Vista notebook falls in hacker challenge
Follows MacBook Air in 'Pwn to Own' contest; hacker exploits flaw in Flash to win $5,000
Computerworld - A security researcher on Friday exploited a critical bug in Adobe Systems Inc.'s Flash Player to hack a notebook running Windows Vista Ultimate, the second machine to fall in this year's "Pwn to Own" challenge.
The only unclaimed laptop of the original trio by the contest's end was a Sony Vaio running the Ubuntu distribution of Linux.
Shane Macaulay, a consultant at Security Objectives, claimed the $5,000 cash prize by breaking into a Fujitsu U810 running Windows Vista Ultimate SP1 late Friday. According to 3Com Inc.'s TippingPoint unit, which put up the prizes for the three-day hacker challenge at the CanSecWest conference, Macaulay exploited an unidentified zero-day vulnerability of the ubiquitous Flash Player.
Macaulay, who was assisted by Derek Callaway, also of Security Objectives, and Alexander Sotirov, an independent researcher, was the second Pwn to Own winner. On Thursday, Independent Security Evaluators LLC analyst Charlie Miller hacked a MacBook Air using a vulnerability in Apple Inc.'s Safari browser to win the notebook and a $10,000 check from TippingPoint.
Austin, Texas-based TippingPoint, perhaps best known for its Zero Day Initiative (ZDI) bug bounty program, announced Macaulay's win in a post to its blog.
Like Miller, Macaulay was bound by a nondisclosure agreement with the security firm, which under the Pwn to Own rules acquired the vulnerability its ZDI. TippingPoint said it has reported the bug to Adobe. "Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability," the company said in the blog post.
The hacking challenge, which kicked off last Wednesday, expanded the notebooks' exposure to attack after the first and second days. No one, however, walked away with the first day's $20,000 prize, which had required that researchers break into one of the laptops using a remote code-execution exploit that didn't rely on any user interaction. Miller won his $10,000 and the MacBook Air after attacks were allowed on applications installed by default and in which user actions could be replicated.
On Friday, when Macaulay took down Windows Vista, contest organizers added a number of popular third-party client applications to the remaining two notebooks, including Adobe's Acrobat Reader and Flash Player, the Firefox browser, and voice-over-IP program Skype.
Adobe patched Flash Player several times last year. The most recent large-scale security update was issued last December to plug nine holes in the software.
Macaulay also had a part in 2007's inaugural Pwn to Own contest, which pitted a single computer, a MacBook Pro, against all comers for a $10,000 prize. Although Dino Dai Zovi provided the QuickTime exploit that hacked the machine last year, Macaulay served as his on-site partner.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts