Security Showdown: OS X Caves First, Vista Buckles (Due To Flash), Ubuntu Wins - InformationWeek

Commentary
3/31/2008
09:10 AM
David Berlind
Security Showdown: OS X Caves First, Vista Buckles (Due To Flash), Ubuntu Wins

At the 2008 edition of the PWN to OWN security showdown at CanSecWest (Canada Security West) in Vancouver, an Ubuntu distribution of GNU Linux took top honors after Apple's Mac OS X and Microsoft's Windows Vista eventually caved under hacker pressure. All OSes were up-to-date with the latest patches.

According to Ars Technica:

All [OSes] held out for the first day of the contest (remotely exploitable vulnerabilities), and so the rules were relaxed on the second day to also include any default installed client-side applications. This led to a quick compromise of Safari, and therefore of the MacBook Air laptop… On the third day, the rules were changed again: "popular" third-party client applications were added to the mix, and this is where Vista's security features could not keep up… [due to a] previously undiscovered flaw in the latest version of Adobe's Flash software…

Shortly after last year's PWN to OWN contest, Apple was left holding the bag and had to patch QuickTime. This year, it looks like Safari was the culprit, and Apple will once again issue a patch as a result of the competition (disclosure: after running exclusively on IBM ThinkPads since the first one came out, I now use a MacBook Pro as my primary machine).

One of the ground rules of the hack-a-thon is that any vulnerabilities uncovered as a result of the competition are "responsibly reported" to the OS vendors before being disclosed to the public. This gives companies like Apple and Microsoft an opportunity to patch the vulnerabilities before any public release of their details could lead to attempted exploits. Details of the vulnerability in the most recent version of Adobe's Flash (the one that led to the compromise of Windows Vista) were disclosed to Adobe.

Meanwhile, it's unknown whether the vulnerability in Safari that led to a compromise of Mac OS X will have any impact on the version of Safari that was recently issued for Windows.

Still, the key take-aways from the competition, in my estimation, were (1) OS X had some insecurities coming right out of the box (since Safari comes built in to OS X) and (2) third-party applications like Adobe's Flash are still capable of introducing vulnerabilities to Windows. Clearly, the former is less acceptable than the latter. But I'd argue that the latter is even more insidious, because it means malware could intentionally open the same back doors that Adobe's Flash did. To be fair, OS X buckled early enough in the hacking that it was never determined whether third-party apps could introduce new vulnerabilities there as well. The way the competition works, as soon as a hacker compromises the security of the system, that OS is eliminated from the competition and the hacker gets to keep the system.

One suggestion that I routinely make to all Vista users: run Vista as a lesser-privileged user. In other words, as a non-administrator. I'm not sure whether doing so would have prevented any exploits of the Flash vulnerability that was discovered at CanSecWest, but there really are very few penalties for running Vista as a non-administrator (well, there's one very annoying one where end users can't stop their system from auto-rebooting after a Windows Update).
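As an added illustration of that suggestion (this is example code, not something from the article or from Microsoft), the PowerShell snippet below checks whether the current session is running with administrative rights and shows how to create a separate standard (non-administrator) account for daily use. It relies only on the .NET WindowsPrincipal API and the net.exe commands that exist on Vista; the account name "dailyuser" is a placeholder.

```powershell
# Added example, not part of the original article.
# Assumes Windows Vista or later with PowerShell; "dailyuser" is a placeholder name.

function Test-IsAdministrator {
    # Reflects the token of the current process. Under UAC a member of the
    # Administrators group that has not elevated runs on a filtered token,
    # so this returns $false until an elevation prompt has been accepted.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-StandardUser {
    param([string]$Name)
    # 'net user <name> * /add' prompts for a password and creates the account
    # as a member of the Users group only (not Administrators).
    net user $Name * /add
    # Show the resulting group memberships so the operator can confirm the
    # account is not an administrator.
    net user $Name | Select-String "Local Group Memberships"
}

if (Test-IsAdministrator) {
    Write-Output "This session has administrator rights; use it for setup only."
    Write-Output "Create a standard account for everyday work, e.g.: New-StandardUser -Name dailyuser"
} else {
    Write-Output "Running as a standard user; UAC will prompt for elevation when an admin task needs it."
}
```

Run the script from an elevated prompt once to create the standard account, then log in with that account for browsing and email; anything that needs administrative rights will trigger a UAC prompt rather than silently running with full privileges.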

Anyway, congratulations to the winners of the contest, who got to walk home with the notebook computers running the OSes that were compromised (e.g., the aforementioned MacBook Air).

Speaking of contests, we usually have some great prizes at The Best Startup Contest at Startup Camp. The next Startup Camp will take place in San Francisco on May 4th and May 5th. We haven't announced the prizes yet, but the first-place prize is usually a high-end AMD Opteron-based server from Sun (of the sort that any startup could use to help drive their business). For more information, check out www.startupcamp.org.

See also: Linux Wins The Security Showdown! Now What? (by Serdar Yegulalp)
