Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking
contestContestant overcomes bout of 'hacktile dysfunction'
By Dan Goodin in Vancouver → More by this author
Published Saturday 29th March 2008 21:27 GMT


Improve IT Culture and employee satisfaction in your business - Sign up
for the latest RegCast here
CanSecWest A laptop running a fully patched version of Microsoft's Vista
operating system was the second and final machine to fall in a hacking
contest that pitted the security of Windows, OS X and Ubuntu Linux. With
both a Windows and Mac machine felled, only the Linux box remained
standing following the three-day competition.

Shane Macaulay, who played a hand bringing down a Mac during last year's
Pwn2Own contest, defeated the Vista machine using a previously unknown
vulnerability in Adobe Flash. On final day of the CanSecWest conference
in Vancouver, Macaulay spent the better part of four hours trying to get
the exploit to work. (The delay prompted one spectator to playfully dub
the difficulty "hacktile dysfunction.")

A MacBook Pro running a fully patched version of Leopard was the first
to drop out during day two of the race, when researchers from
Independent Security Evaluators demonstrated a previously unknown
vulnerability in Apple's Safari browser. With brand new boxes running
both Ubuntu and Vista remaining, Macaulay spent day three switching back
and forth between the two machines, trying to get his Flash exploit to
execute properly. He was assisted by Alex Sotirov, a security researcher
at VMware.

Initially thwarting Macaulay's efforts was the recently released Service
Pack 1 for Vista, which he had neglected to install when testing the
Flash exploit in the days leading up to the contest. Per the contest
rules, each target machine had to be fully patched, and when the
researcher first ran the code during the competition, new page
protections added by Microsoft's security team prevented the exploit
from properly executing.

"They had done some stuff in Vista to prohibit this form of attack from
being successful on third party software," Macaulay said minutes after
he finally commandeered the Fujitsu U810 laptop. "We had to do some
porting to get around that issue."

Macaulay and Sotirov fashioned some javascript to circumvent the new
measure, a feat that effectively allows them "to render that protection
ineffective," Macaulay said.

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero
Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he
would probably sell the machine, which he and Sotirov autographed with a
black Sharpie pen, on eBay.

Under contest rules, qualifying exploits on day one had to target
default installations of the operating system itself and winners were
allowed to walk away with the hacked box and a $20,000 bounty. Contest
organizers gradually expanded the eligible attack surface on days two
and three by allowing an vulnerabilities in an increasing number of
third party applications. The bounty dropped to $10,000 on day 2 and
$5,000 on day three. No one bothered competing on day one.

Plenty of commentators have made hay of the MacBook Pro being the first
to exit the race, and Linux zealots are sure to conclude the contest
results prove the superiority of that platform. Maybe. But that's not
how it looks to Macaulay, who says with a few hours of tweaking, his
exploit will also work on OS X and Linux.

The better take-away is that exploits like these are a fact of life for
everyone no matter what kind of machine they choose (are you listening,
Mac Guy?). Another lesson: just as quickly as Microsoft or any other
developer adds new measures like page protection to their code base,
hackers, ethical and otherwise, are find ways to work around them.

"Nobody can do anything about it, because you're always going to be
installing something" that will bypass security, Macaulay, who wore torn
blue jeans and a Puma jogging jacket, said with a shrug. "If it's not
Java, it'll be something else." ®