Security Showdown: OS X Caves First, Vista Buckles (Due To Flash), Ubuntu Wins
At the 2008 edition of the PWN to OWN security showdown at CanSecWest (Canada Security West) in Vancouver, an Ubuntu distribution of GNU Linux took top honors after Apple's Mac OS X and Microsoft's Windows Vista eventually caved under hacker pressure. All OSes were up-to-date with the latest patches.
All [OSes] held out for the first day of the contest (remotely exploitable vulnerabilities), and so the rules were relaxed on the second day to also include any default installed client-side applications. This led to a quick compromise of Safari, and therefore of the MacBook Air laptop… On the third day, the rules were changed again: "popular" third-party client applications were added to the mix, and this is where Vista's security features could not keep up… [due to a] previously undiscovered flaw in the latest version of Adobe's Flash software…
Shortly after last year's PWN to OWN contest, Apple was left holding the bag and had to patch QuickTime. This year, it looks like Safari was the culprit and Apple will once again issue a patch as a result of the competition (disclosure: after running exclusively on IBM ThinkPads since the first one came out, I now use a MacBook Pro as my primary machine).
One of the ground rules of the hack-a-thon is that any vulnerabilities that are uncovered as a result of the competition are "responsibly reported" to the OS vendors before being disclosed to the public. This gives companies like Apple and Microsoft an opportunity to patch the vulnerabilities before any public release of their details could lead to attempted exploits. Details of the vulnerability in Adobe's most recent version of Flash (the one that led to the compromise of Windows Vista) were disclosed to Adobe.
Meanwhile, it's unknown whether the vulnerability in Safari that led to a compromise of Mac OS X will have any impact on the version of Safari that was recently issued for Windows.
Still, the key take-aways from the competition in my estimation were (1) OS X had some insecurities coming right out of the box (since Safari comes built-in to OS X) and (2) third-party applications like Adobe's Flash are still capable of introducing vulnerabilities to Windows. Clearly, the former is less acceptable than the latter. But I'd argue that the latter is even more insidious because it means malware could intentionally open the same back doors that Adobe's Flash did. To be fair, OS X buckled early enough in the hacking that it was never determined if third-party apps could introduce new vulnerabilities there as well. The way the competition works, as soon as a hacker compromises the security of the system, that OS is eliminated from the competition and the hacker gets to keep the system.
One suggestion that I routinely make to all Vista users: run Vista as a less privileged user. In other words, as a non-administrator. I'm not sure if doing so would have prevented any exploits due to the Flash vulnerability that was discovered at CanSecWest, but there really are very few penalties for running Vista as a non-administrator (well, there's one very annoying one where end-users can't stop their system from auto-rebooting after a Windows Update).
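A quick way to check whether you are actually following that advice is to ask Windows what your current token looks like. The script below is an added example written for this post, not code from the article or from any vendor; it assumes Windows PowerShell is installed (an optional download on Vista) and only reads state, changing nothing. It reports whether the current session holds administrator rights, whether UAC is turned on, and which accounts are members of the local Administrators group, using the ADSI WinNT provider because the newer Get-LocalGroupMember cmdlet does not exist on Vista-era PowerShell.

```powershell
# Added example (not from the original post): report the privilege level of
# the current session so a user can confirm day-to-day work runs as a
# standard (non-administrator) account. Read-only; nothing is modified.

function Test-IsAdministrator {
    # True when the current token carries the built-in Administrators role.
    # Under UAC an administrator who has not elevated gets a filtered token,
    # so this returns False for "admin account, but not elevated" sessions too.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacState {
    # EnableLUA = 1 means User Account Control is on. The key is readable
    # by standard users, so this works from a non-administrator session.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($value -eq 1) { return 'enabled' } else { return 'disabled or unknown' }
}

function Get-LocalAdministrators {
    # Enumerate the local Administrators group via the ADSI WinNT provider,
    # which is available on Vista without any additional modules.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

$user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Current user        : $user"
Write-Host "Running as admin    : $(Test-IsAdministrator)"
Write-Host "UAC                 : $(Get-UacState)"
Write-Host "Local Administrators:"
Get-LocalAdministrators | ForEach-Object { Write-Host "  $_" }

if (Test-IsAdministrator) {
    Write-Host "This session has administrator rights. Consider doing routine"
    Write-Host "browsing and office work from a standard account and elevating"
    Write-Host "only when an administrative task actually requires it."
}
```

If the list of local Administrators includes the account you browse the web with, that is the account a browser or plug-in exploit would inherit. Moving it to the Users group (and keeping a separate administrator account for installs and updates) is the change the paragraph above is recommending.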
Anyway, congratulations to the winners of the contest who got to walk home with the notebook computers running the OSes that were compromised (e.g., the aforementioned MacBook Air).
Speaking of contests, we usually have some great prizes at The Best Startup Contest at Startup Camp. The next Startup Camp will take place in San Francisco on May 4th and May 5th. We haven't announced the prizes yet but first place prize is usually a high-end AMD Opteron-based server from Sun (of the sort that any startup could use to help drive their business). For more information, check out www.startupcamp.org.