Bad security news for Vista

[Guest nospam]

Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking

contestContestant overcomes bout of 'hacktile dysfunction'

By Dan Goodin in Vancouver → More by this author

Published Saturday 29th March 2008 21:27 GMT

 

--------------------------------------------------------------------------------

 

CanSecWest A laptop running a fully patched version of Microsoft's Vista

operating system was the second and final machine to fall in a hacking

contest that pitted the security of Windows, OS X and Ubuntu Linux. With

both a Windows and Mac machine felled, only the Linux box remained

standing following the three-day competition.

 

Shane Macaulay, who played a hand bringing down a Mac during last year's

Pwn2Own contest, defeated the Vista machine using a previously unknown

vulnerability in Adobe Flash. On final day of the CanSecWest conference

in Vancouver, Macaulay spent the better part of four hours trying to get

the exploit to work. (The delay prompted one spectator to playfully dub

the difficulty "hacktile dysfunction.")

 

A MacBook Pro running a fully patched version of Leopard was the first

to drop out during day two of the race, when researchers from

Independent Security Evaluators demonstrated a previously unknown

vulnerability in Apple's Safari browser. With brand new boxes running

both Ubuntu and Vista remaining, Macaulay spent day three switching back

and forth between the two machines, trying to get his Flash exploit to

execute properly. He was assisted by Alex Sotirov, a security researcher

at VMware.

 

Initially thwarting Macaulay's efforts was the recently released Service

Pack 1 for Vista, which he had neglected to install when testing the

Flash exploit in the days leading up to the contest. Per the contest

rules, each target machine had to be fully patched, and when the

researcher first ran the code during the competition, new page

protections added by Microsoft's security team prevented the exploit

from properly executing.

 

"They had done some stuff in Vista to prohibit this form of attack from

being successful on third party software," Macaulay said minutes after

he finally commandeered the Fujitsu U810 laptop. "We had to do some

porting to get around that issue."

 

Macaulay and Sotirov fashioned some javascript to circumvent the new

measure, a feat that effectively allows them "to render that protection

ineffective," Macaulay said.

 

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero

Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he

would probably sell the machine, which he and Sotirov autographed with a

black Sharpie pen, on eBay.

 

Under contest rules, qualifying exploits on day one had to target

default installations of the operating system itself and winners were

allowed to walk away with the hacked box and a $20,000 bounty. Contest

organizers gradually expanded the eligible attack surface on days two

and three by allowing an vulnerabilities in an increasing number of

third party applications. The bounty dropped to $10,000 on day 2 and

$5,000 on day three. No one bothered competing on day one.

 

Plenty of commentators have made hay of the MacBook Pro being the first

to exit the race, and Linux zealots are sure to conclude the contest

results prove the superiority of that platform. Maybe. But that's not

how it looks to Macaulay, who says with a few hours of tweaking, his

exploit will also work on OS X and Linux.

 

The better take-away is that exploits like these are a fact of life for

everyone no matter what kind of machine they choose (are you listening,

Mac Guy?). Another lesson: just as quickly as Microsoft or any other

developer adds new measures like page protection to their code base,

hackers, ethical and otherwise, are find ways to work around them.

 

"Nobody can do anything about it, because you're always going to be

installing something" that will bypass security, Macaulay, who wore torn

blue jeans and a Puma jogging jacket, said with a shrug. "If it's not

Java, it'll be something else." ®

[Guest Dustin Harper]

Re: Bad security news for Vista

 

Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX was

gone in ~ 2 minutes...

 

Yes, Linux is very secure, but that report isn't all that bad for Windows.

 

--

 

Dustin Harper

dharper@vistarip.com

http://www.vistarip.com | Vista Resource & Information Page

 

 

"nospam" <nospam@nospam.net> wrote in message

news:47eed7c8$0$30700$4c368faf@roadrunner.com...

> Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking

> contestContestant overcomes bout of 'hacktile dysfunction'

> By Dan Goodin in Vancouver → More by this author

> Published Saturday 29th March 2008 21:27 GMT

>

> --------------------------------------------------------------------------------

>

> CanSecWest A laptop running a fully patched version of Microsoft's Vista

> operating system was the second and final machine to fall in a hacking

> contest that pitted the security of Windows, OS X and Ubuntu Linux. With

> both a Windows and Mac machine felled, only the Linux box remained

> standing following the three-day competition.

>

> Shane Macaulay, who played a hand bringing down a Mac during last year's

> Pwn2Own contest, defeated the Vista machine using a previously unknown

> vulnerability in Adobe Flash. On final day of the CanSecWest conference in

> Vancouver, Macaulay spent the better part of four hours trying to get the

> exploit to work. (The delay prompted one spectator to playfully dub the

> difficulty "hacktile dysfunction.")

>

> A MacBook Pro running a fully patched version of Leopard was the first to

> drop out during day two of the race, when researchers from Independent

> Security Evaluators demonstrated a previously unknown vulnerability in

> Apple's Safari browser. With brand new boxes running both Ubuntu and Vista

> remaining, Macaulay spent day three switching back and forth between the

> two machines, trying to get his Flash exploit to execute properly. He was

> assisted by Alex Sotirov, a security researcher at VMware.

>

> Initially thwarting Macaulay's efforts was the recently released Service

> Pack 1 for Vista, which he had neglected to install when testing the Flash

> exploit in the days leading up to the contest. Per the contest rules, each

> target machine had to be fully patched, and when the researcher first ran

> the code during the competition, new page protections added by Microsoft's

> security team prevented the exploit from properly executing.

>

> "They had done some stuff in Vista to prohibit this form of attack from

> being successful on third party software," Macaulay said minutes after he

> finally commandeered the Fujitsu U810 laptop. "We had to do some porting

> to get around that issue."

>

> Macaulay and Sotirov fashioned some javascript to circumvent the new

> measure, a feat that effectively allows them "to render that protection

> ineffective," Macaulay said.

>

> It also allows them to pocket a $5,000 bounty from Tipping Point's Zero

> Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would

> probably sell the machine, which he and Sotirov autographed with a black

> Sharpie pen, on eBay.

>

> Under contest rules, qualifying exploits on day one had to target default

> installations of the operating system itself and winners were allowed to

> walk away with the hacked box and a $20,000 bounty. Contest organizers

> gradually expanded the eligible attack surface on days two and three by

> allowing an vulnerabilities in an increasing number of third party

> applications. The bounty dropped to $10,000 on day 2 and $5,000 on day

> three. No one bothered competing on day one.

>

> Plenty of commentators have made hay of the MacBook Pro being the first to

> exit the race, and Linux zealots are sure to conclude the contest results

> prove the superiority of that platform. Maybe. But that's not how it looks

> to Macaulay, who says with a few hours of tweaking, his exploit will also

> work on OS X and Linux.

>

> The better take-away is that exploits like these are a fact of life for

> everyone no matter what kind of machine they choose (are you listening,

> Mac Guy?). Another lesson: just as quickly as Microsoft or any other

> developer adds new measures like page protection to their code base,

> hackers, ethical and otherwise, are find ways to work around them.

>

> "Nobody can do anything about it, because you're always going to be

> installing something" that will bypass security, Macaulay, who wore torn

> blue jeans and a Puma jogging jacket, said with a shrug. "If it's not

> Java, it'll be something else." ®

[Guest DevilsPGD]

Re: Bad security news for Vista

 

In message <47eed7c8$0$30700$4c368faf@roadrunner.com> nospam

<nospam@nospam.net> wrote:

>Plenty of commentators have made hay of the MacBook Pro being the first

>to exit the race, and Linux zealots are sure to conclude the contest

>results prove the superiority of that platform. Maybe. But that's not

>how it looks to Macaulay, who says with a few hours of tweaking, his

>exploit will also work on OS X and Linux.

