems to trust him to use his money as leverage as well......shessh!

  93. Timo
    Coat

    @ Neil

    I second that - Maybe there's nothing to hack on Linux, because there isn't anything to run on it? Much safer if all it does is shut all ports in and out and sit there humming along.

    That said I do run Slack at home for my DIY crunching tasks. Everything still seems to be DIY of some sort which may have the side afffect of helping to obfuscate the OS and security holes to automated attacks.

    Mine's the 1970's leisure suit with the breath mints and the pocket lint that never goes away.

  94. Jeremy Shannon
    Dead Vulture

    To various

    @Are you all dumb?:

    Yeah, he *said* he could hack it but why didn't he do so, even after hours of trying? What, did he just decide he'd rather not for some reason? "Oh, a free laptop and $5,000 is great, but TWO free laptops and $10,000? No way, I don't want people to think I'm gay or something!" Sure. That'd make sense.

    @David Webb:

    No, virtually all Linux apps require sudo to install (unless you're installing for one user, in his home folder) and it does not elevate their privileges when run. Only apps which require setuid (deprecated and dangerous) or sudo (much more secure) are run with higher rights than the calling user.

    Now, running some binary blob self-installer with sudo is dangerous, but it's a rare occurrence -- normally you install apps with apt-get or dpkg, then the apps run as yourself, not root or anything.

    @everyone saying "It's all Adobe's fault!"

    It's partly Adobe and partly Microsoft's fault, if you actually read the article. The vulnerability in Flash alone didn't allow him to do anything on Vista SP1. (It allowed him to execute arbitrary code under the retail Vista, but the new IE security measures stopped that.) To get code running with elevated privileges now required him to work out a Javascript hack that allowed him to disable the new Vista SP1 security, a secondary vulnerability that should not have been possible, had Vista been as secure as it's supposed to be.

    He was trying to do something similar on Linux, believing it possible, but failed to do so. This is why us Linux people are chuckling.

    (Beating a dead vulture.)

  95. Pierre
    Heart

    @John Larrigan and David (and John "old timer" Larrigan)

    Should have worked allright. If the "run as" box vever goes out of focus. Lame that you have to do that even when you are logged in as root, huh?

    And the major concern, for me, wasn't not to be allowed to suppress the file (just a minor annoyance), but the fact that an app launched by an unprivileged user could go mad on EVERY user account. And even after a shutdown. I believe that it's because the privilege of a process in Win is given by the app itself, not by the rights of the user who launches it. Which is very bad. The only control is what the interface allows you to ask the app for, but if you find a way to feed an unlawfull command to the application, there's no way to stop it.

    Ho, and yes, macs are annoying, too. I hate it when the computer prevents me from actually using it. (but MS seems to be catching up on this ground, as by default in Vista you have to click, on average, on 34.76 "yes" or "OK" boxes before the fsking thing actually does what you asked.) There are also a couple of things that I don't like about my Linux distro, but that's confidential.

    Which leads me to John's comment... I'm not using Ubuntu. I despise this lame sub-Debian too much. Ubuntu has ONE quality: it is so "F(r)iend(l)ish" that it can be a good half-step in the migration from Windows to Linux. I would probably run Slackware if I was an old-timer (and if I liked to meet unexpected dependancy problems), but I like shiney things too much...Debian it is then. The HUGE collection of precompiled binaries also helped. I am not patient enough to recompile all the stuff (Gentoo, anyone?) and when I need specific compile-time options, well, I grab the code. I tried Ubuntu (just to know, never even bothered to install it), most of major Red Hat derivatives, SuSe, Slack, OS/2 (don't laugh), both major free BSDs, various Wins, Apple, BlueBottle (you know, written in Oberon -this one was a good laugh, try it if you can!), and even the HURD for a few weeks. Debian is just what floats my boat best so far (just had to take care not to install all the graphic bloatware that it will install if you say you want a "desktop environment -yes, the desktop is Gnome by default. Kills me. Why the heck? AARRRHH. I said it, I feel better now). Didn't try Gentoo though. Maybe I'm missing something here.

    ANYway, Peach and Loze, Make FAP not warez, and all that stuff.

    and, Debian soooo totally, mean, rulez.

  96. Anonymous Coward
    Boffin

    @ Jared Earle

    "How long before people use this as 'proof' there are Mac Viruses?"

    If it's not just a joke, try googling "first informatic virus ever" (or anything similar) (1).

    Since Apple now prevents Mac users from doing anything with their "computer" (2), no wonder Apple-geeks (3) are not publishing proof-of-concept viruses and exploits anymore. Which actually weakens Apple, in the end.

