Linux: Last OS Standing

[phernandez]

Vista second OS to fall to hackers in security contest - Ars Technica

After Mac OS X, Vista fell at PWN2OWN. Linux persevered, however...

Microsoft's Internet Explorer team should see this as a great accomplishment considering how poor IE6's security record has been. It looks like Vista's IE7 stood up to the challenge. Nevertheless, Vista's fall on the last day left the Sony Vaio laptop running Ubuntu as the ultimate winner—Linux was the last OS left standing.

Grats to Ubuntu!

[Negative]

I think the following reply to that article places everything in perspective:

RGMBill's comment
Vista was indeed "beaten" by a flaw in Flash.... but the people who exploited it said the flaw was in ALL versions of Flash, meaning that they had a choice of choosing the Vista laptop or the Ubuntu laptop, as the one they cracked, they kept (the Macbook was cracked the day before, and so wasn't in the running) ... the Vista laptop was a bit nicer and more expensive, so they went for it.

If the Linux laptop had been more valuable, they would have done the exploit via Linux. And then the headlines would say "Vista uncracked!" or some other, also misleading, title.

[MrLinus]

Interesting. Although I've started developing a personal hate for IE7 at this point for other reasons. I think this may highlight that a lot of vulnerabilities are no longer OS specific and that one shouldn't assume that just because it's not listed for your OS that you aren't vulnerable (until it's verified as such -- and even then, I'd be suspicious).

[phernandez]

Good find, Neg. Thanks!

[JPnyc]

Yet another reason to keep flash disabled, as if I needed one.

[gore]

But then you can't watch Strong Bad !



anyway, even though I'm mostly a UNIX type OS user, I'm with Neg on this one too in that they could have gone for either OS. What they should have done afterwards was make an announcement and see if anyone could get either one without that.

Testing OS security using non platform specific exploits is kind of like saying my car is better because no one tossed a brick through the windows (pun!) like they do on Chevy cars.

That doesn't mean no one can break the Windows (Pun!!!!) it just means no one has unless I'm using special glass that can take a brick.

[JPnyc]

I don't even know what that is.

[nihil]

I agree with gore on this one.............well mostly. This is the bit that caught my attention:

all held out for the first day of the contest (remotely exploitable vulnerabilities), and so the rules were relaxed on the second day to also include any default installed client-side applications. This led to a quick compromise of Safari, and therefore of the MacBook Air laptop. Vista and Linux remained unscathed.

I think that it is reasonable to include default installations if you are looking at the average user vulnerability angle; but user chosen third party software is a totally different issue.

Actually the whole exercise strikes me as some sort of farce. The way I see it they had to move the goalposts twice and even then none of the OSes was actually compromised?

[brokencrow]

Arstechnica didn't have the whole story. The Register reported Shane Macaulay, who hacked Vista in the contest, was initially thwarted by Vista's SP1, "which he had neglected to install when testing the Flash exploit in the days leading up to the contest. Per the contest rules, each target machine had to be fully patched, and when the researcher first ran the code during the competition, new page protections added by Microsoft's security team prevented the exploit from properly executing."

Macaulay fashioned some javascript to finish off the job. It is a bit of a farce, isn't it, but aren't all games? As for Ubuntu, it looks like security-by-obscurity has its place, albeit a minor one.

[gore]

Had they used Slackware we wouldn't be arguing to begin with, you have to install flash manually with that normally.