 

This is really the crux of it, all three OSes survived at the core

level, OSX fell due to built-in software, without the user authorizing

specific software installation.

 

News that third party software might have vulnerabilities that can

compromise the user account running the software isn't really news at

all -- If day #3 is included, day #4 should be "hack the machine with

the administrator/root password and physical access"

[Guest Howard Swope]

Re: Bad security news for Vista

 

I understand that if you unplug a linux machine it will continue to work,

where both the Mac and Windows machine require power...

 

"Dustin Harper" <dharper@vistarip.com> wrote in message

news:DA91C1BA-651B-4C40-BCDD-057FFCCFBCF9@microsoft.com...

> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX

> was gone in ~ 2 minutes...

>

> Yes, Linux is very secure, but that report isn't all that bad for Windows.

>

> --

>

> Dustin Harper

> dharper@vistarip.com

> http://www.vistarip.com | Vista Resource & Information Page

>

>

> "nospam" <nospam@nospam.net> wrote in message

> news:47eed7c8$0$30700$4c368faf@roadrunner.com...

>> Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking

>> contestContestant overcomes bout of 'hacktile dysfunction'

>> By Dan Goodin in Vancouver → More by this author

>> Published Saturday 29th March 2008 21:27 GMT

>>

>> --------------------------------------------------------------------------------

>>

>> CanSecWest A laptop running a fully patched version of Microsoft's Vista

>> operating system was the second and final machine to fall in a hacking

>> contest that pitted the security of Windows, OS X and Ubuntu Linux. With

>> both a Windows and Mac machine felled, only the Linux box remained

>> standing following the three-day competition.

>>

>> Shane Macaulay, who played a hand bringing down a Mac during last year's

>> Pwn2Own contest, defeated the Vista machine using a previously unknown

>> vulnerability in Adobe Flash. On final day of the CanSecWest conference

>> in Vancouver, Macaulay spent the better part of four hours trying to get

>> the exploit to work. (The delay prompted one spectator to playfully dub

>> the difficulty "hacktile dysfunction.")

>>

>> A MacBook Pro running a fully patched version of Leopard was the first to

>> drop out during day two of the race, when researchers from Independent

>> Security Evaluators demonstrated a previously unknown vulnerability in

>> Apple's Safari browser. With brand new boxes running both Ubuntu and

>> Vista remaining, Macaulay spent day three switching back and forth

>> between the two machines, trying to get his Flash exploit to execute

>> properly. He was assisted by Alex Sotirov, a security researcher at

>> VMware.

>>

>> Initially thwarting Macaulay's efforts was the recently released Service

>> Pack 1 for Vista, which he had neglected to install when testing the

>> Flash exploit in the days leading up to the contest. Per the contest

>> rules, each target machine had to be fully patched, and when the

>> researcher first ran the code during the competition, new page

>> protections added by Microsoft's security team prevented the exploit from

>> properly executing.

>>

>> "They had done some stuff in Vista to prohibit this form of attack from

>> being successful on third party software," Macaulay said minutes after he

>> finally commandeered the Fujitsu U810 laptop. "We had to do some porting

>> to get around that issue."

>>

>> Macaulay and Sotirov fashioned some javascript to circumvent the new

>> measure, a feat that effectively allows them "to render that protection

>> ineffective," Macaulay said.

>>

>> It also allows them to pocket a $5,000 bounty from Tipping Point's Zero

>> Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would

>> probably sell the machine, which he and Sotirov autographed with a black

>> Sharpie pen, on eBay.

>>

>> Under contest rules, qualifying exploits on day one had to target default

>> installations of the operating system itself and winners were allowed to

>> walk away with the hacked box and a $20,000 bounty. Contest organizers

>> gradually expanded the eligible attack surface on days two and three by

>> allowing an vulnerabilities in an increasing number of third party

>> applications. The bounty dropped to $10,000 on day 2 and $5,000 on day

>> three. No one bothered competing on day one.