    (1)you bet, it was targeted to Apple OS

    (2) quotes, as how would you actually _compute_ anything under Apple OS now? Ho, how I would happilly kill for an Apple][-like thing with a G5, huge RAM and good design! (4) ;-)

    (3) does that still exist?

    (4) "physically" (5) and also good API design (6)

    (5) "good -though prolly a bit gay(7)- Apple designers. Pat pat pat"-style comment

    (6) "no comment"-style comment (8)

    (7) Not that it is a bad thing. I'm French after all.

    (8) Tired of that lil game already?

  97. Pierre
    Pirate

    WHY you can hack my boxes

    My boxes are sooo asking to be pwned. But, mind you, I'd better have my shiney computers hacked than missing that:

    http://www.taintedink.com/flash.htm

    (warning: Flash (or similar) security risk has to be installed to view the things). I do like the cat. And yes, this should definitely go on a newsgroup and not here, but thanks to my sick humor I have to many enemies on that medium :-D

    Idees

  98. Christian Harju

    os X security

    This event just proves that the overall security for all systems has reached a quite acceptable level. The problem is how user processes are trusted. Allthough os X was compromised through a user applications the os is built to qwithstand this kind of problems although apple is not using them nor promoting its use. But there are really good security howtos on hardening os X:s and even other bsd related materials are often usefull.

    The real issue is if you use the user with previleges to administer the computer or if you use a normal user. The first user is allways administrative user and i discourage os X users from using this. Make a normal user and use that instead. The biggest risk then is your user data and thats another story(make backups!).

    Just look at this as an example of using basic user account:

    http://www.macgeekery.com/tips/security/basic_mac_os_x_security

    I think you have to acknoledge that apple is two things separately (hardware manufacturer and software manufacturer) but also together in a shared symbiosis. As a longtime pc and linux user the things I like about apple are two things, premium hardware(even for linux/windows) and the os X operating system. Os X has loong been the only unix desktop os that you can buy with hardware and even comes preinstalled. This has been changing lately(even Michael Dell said that they would like to build os X hardware when apple was transitioning to intel camp) is not true anymore but has been for years, it took really long untill linux was supported by any pc manufacturers. Its also intressting to look at software for the platforms win/osx/bsd/linux. Even just other bsds and darwin (mac osx). Os X has a lot of comercial software adobe CS3(photoshop etc.), MS office 2008, as well as all bsd/gnu-license software that you can think of. This considered the other bsds: have just their own software with few comersial ones.

    The hardware is much better whatever operating system it runs. I think its one of the better linux machines as well. The operating system is absolutely great. I like the opensource community for software and install all the programs that i like from linux/bsd tree, apt and ports to mention a few. Of course if you are a gamer then macs arent that good but Wii/xb360/PS3 does that much better anyway ithink

  99. Steven Pepperell
    Go

    One way to be safe from flash exploits

    Use Lynx!

    No ads!

    Works with El Reg!

    What else do you need!

  100. Damian Gabriel Moran
    Coat

    @Steven Pepperell

    funny, I cannot get El Reg on my underarm deodorant

    ROM POM POM!

    the one that whiffs like the perfume counter at Boots

  101. Anonymous Coward
    Stop

    Response to a compromised system.

    >How about trying that and deleting the EXE from the system so

    >that it doesn't start after the next reboot?

    Pierre & David Webb were saying various similar things, about how to get back to the console to recover.

    But you don't know what the program that you're removing has done already.

    Such recovery (and can be done on any system of course) is only of any use for backing up the data on the system. The system should then be wiped and re-installed and the data selectively restored to the machine.

    Once anything is compromised, then everything is compromised. On any system.

  102. A J Stiles
    Linux

    @ Rob Dobs

    Within the GNU/Linux realm at least, the technique of discovering a brand-new vulnerability and sitting on it for awhile has a tendency to backfire. There's a strong chance that someone else with nobler intentions than yours will discover it -- and it will be patched away before you get a chance to make any use of it.

    For everyone going through the Source Code with a fine-toothed comb and intent on causing mischief, there will be several more examining the Source Code with the intent to fix any problems they find. The probability of a new exploit being used for mischief is simply the inverse of the ratio by which "good guys" outnumber "bad guys".

    In the Microsoft and Apple camps, though, the equation is reversed. Most of the "good guys" don't have the benefit of the Source Code. Remember also that both Microsoft and Apple are in the position where admitting to the existence of bugs in their software is equated with showing weakness.

  103. Steven Pepperell
    Black Helicopters

    @Damian Gabriel Moran

    I was going to say use Links but thought somebody would mistake it for something else. I was wrong, theres always one.

    Black Helichopers, cause Damian the pun police are after you! :P

  104. Shakje
    Gates Halo

    @Christian Harju

    No, you're wrong on many fronts.

    I quite recently bought a new PC, which I'm going to compare with Mac offerings.

    My spec:

    Quad core 2.4GHz (ie 9.6 total)

    2GB stock memory

    500GB stock HD

    GeForce 8600GT

    8x DVD RW

    -----------------

    £400

    I run Vista on this, and Ubuntu on my other PC which we use for work stuff, so I'll include this in the price, although I'd argue that I could run it with a *nix distro to make it more closely comparable in capability to OS X.

    £200

    Peripherals are gathered over the years, so I'm not going to include them. Anyone who's interested, my mouse is worth about £40, keyboard about £30 and monitor probably about £80, if that (CTX CRT oO), actually, what the hell. I'll throw in my headset as well.

    £200

    --------

    £800 total

    Now let's compare. iMac first.

    2.8GHz Intel

    Core 2 Extreme

    2GB memory

    500GB hard drive1

    8x double-layer SuperDrive

    ATI Radeon HD 2600 PRO with 256MB memory

    Ready to ship: 3 days

    Free Shipping

    £1,429.00

    (£1,216.16 ex VAT)

    Worse processor, worse graphics card, I would expect worse keyboard and mouse, no headset, better monitor but I really couldn't care less about that. Let's assume that the motherboard is as good, and, taking a real leap of the imagination, that the graphics card, keyboard, mouse, headset and CPU are balanced out by the monitor, that's a disparity of £630.

    Now I don't want to be harsh on Apple so I'll look at the Mac Pro as well. I tried to configure it as closely as possible to mine, ie no software extras, almost the same CPU, same GFX (although not quite, the difference in GFX card, ie the standard single Radeon, should balance the difference in CPU, ie the 2.8GHz quad, almost perfectly), same HD.

    Now let's take the monitor and headset off of my specs price, bringing it to £670. 16X over 8X DVD drive is pretty negligible price-wise. Cost of this system?

    £1,489.00

    That's a difference of over £800. Just to put that in perspective, the difference is 122% more than I paid for my system, including Vista. Just for jokes, let's say I used Ubuntu on it instead. I'd be paying £1,019 more for an equivalent Apple system. That's 216% more. Just to point out, I was expecting there to be a difference, but seeing this really does shock me.

  105. Ken Hagan Gold badge

    @Pierre

    "I believe that it's because the privilege of a process in Win is given by the app itself, not by the rights of the user who launches it. Which is very bad."

    It would be, but you are completely mistaken. A process in Windows may have fewer privileges than the launching user, but not more. (Windows has no setuid bit, for example.) There are two reasons why you might have acquired this misconception. Firstly, WAY too many lusers "run as Admin" on Windows. Secondly, once a regular account has been compromised, it MAY (and I'm no expert in these matters) be relatively straightforward to elevate that compromise to the whole system using some local vulnerability. (Clearly the "winning" flash exploit used this approach, so there must be at least one such unpatched hole in Vista.)

  106. Ken Hagan Gold badge

    So all three OSes are bombproof?

    I'm struck by the fact that the prize money was greatest on day one but "No-one bothered competing on day one".

    I would infer from this that those who know most about cracking the three systems in question are unanimous in their belief that all three are so bombproof that it WASN'T EVEN WORTH TRYING.

  107. Pierre
    Flame

    @Ken Hagan

    "A process in Windows may have fewer privileges than the launching user, but not more."

    That's surely why, in the example I mentioned, an app lauched by an unprivileged user was able to keep running with unlimited privilege in every user's session, including the admin account. I must have been fooled by my misconceptions. I must have IMAGINED that these 20 windows per second were spawning, surely.

    "(Windows has no setuid bit, for example." setuid... right no good. Not allowed on my systems (and should be considered as deprecated). But to be honest, when one chooses to install an app with the "setuid" bit, one should be prepared to face problems, And do do so you MUST be admin ( and a stupid admin, if I can give my opinion).

    "Firstly, WAY too many lusers "run as Admin" on Windows"

    True. That's because WAY too many Ladmins allows them to.

    "Secondly, once a regular account has been compromised, it MAY (and I'm no expert in these matters) be relatively straightforward to elevate that compromise to the whole system using some local vulnerability"

    Clearly you're not expert in these matters. Once a luser account has been compromised under Windoze, it is indeed quite easy to compromise the whole system (due to the very lame privilege separation in Win, this was what I was saying in my previous comments, you M$ fanbois can still read, right?). This is "almost" impossible on a *NIX system (the "almost" being here thanks to the 0.00001% stupid *NIX admins who give sudo permissions away).

    And still. An app's privileges are not dependent on the originating user's permissions under Windows. Definitely not. And that's the problem. Do you need yet another example? A user with "limited admin privilege" can be allowed to install an application, but still be unable to mess with the system's core. Still, if the installation process involves the creation of Desktop shortcuts, every account on the system will end up with the shortcut on the desktop. That's nothing, as compared to the case I described upper in this thread. But it further proves that privilege separation is lame in Windows.

  108. Pierre
    Happy

    @Ken Hagan (bombproof)

    Right-o. All 3 OSes are now quite secure, which does not mean that they can sit outside a tightly controlled local network. Good to see that MS finally caught up on the security ground (their counter-measures can be bypassed, but it's still a significant improvement). Bad news for Apple, but it's a consequence-less waking call, I'm sure they can harden the bloody thing. Linux guys shouldn't sleep on that one, sure, but that's not the way "they" (neutral-style distanciation) usually behave.

    Let's all ditch our PC-like machines and switch to VMS, VX teams are just waiting for "new" challenges!

  109. Ken Hagan Gold badge

    @Pierre

    "... in the example I mentioned, an app lauched by an unprivileged user was able to keep running with unlimited privilege in every user's session, including the admin account. I must have been fooled by my misconceptions. I must have IMAGINED that these 20 windows per second were spawning, surely."

    Alternatively you chose to ignore the fact that there are privilege elevation attacks available once the malware is running locally. Funnily enough, you go on to discuss such things.

    "And still. An app's privileges are not dependent on the originating user's permissions under Windows. Definitely not. And that's the problem. Do you need yet another example? A user with "limited admin privilege" can be allowed to install an application, but still be unable to mess with the system's core."

    I'm sorry, but an app's privileges are TOTALLY dependent on the originating user's permissions under Windows, just as in VMS. Does the existence of privilege elevation attacks under Unix mean that processes under Unix all run with super-user privileges? Thought not.

    Why do you refer to "limited admin privilege"? Any fule no that there's no such thing under Windows. Perhaps you believe that "Power Users" are less than full admins, in which case I hope you aren't responsible for adminstering any Windows boxes? Why do you cite the example of a desktop shortcut for all users, when pleb users don't have access rights to create such a thing?

  110. Jim
    Boffin

    @ Shakje

    Yes you can get a non-Apple machine pretty cheap but to compare Windows to Mac you should really comare a to another 'big name' manufacturer.

    Why don't you go and compare the Dell One (£999) with the iMac 20" (£949), very similar systems. The mac only has half the memory (1Gb) but a faster processor (2.4 vs 2.2). Apple flog the memory upgrade for £60 so that would put the iMac at £1009. Can't comment on the difference in graphics.

    Looks like the iMac price is actually pretty reasonable when truely compared like for like.

  111. Fox
    Jobs Halo

    @Jim

    Why?

    Why should you "...really comare a to another 'big name' manufacturer."?

    The kit Shakje selected for his comparison was all perfectly respectable and comparable stuff - and available from a vast range of sources. I think that may be the point he was making!

    Why is it that Apple fanboys seem to *expect* to be exploited by a "big name" corporation? Bless them.

    The icon (irony alert) is sarcasm btw.

  112. Anonymous Coward
    Boffin

    @ Jim

    True enough... It you want a perfect comparison, then you must include an element of being ripped off by a "'big name' manufacturer". Was it your intention to reiterate the point which Shakje made?

  113. Mark

    @Uffe Seerup

    Well, using Adobe flash to get local access is Adobe's fault. However, using an IE javascript bug to get root access is MS's fault.

    They could fix that, couldn't they?

  114. Shakje

    @AC

    Actually he was making another point which I neglected, you have the option of being ripped off by a PC manufacturer, but if you want to buy a Mac you have to accept that you WILL be ripped off. I'm not going to compare the other features, but even Mac fanboys have to accept that when they buy a system they are paying far over the odds for the hardware, I just wonder if they know exactly how much....

  115. Uffe Seerup

    @Mark

    What IE Javascript bug? I thought he used a *Java* bug to circumvent extra security put in place by SP1. This is the first I heard of both root access (which weren't required to win) and Javascript being involved. Do you have links?

This topic is closed for new posts.

Other stories you might like