OS X and Windows Vista Are Cracked in Competition, but Ubuntu Survives

The second edition of the PWN to OWN competition, during the CanSecWest security conference in Vancouver, took place from Wednesday to Friday, March 26-28, 2008. Three laptops were in the contest: a MacBook Air with Mac OS X, a Sony VAIO with Ubuntu Linux and a Fujitsu with Windows Vista Ultimate SP1. The rule was simple for those who participate in this type of trial by fire: use an unknown flaw, win the right to take the machine and, depending on the phase, a cash prize. At the end of the three days, only the VAIO with Ubuntu remained intact.

The organization was handled by TippingPoint’s Zero Day Initiative. It’s the program that buys information about vulnerabilities not yet disclosed, protects its customers with signatures and policies, and coordinates responsible disclosure with manufacturers so that fixes come out at the right time. The competition proposal follows this line, rewarding those who find the flaw and requiring that details be delivered to the team for proper notification to suppliers.

On the first day only remote attacks counted, purely over network, with a high prize planned for those who could achieve the feat. None of the three systems fell in this phase. On the second day, everyday applications came into play, like browser, email and messenger. It took only a few minutes after opening for the MacBook Air to be compromised by a Safari vulnerability. The attack used a prepared website to take control of the machine. The exploitation was presented by Charlie Miller and the Independent Security Evaluators team, well-known names in this circuit.

On Friday, the rule allowed exploiting browser plugins and other common programs. The target that gave in was Windows Vista, because of a flaw in Adobe Flash Player. Shane Macaulay conducted the attack, with support from Alexander Sotirov and Derek Callaway. The team had been trying since the previous evening until they managed to close the exploitation chain that earned them the laptop and the cash prize offered for the stage.

Ubuntu was the only one to cross the three days without compromise. The organizers informed that the three systems had the latest versions and all available patches, running with default configurations. This helps understand part of the result. The exploitations that appeared hit the Mac browser and a popular Windows plugin, components that expand the attack surface. In competition scenarios, any implementation or integration error becomes an entry door.

You can’t conclude that Ubuntu is invulnerable. What you can say, from the tests of this edition, is that a combination of architecture, security standards and software choices helped the system resist in that specific context. For manufacturers, the message remains about the importance of hardening browsers and treating the most common dependencies with priority. For users, it’s worth keeping everything updated, choosing plugins and extensions well and remembering that the weak link usually appears outside the system core.

If you want to read the original report, the Linha Defensiva article covered the competition and brings more details: http://linhadefensiva.uol.com.br/2008/03/pwn-to-own-2008/