>>

>> Plenty of commentators have made hay of the MacBook Pro being the first

>> to exit the race, and Linux zealots are sure to conclude the contest

>> results prove the superiority of that platform. Maybe. But that's not how

>> it looks to Macaulay, who says with a few hours of tweaking, his exploit

>> will also work on OS X and Linux.

>>

>> The better take-away is that exploits like these are a fact of life for

>> everyone no matter what kind of machine they choose (are you listening,

>> Mac Guy?). Another lesson: just as quickly as Microsoft or any other

>> developer adds new measures like page protection to their code base,

>> hackers, ethical and otherwise, are find ways to work around them.

>>

>> "Nobody can do anything about it, because you're always going to be

>> installing something" that will bypass security, Macaulay, who wore torn

>> blue jeans and a Puma jogging jacket, said with a shrug. "If it's not

>> Java, it'll be something else." ®

>

[Guest Zootal]

Re: Bad security news for Vista

 

It's better then that. When the power goes off, my linux machine powers my

entire house :D

 

"Howard Swope" <howard_swopeAThms3DOTcom> wrote in message

news:u7C%23RrhkIHA.2304@TK2MSFTNGP05.phx.gbl...

>I understand that if you unplug a linux machine it will continue to work,

>where both the Mac and Windows machine require power...

>

[Guest Chris Cowles]

Re: Bad security news for Vista

 

"Dustin Harper" <dharper@vistarip.com> wrote in message news:DA91C1BA-651B-4C40-BCDD-057FFCCFBCF9@microsoft.com...

> Yes, Linux is very secure, but that report isn't all that bad for Windows.

>> ... But that's not how it looks to Macaulay, who says with a few hours

>> of tweaking, his exploit will also work on ... Linux.

[Guest miso@sushi.com]

Re: Bad security news for Vista

 

On Mar 29, 6:45 pm, "Dustin Harper" <dhar...@vistarip.com> wrote:

> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX was

> gone in ~ 2 minutes...

>

> Yes, Linux is very secure, but that report isn't all that bad for Windows.

>

> --

>

> Dustin Harper

> dhar...@vistarip.comhttp://www.vistarip.com| Vista Resource & Information Page

>

> "nospam" <nos...@nospam.net> wrote in message

>

> news:47eed7c8$0$30700$4c368faf@roadrunner.com...

>

> > Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking

> > contestContestant overcomes bout of 'hacktile dysfunction'

> > By Dan Goodin in Vancouver �$B"*�(B More by this author

> > Published Saturday 29th March 2008 21:27 GMT

>

> > --------------------------------------------------------------------------------

>

> > CanSecWest A laptop running a fully patched version of Microsoft's Vista

> > operating system was the second and final machine to fall in a hacking

> > contest that pitted the security of Windows, OS X and Ubuntu Linux. With

> > both a Windows and Mac machine felled, only the Linux box remained

> > standing following the three-day competition.

>

> > Shane Macaulay, who played a hand bringing down a Mac during last year's

> > Pwn2Own contest, defeated the Vista machine using a previously unknown

> > vulnerability in Adobe Flash. On final day of the CanSecWest conference in

> > Vancouver, Macaulay spent the better part of four hours trying to get the

> > exploit to work. (The delay prompted one spectator to playfully dub the

> > difficulty "hacktile dysfunction.")

>

> > A MacBook Pro running a fully patched version of Leopard was the first to

> > drop out during day two of the race, when researchers from Independent

> > Security Evaluators demonstrated a previously unknown vulnerability in

> > Apple's Safari browser. With brand new boxes running both Ubuntu and Vista

> > remaining, Macaulay spent day three switching back and forth between the

> > two machines, trying to get his Flash exploit to execute properly. He was

> > assisted by Alex Sotirov, a security researcher at VMware.

