Infrastructure // PC & Servers
Commentary
3/31/2008
09:10 AM
David Berlind

Security Showdown: OS X Caves First, Vista Buckles (Due To Flash), Ubuntu Wins

At the 2008 edition of the PWN to OWN security showdown at CanSecWest (Canada Security West) in Vancouver, an Ubuntu distribution of GNU Linux took top honors after Apple's Mac OS X and Microsoft's Windows Vista eventually caved under hacker pressure. All OSes were up-to-date with the latest patches.

According to Ars Technica:

All [OSes] held out for the first day of the contest (remotely exploitable vulnerabilities), and so the rules were relaxed on the second day to also include any default installed client-side applications. This led to a quick compromise of Safari, and therefore of the MacBook Air laptop... On the third day, the rules were changed again: "popular" third-party client applications were added to the mix, and this is where Vista's security features could not keep up... [due to a] previously undiscovered flaw in the latest version of Adobe's Flash software...

Shortly after last year's PWN to OWN contest, Apple was left holding the bag and had to patch QuickTime. This year, it looks like Safari was the culprit, and Apple will once again issue a patch as a result of the competition (disclosure: after running exclusively on IBM ThinkPads since the first one came out, I now use a MacBook Pro as my primary machine).

One of the ground rules of the hack-a-thon is that any vulnerabilities uncovered during the competition are "responsibly reported" to the vendors before being disclosed to the public. This gives companies like Apple and Microsoft an opportunity to patch the vulnerabilities before any public release of their details could lead to attempted exploits. Details of the vulnerability in the most recent version of Adobe's Flash (the one that led to the compromise of Windows Vista) were disclosed to Adobe.

Meanwhile, it's unknown whether the vulnerability in Safari that led to a compromise of Mac OS X will have any impact on the version of Safari that was recently issued for Windows.

Still, the key takeaways from the competition, in my estimation, were (1) OS X had some insecurities right out of the box (since Safari is built into OS X) and (2) third-party applications like Adobe's Flash are still capable of introducing vulnerabilities to Windows. Clearly, the former is less acceptable than the latter. But I'd argue that the latter is even more insidious, because it means malware could intentionally open the same back doors that Adobe's Flash did. To be fair, OS X buckled early enough in the hacking that it was never determined whether third-party apps could introduce new vulnerabilities there as well. The way the competition works, as soon as a hacker compromises the security of the system, that OS is eliminated from the competition and the hacker gets to keep the system.

One suggestion that I routinely make to all Vista users: run Vista as a less-privileged user. In other words, as a non-administrator. I'm not sure whether doing so would have prevented any exploits of the Flash vulnerability that was discovered at CanSecWest, but there really are very few penalties for running Vista as a non-administrator (well, there's one very annoying one: end users can't stop their system from auto-rebooting after a Windows Update).

Anyway, congratulations to the winners of the contest, who got to walk home with the notebook computers running the OSes that were compromised (e.g., the aforementioned MacBook Air).

Speaking of contests, we usually have some great prizes at The Best Startup Contest at Startup Camp. The next Startup Camp will take place in San Francisco on May 4th and May 5th. We haven't announced the prizes yet, but the first-place prize is usually a high-end AMD Opteron-based server from Sun (of the sort that any startup could use to help drive its business). For more information, check out www.startupcamp.org.

See also: Linux Wins The Security Showdown! Now What? (by Serdar Yegulalp)
