Linux ignored, not immune, says hacker contest sponsor

And Vista SP1 'put a kink' in Friday's attack

People shouldn't read anything into the fact that of the three laptops set up for last week's "PWN to OWN" hack challenge, the only one left standing was running Linux, said the security expert who oversaw the contest.

"There was just no interest in Ubuntu," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."

Just because the laptop -- a Sony running the Ubuntu 7.10 distribution of Linux -- was untouched doesn't mean that the operating system is any more secure than either Mac OS X or Windows Vista, both of which fell to attacks.

"It was actually a lack of interest" on the part of the PWN to OWN contestants, Forslof said. "[Shane Macaulay's] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows," she continued.

"Linux, it is what it is. The code is a lot more transparent. But vulnerabilities for Mac and Windows, those are the ones that are going to get the press," Forslof added.

Of the three notebooks, the first to go down was a MacBook Air. That machine was hacked last Thursday, the second day of the three-day challenge, by Charlie Miller, using a zero-day vulnerability in Safari. Friday, Macaulay breached a Windows Vista SP1-powered Fujitsu using a flaw in Adobe's Flash.

In both cases, the vulnerabilities were exchanged for cash prizes -- $10,000 for Miller, half that for Macaulay -- and acquired by TippingPoint's bug bounty program, Zero Day Initiative. The bugs have been reported to Apple Inc. and Adobe Systems Inc., respectively, so that the vulnerabilities can be closed.

By design, PWN to OWN's first day was reserved for exploits of remote code vulnerabilities on the operating systems themselves. No one managed to crack a computer that day. It wasn't until the notebooks' attack exposure was expanded -- first to any client-side application installed by default with the operating system, then to a larger group of third-party applications added to the machines -- that the MacBook Air and Fujitsu dropped.

"I really wasn't expecting anything that first day," Forslof said. Not only are vulnerabilities meeting PWN to OWN's first-day criteria harder to find and exploit, but they're also probably worth a lot more than the $20,000 TippingPoint offered that day, Forslof said. "We're talking about a worm-class issue here," she said.

"What a contest like this does show," Forslof said, "is that vulnerabilities are definitely moving up the stack."

That trend, from attacking the operating system to attacking applications, particularly those installed on desktop clients, has been building for months. The vast majority of vulnerabilities found, and when found then exploited, are now in client-side applications such as Internet Explorer, Microsoft Word, Firefox, Adobe Reader and others.

Part of that move toward applications, Forslof said, has been forced on hackers as operating systems have become more secure. This year's contest put that into relief when Macaulay initially had a tough time breaking into the Fujitsu notebook running Vista Service Pack 1.

"SP1 was a huge challenge to him," said Forslof. "When he walked in, he was strutting, he was going to own [that machine], he was going to break it in two minutes, he was going to wow the crowd."

That didn't happen, at least not immediately. Macaulay had prepared an exploit, said Forslof, but he had not tested it against Vista's SP1, which was released to the general public only two weeks ago.

"Microsoft has built a lot of things into its OS to make exploiting vulnerabilities more challenging," Forslof said, ticking off several defensive technologies, including ASLR (address space layout randomization). "Shane had to use some tricks to get that exploit to work on SP1."

Among those tricks, said Forslof, was Macaulay's use of Java and JavaScript "to get some stuff going." She declined to be more specific, citing TippingPoint's policy of not divulging details of the vulnerabilities exploited at PWN to OWN until the affected vendor issues a patch.

"This is where a contest gets interesting," she said. "Vulnerabilities and exploits are hand in hand, of course, but they're two different animals. If Shane had taken this to another platform, it would have been a no-brainer."

According to Forslof, the Flash vulnerability Macaulay exploited on the Vista SP1 notebook is multiplatform and is present, for example, on both Mac OS X and Linux.

Macaulay's difficulty in bringing down the Fujitsu was "immensely fascinating," added Forslof, and provided an opportunity to observe researchers working together, under pressure, as they tried one thing after another until they found an exploit solution.

"The sheer amount of difficulty [he had] exploiting that Flash vulnerability shows that Microsoft has started to make it more difficult for the bad guys," Forslof said when asked to draw some conclusions from PWN to OWN.

"Some of [Microsoft's] defense-in-depth strategies put a kink in the exploit. Everything is breakable, everything is exploitable, but what we'd like to do is narrow the group of people who can do it by making it harder for them," Forslof said.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon