by Michael Smith (Veshengro)
March 2008 saw the MacBook Air hacked through a Safari browser at the CanSecWest security conference. But before the week ended, Microsoft's Vista Ultimate also fell victim to hackers in the Pwn to Own challenge.
CanSecWest organizers offered a Fujitsu U810 laptop running Vista Ultimate SP1 to any security researcher who could find a way to breach security and gain access to the contents of system files using a previously undisclosed zero-day attack.
At the end of the last day of the three-day hacker challenge, which was sponsored by 3Com's TippingPoint, only the Sony VAIO laptop running Ubuntu (Linux) was left standing.
Shifting Rules
On the first day of the contest, hackers were only allowed to attack the computers over the network, and no one was able to claim a prize. On the second day, the rules changed: contestants were allowed to have the machines visit Web sites and open e-mail messages.
That rule change made it possible for a researcher at Independent Security Evaluators to hack the MacBook Air using the Safari browser within two minutes.
But the Vista and Ubuntu laptops seemingly remained airtight. On the third day of the contest, the judges again broadened the rules, opening up the scope beyond just default installed applications on those laptops to any popular third-party application, such as Adobe's Acrobat Reader, the Firefox browser, and voice-over-IP program Skype.
One of the contestants installed Adobe Flash on the laptops and proceeded to compromise the system. He had some help from a Security Objectives colleague and an independent researcher.
Means Justifies the End
Client-side vulnerabilities like the ones exploited in the hacking contest are an increasingly popular attack vector. It is easy to protect a single server that is guarded by a well-designed fortress of controls, but it is a nightmare to secure thousands of client-side applications under the control of end users who are not computer-security savvy.
© April 2008