The Tech Herald

CanSecWest: Vista taken down – Linux last one standing

by Steve Ragan - Mar 31 2008, 19:37

CanSecWest: Vista falls. Ubuntu last OS standing.

There were two laptops left on the final day of the PWN2OWN contest. The MacBook Air was the first to fall, and the second laptop to be hacked in this year's contest was the Fujitsu U810 running Windows Vista Ultimate with Service Pack 1.

Shane Macaulay, whom you might remember as the person who took the Mac from last year’s contest, used some interesting tricks to take down the Vista box. Macaulay, with VMware researcher Alexander Sotirov and his friend and co-worker Derek Callaway, exploited cross-platform vulnerabilities in Java to take over the machine.

“The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place,” Macaulay said, adding that the exploit could be used on OS X and Linux. While the exact details of the exploit are unavailable, what is known is that Macaulay won the Vista laptop after an updated version of Adobe Flash was installed.

“The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue. Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability,” TippingPoint said on their blog.

For his efforts, Macaulay will take the Fujitsu U810, and $5000. On Thursday, Charlie Miller, Jake Honoroff, and Mark Daniel, each with Independent Security Evaluators, took down the MacBook Air, and earned the laptop and the second day prize of $10,000.

Last year, there was much debate over the nature of the exploit used in the ‘PWN2OWN’ contest held by CanSecWest. At the end of the day, Dino Dai Zovi (who attended in person this year), through his friend Shane Macaulay, took the top prize of $10,000 for successfully gaining root-level access to OS X. (The root level was contested by fan boys and some experts. However, the prize was ultimately awarded.)

The interesting aspect is that Ubuntu was the only operating system left standing. While some of the contestants located bugs in the Linux kernel and other installed applications, many did not want to put the effort into writing the exploit code in order to win the contest, according to Terri Forslof of TippingPoint.

Does this mean Ubuntu (Linux Kernel) is more secure? No, it does not. Does this mean Vista is more secure than a Mac, or vice versa? Not. Even. Close. What this proves is that money will motivate some people, hardware will motivate others, and some people just like finding the problems, not exploiting them.

PWN2OWN is officially over, until next year. You can track the exploit here: http://www.zerodayinitiative.com/advisories/upcoming/