>

> > Initially thwarting Macaulay's efforts was the recently released Service

> > Pack 1 for Vista, which he had neglected to install when testing the Flash

> > exploit in the days leading up to the contest. Per the contest rules, each

> > target machine had to be fully patched, and when the researcher first ran

> > the code during the competition, new page protections added by Microsoft's

> > security team prevented the exploit from properly executing.

>

> > "They had done some stuff in Vista to prohibit this form of attack from

> > being successful on third party software," Macaulay said minutes after he

> > finally commandeered the Fujitsu U810 laptop. "We had to do some porting

> > to get around that issue."

>

> > Macaulay and Sotirov fashioned some javascript to circumvent the new

> > measure, a feat that effectively allows them "to render that protection

> > ineffective," Macaulay said.

>

> > It also allows them to pocket a $5,000 bounty from Tipping Point's Zero

> > Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would

> > probably sell the machine, which he and Sotirov autographed with a black

> > Sharpie pen, on eBay.

>

> > Under contest rules, qualifying exploits on day one had to target default

> > installations of the operating system itself and winners were allowed to

> > walk away with the hacked box and a $20,000 bounty. Contest organizers

> > gradually expanded the eligible attack surface on days two and three by

> > allowing an vulnerabilities in an increasing number of third party

> > applications. The bounty dropped to $10,000 on day 2 and $5,000 on day

> > three. No one bothered competing on day one.

>

> > Plenty of commentators have made hay of the MacBook Pro being the first to

> > exit the race, and Linux zealots are sure to conclude the contest results

> > prove the superiority of that platform. Maybe. But that's not how it looks

> > to Macaulay, who says with a few hours of tweaking, his exploit will also

> > work on OS X and Linux.

>

> > The better take-away is that exploits like these are a fact of life for

> > everyone no matter what kind of machine they choose (are you listening,

> > Mac Guy?). Another lesson: just as quickly as Microsoft or any other

> > developer adds new measures like page protection to their code base,

> > hackers, ethical and otherwise, are find ways to work around them.

>

> > "Nobody can do anything about it, because you're always going to be

> > installing something" that will bypass security, Macaulay, who wore torn

> > blue jeans and a Puma jogging jacket, said with a shrug. "If it's not

> > Java, it'll be something else." ®

 

I really wish there was a way to stop websites from using flash. I

can't think of a more useless program, not to mention it is

proprietary. I use firefox to block flash since many websites are

using flash for adverts.

[Guest John Barnes]

Re: Bad security news for Vista

 

Just use IE64. Except for the nag message at the top of the screen, it works

fine.

 

 

<miso@sushi.com> wrote in message

news:1c29448f-1a2b-4179-b75a-316874ff7836@u10g2000prn.googlegroups.com...

> On Mar 29, 6:45 pm, "Dustin Harper" <dhar...@vistarip.com> wrote:

>> Yea, but due to a vulnerability in Flash, not Microsoft's code. And OSX

>> was

>> gone in ~ 2 minutes...

>>

>> Yes, Linux is very secure, but that report isn't all that bad for

>> Windows.

>>

>> --

>>

>> Dustin Harper

>> dhar...@vistarip.comhttp://www.vistarip.com| Vista Resource & Information

>> Page

>>

>> "nospam" <nos...@nospam.net> wrote in message

>>

>> news:47eed7c8$0$30700$4c368faf@roadrunner.com...

>>

>> > Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking

>> > contestContestant overcomes bout of 'hacktile dysfunction'

>> > By Dan Goodin in Vancouver �$B"*�(B More by this author

>> > Published Saturday 29th March 2008 21:27 GMT

>>

>> > --------------------------------------------------------------------------------

>>

>> > CanSecWest A laptop running a fully patched version of Microsoft's

>> > Vista

>> > operating system was the second and final machine to fall in a hacking

>> > contest that pitted the security of Windows, OS X and Ubuntu Linux.

>> > With

>> > both a Windows and Mac machine felled, only the Linux box remained

>> > standing following the three-day competition.

