[ISN] So what's the easiest box to hack - Vista, Ubuntu or OS X?

From: InfoSec News (alerts@private)
Date: Wed Mar 19 2008 - 22:13:17 PST


http://www.theregister.co.uk/2008/03/19/pwn2own_contest_returns/

By Dan Goodin in San Francisco
The Register
19th March 2008

Tired of all the knee-jerk banter from fanboys about whose operating 
system is the most secure? So are the organizers of the CanSecWest 
security conference, which will be held in Vancouver later this month. 
And with a contest awarding as much as $25,000 worth of prizes, they're 
likely to breathe fresh life into a stale debate.

This year's Pwn2Own competition will place three brand-new, fully 
patched laptops side by side: a Fujitsu U810 running Vista Ultimate, a 
Vaio VGN-TZ37Cn running Ubuntu 7.10 and a MacBook Air running Leopard. 
The first person to remotely run code on each one gets to take the 
machine home, and is automatically entered into the running for a 
$25,000 award from TippingPoint, whose Zero Day Initiative pays bounties 
to researchers for responsibly disclosing vulnerabilities.

At last year's Pwn2Own contest, conference organizers challenged 
attendees to hack into one of two fully patched MacBookPros to claim the 
machine and a $10,000 bounty from TippingPoint. Security guru Dino Dai 
Zovi, spent less than 12 hours doing just that, crafting a QuickTime 
exploit that allowed him to take complete control of the machine.

CanSecWest's Pwn2Own contests are useful because they allow us to 
isolate the technical strengths and weaknesses of a given platform from 
its popularity. Acrimonious debate has fomented for years about whether 
the high number of real-world Windows exploits - compared to those of OS 
X, Linux and other operating systems - is a natural consequence of 
having a 90-percent chunk of the market or the result of sloppy and 
insecure coding practices at Microsoft.

There's at least some merit to the argument that organized cyber crime 
gangs - just like makers of popular games Half-Life 2 and Crysis - don't 
write for the Mac and Linux because the smaller market shares make it 
impossible to get a return on the investment. The Pwn2Own contest, by 
offering a considerable incentive for exploits of these platforms, helps 
to neutralize the economic variable.

"These computers are REAL and FULLY patched," conference organizer 
Dragos Ruiu wrote in an email announcing the rules. "All third party 
software is widely used. There are no imitation vulnerabilities. Any 
exploit successfully used in this contest would also compromise a 
significant percentage of the internet connected hosts."

The rules for this year's contest include:

    * Limit one laptop per contestant
    * The same vulnerability can't be used against more than one box
    * Attacks will be performed using a cross-over cable (with the 
      attacker controlling the default route) or using radio-frequency 
      by special arrangement.
    * Winning exploits must target a previously unknown vulnerability;  
      vulns that have already been reported to the affected software 
      maker or a third party are not eligible.

Each of the machines will include widely deployed applications, 
including web browsers (Internet Explorer, Safari, Konqueror and 
Firefox), instant messengers (AIM, MSN, Yahoo, Adium, Skype and Pigdin) 
and email clients (Outlook, Mail.app, Thunderbird, kmail, mutt).

El Reg will be attending CanSecWest, which runs from March 26-29. We are 
willing to trade beer for scoops or livers.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Wed Mar 19 2008 - 22:24:19 PST