Windows Vista Ultimate SP1 PC hacked in security contest via undisclosed Adobe Flash vulnerability

Shane Macaulay from Security Objectives has won a Fujitsu U810 laptop running Vista Ultimate SP1 after the latest version of Adobe Flash was installed on it during the third and final day of the CanSecWest PWN2OWN 2008 contest. He also won $5,000 from TippingPoint, the contest’s sponsor.

MacDailyNews Take: Ooh, a Fujitsu U810 laptop running Vista Ultimate SP1. Hello, eBay?

“Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov,” TippingPoint reports.

“The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue,” TippingPoint reports. “Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability.”

MacDailyNews Take: This news item will get 1/1,000th of the coverage of the Mac story because everyone expects Windows to be hacked. And that tells you just about all you need to know about both the media and the track records of each OS.

Check out RoughlyDrafted for more about security on Macs, the media’s reactions, and more here.

58 Comments

  1. This news item will get 1/1,000th of the coverage of the Mac story because everyone expects Windows to be hacked.

    Actually, it will get 1/1000th of the coverage because the exploit had nothing to do with Microsoft software. According to Engadget, the exploit took advantage of a cross-platform Java vulnerability — which means the exploit will work on ANY computer with the same version of Java (Macs included).

    http://www.engadget.com/2008/03/29/linux-becomes-only-os-to-escape-pwn-2-own-unscathed/

  2. The Safari hack was created well ahead of the contest. The time it took is irrelevant. You don’t actually think it took just two minutes for that hacker to create a website to compromise the MacBook Air. It probably took weeks.

    You’re partially right. The Mac exploit almost certainly took weeks or months to develop.

    However, the time taken (in days) to hack the various computers DOES matter. With each day, restrictions are lifted that make hacking easier. The faster the computer is hacked (in days), the more severe the vulnerabilities of the computer. That’s why the prize money for the Mac was $10,000 and the Vista PC was only $5,000 — they were hacked on different days.

    On the second day, no third-party software can be installed. This is why the Vista PC took until later in the competition to be hacked — the Vista exploit, unlike that of the Mac, relied on third-party software.

  3. Damn, don’t you love the irony of this all. I remember a very positive way to go for making Apple a little bit safer, and of course now it’s Vista, what a piece of junk. MDN, I love your reporting, if for nothing else than to read the opposite into every story.
    Fanbois, give it up and be happy with what you got, and let the rest of us 95% be happy with what we got.

  4. What kind of bullshit is this. An unprotected Vista machine on the internet would have been pwned by a Russian or Chinese spammer before the first contestant got anywhere near it.

    It’s the kind of bullshit you read on Mac Fanboy sites like MDN. My unprotected Dell with Vista has been on the internet for a year and it’s never been pwned by anyone. When are you Mac Freaks going to realize Mac OS X is no better or worse than anything else – it’s just more obscure and different.

    The writing should’ve been on the wall when Apple released Safari for Windows touting it as the most secure browser ever. Within hours of being released on the Windows platform, security researchers discovered several serious flaws in Safari – most of them which applied to the Mac version as well.

    The world of Windows is battle hardened and secure, and gets scrutinized every day. Macs have Swiss Cheese security and Mac users have big inflated heads. Every once in awhile we like to pin prick a MacHead and watch it pop.

    We now return you to your regularly scheduled Mac Illusion on MDN…….

  5. > > I hate to say it, I hate MS more than anyone, but they took an extra day and needed more of the safeties released.

    > The Safari hack was created well ahead of the contest. The time it took is irrelevant. You don’t actually think it took just two minutes for that hacker to create a website to compromise the MacBook Air. It probably took weeks.

    No, the person you think you’re answering is right. Your comments about preparation are irrelevant to the comment the other poster made.

    The Vista machine went on the *third day*. That means it went *after* third-party software was added to the mix. The third-party software was Adobe Flash. The Leopard machine didn’t need third-party software to be vulnerable. Apple’s *own* software — in the form of Safari — was enough.

    > The reason the Mac was compromised faster in the contest was because the competitors wanted a MacBook Air much more than a Fujitsu.

    No, it’s not.

    I dislike Microsoft as much as the next man — more than most, in fact. But I’m not going to tell lies about them.

    Charlie Miller said they went for the MacBook Air because it was the easy target.

    You know Miller is the expert; Miller is the ex-NSA guy; Miller is the guy that “pwned” the machine. He’s the one that knows, not you.

    QUOTE:

    “‘It was the easiest one of the three,’ said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. ‘We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X.’ “

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=operating_systems&articleId=9072959&taxonomyId=89&intsrc=kc_top

    And others might note that the same applies to some fool like Daniel Eran (who probably never wrote a line of code in his life) and merely writes whatever he wants to believe without knowing very much about any of it.

    That should be the end of the silly bleating on this one.

    But Miller also said:

    “… ‘We were equally capable of finding [a vulnerability] in Windows if we had to,’ he said.”

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959&pageNumber=2

    So overall we’ve learned what we already knew: current OSes can be broken relatively easily by highly skilled professionals, and internet-facing applications (web browsers, media players, plugins like Adobe Reader or Flash, etc.) are particularly exploitable.

    However, the fact remains that OS X was the easiest to break. That’s what the guy who did it says, and he should know.

    However, don’t sell your Mac yet …

    In the real world few people are actively trying to exploit vulnerabilities on the Mac, because there’s not the profit in it. Keep the Mac, but ignore the “fanboy” columnists and read Mac people who have a bit of disinterestedness and who know what they’re talking about — like Rich Mogull, for example:

    http://db.tidbits.com/article/9529

  6. It seems to me that more and more of the exploits that are being created rely heavily on the social aspect rather than on brute force. Folks are incited, conned, lied to, tricked, or are knowingly putting themselves at risk. Poor user practices seem to be the weak link right now so this is what is being exploited.

    So yes, some flaw is being exploited, but it never could be exploited without someone making a bad decision. Computers must be getting more technically secure, there is significant pressure for that to happen. But are users becoming smarter users?

    If users are becoming better around smarter computing then this should have some kind of metric attached to it in these security contests. I would imagine a demographic model would apply as well. As it stands the PWN2OWN contest doesn’t seem that scientific.

  7. “Well, at least you can browse the web safely with the Fujitsu U810 laptop running Vista Ultimate SP1…”

    rotflmao!

    and naturally, it comes from “reality check”!

    ….where reality never enters the picture.

    “In the real world few people are actively trying to exploit vulnerabilities on the Mac, because there’s not the profit in it.”

    really? there is no profit in hacking machines owned largely by home users, in a niche market, heavily populated by six figure making yuppies? who use their machines for internet banking and stock trades?

    nah, the real profit is in those dime a dozen windows point of sale machines that are constantly watched by a team of IT guys even though there is nothing useful or valuable on the machine.

    so basically, you’re a moron and you admit it in comment threads? stfu.

  8. “Third party” or not, it is irrelevant.

    Safari may be created by Apple, but it is not part of the OS itself.

    Adobe Flash may not be created by Microsoft, but it is pre-installed on almost every Windows PC sold.

    So what’s the difference in terms of real world vulnerability. None. Please think beyond the rules of this staged contest.

  9. I think everyone’s missing the point. The Mac got hacked first because you were getting a MacBook Air!! if you could hack it (plus $10,000 ain’t too shabby). Why bother hacking those other platforms when you were getting a piece ‘o’ crap laptop with a subpar OS on it as a “prize”?

  10. If they would have hacked all of them, they would have $30,000 and three laptops. There wasn’t a limit of one hacked machine per person. Remember they had 30 minutes, that left 28 for the others.

    Last year it was a Quicktime exploit in 30 minutes. Maybe writing software to run on a wide variety of hardware isn’t as simple as you think.

    Oh wait, the Linux laptop wasn’t hacked. I guess it is that easy.

  11. I’m a little disappointed in OS X. Very surprised as well. I mean, 2 minutes? Vista lasted 30 minutes at least. Please close the discussion regarding whether it was an OS hack or a third party app, EVERY mac comes with Safari. If it’s a Safari hack it’s essentially an OS X hack.

  12. Some time before, I did need to buy a house for my firm but I did not earn enough money and could not order anything. Thank God my colleague advised to try to get the credit loans at trustworthy creditors. Hence, I did so and used to be happy with my collateral loan.