>>

>> > Shane Macaulay, who played a hand bringing down a Mac during last

>> > year's

>> > Pwn2Own contest, defeated the Vista machine using a previously unknown

>> > vulnerability in Adobe Flash. On final day of the CanSecWest conference

>> > in

>> > Vancouver, Macaulay spent the better part of four hours trying to get

>> > the

>> > exploit to work. (The delay prompted one spectator to playfully dub the

>> > difficulty "hacktile dysfunction.")

>>

>> > A MacBook Pro running a fully patched version of Leopard was the first

>> > to

>> > drop out during day two of the race, when researchers from Independent

>> > Security Evaluators demonstrated a previously unknown vulnerability in

>> > Apple's Safari browser. With brand new boxes running both Ubuntu and

>> > Vista

>> > remaining, Macaulay spent day three switching back and forth between

>> > the

>> > two machines, trying to get his Flash exploit to execute properly. He

>> > was

>> > assisted by Alex Sotirov, a security researcher at VMware.

>>

>> > Initially thwarting Macaulay's efforts was the recently released

>> > Service

>> > Pack 1 for Vista, which he had neglected to install when testing the

>> > Flash

>> > exploit in the days leading up to the contest. Per the contest rules,

>> > each

>> > target machine had to be fully patched, and when the researcher first

>> > ran

>> > the code during the competition, new page protections added by

>> > Microsoft's

>> > security team prevented the exploit from properly executing.

>>

>> > "They had done some stuff in Vista to prohibit this form of attack from

>> > being successful on third party software," Macaulay said minutes after

>> > he

>> > finally commandeered the Fujitsu U810 laptop. "We had to do some

>> > porting

>> > to get around that issue."

>>

>> > Macaulay and Sotirov fashioned some javascript to circumvent the new

>> > measure, a feat that effectively allows them "to render that protection

>> > ineffective," Macaulay said.

>>

>> > It also allows them to pocket a $5,000 bounty from Tipping Point's Zero

>> > Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he

>> > would

>> > probably sell the machine, which he and Sotirov autographed with a

>> > black

>> > Sharpie pen, on eBay.

>>

>> > Under contest rules, qualifying exploits on day one had to target

>> > default

>> > installations of the operating system itself and winners were allowed

>> > to

>> > walk away with the hacked box and a $20,000 bounty. Contest organizers

>> > gradually expanded the eligible attack surface on days two and three by

>> > allowing an vulnerabilities in an increasing number of third party

>> > applications. The bounty dropped to $10,000 on day 2 and $5,000 on day

>> > three. No one bothered competing on day one.

>>

>> > Plenty of commentators have made hay of the MacBook Pro being the first

>> > to

>> > exit the race, and Linux zealots are sure to conclude the contest

>> > results

>> > prove the superiority of that platform. Maybe. But that's not how it

>> > looks

>> > to Macaulay, who says with a few hours of tweaking, his exploit will

>> > also

>> > work on OS X and Linux.

>>

>> > The better take-away is that exploits like these are a fact of life for

>> > everyone no matter what kind of machine they choose (are you listening,

>> > Mac Guy?). Another lesson: just as quickly as Microsoft or any other

>> > developer adds new measures like page protection to their code base,

>> > hackers, ethical and otherwise, are find ways to work around them.

>>

>> > "Nobody can do anything about it, because you're always going to be

>> > installing something" that will bypass security, Macaulay, who wore

>> > torn

>> > blue jeans and a Puma jogging jacket, said with a shrug. "If it's not

>> > Java, it'll be something else." ®

>

> I really wish there was a way to stop websites from using flash. I

> can't think of a more useless program, not to mention it is

> proprietary. I use firefox to block flash since many websites are

> using flash for adverts.

[Guest DevilsPGD]

Re: Bad security news for Vista

 

In message

<1c29448f-1a2b-4179-b75a-316874ff7836@u10g2000prn.googlegroups.com>

miso@sushi.com wrote:

>I really wish there was a way to stop websites from using flash.

 

Don't install Flash and you'll find the problem goes away.