<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Hackers to challenge Windows, Mac OS X and Linux next week in Security</title>
<link>http://www.dslreports.com/forum/r20201741</link>
<description></description>
<language>en</language>
<pubDate>Sun, 20 Jul 2008 04:30:17 EDT</pubDate>
<lastBuildDate>Sun, 20 Jul 2008 04:30:17 EDT</lastBuildDate>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20290564</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : It's all well and good that Adobe is going to fix their flaw(s) in Flash; however, that does nothing to address the problem from happening again with another application.  Same goes for Apple fixing their flaw(s) in Safari**; the potential for another application (existing or future) will still be there.  Both of these flaws were merely entry points for the hacks (aka chinks in the armor), which ultimately led to the systems being Powned.  In short, the potential for similar attacks will still be present, so long as no changes are made to the respective OSs.<br><br>The problem with the argument that "It's the applications, stupid" is - it is the OS's (<b>Operating</b> System's) job to control/manage/supervise/allocate the system's resources and to control/manage/supervise the applications running on the system, along with reining in <i>ab-</i>users.  When the OS turns operation of (responsibilities for) the system over to applications <i>(as in allowing an application to elevate privileges or data to be executed as instructions)</i>, it is leaving the system vulnerable to abuse and attacks.  For the OS to do so is a risk given there is no way for the OS to know whether or not the application being run has a coding problem that could open the system up to hacking.  Ultimately the security of the system is the responsibility of the OS <i>(ignoring for the moment the human admin factor and applications designed to assist with security aka firewalls, anti-virus, etc.)</i>.<br><br><i>(** Which now appears to be a flaw with Quicktime's Java handling.)</i><br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20290564</guid>
<pubDate>Sun, 06 Apr 2008 02:27:05 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20288005</link>
<description><![CDATA[<A HREF="/useremail/u/1371265"><b>daveinpoway</b></A> : Here's another write-up on the security problems applications can cause: &raquo;<A HREF="http://weblog.infoworld.com/securityadviser/archives/2008/04/its_the_applica.html" >weblog.infoworld.com/securityadv&middot;&middot;&middot;ica.html</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20288005</guid>
<pubDate>Sat, 05 Apr 2008 14:55:49 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20284267</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : Not only that, but Adobe seems to think the flaw was in Adobe application code, and not in the OS  :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20284267</guid>
<pubDate>Fri, 04 Apr 2008 19:09:06 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20281661</link>
<description><![CDATA[<A HREF="/useremail/u/1371265"><b>daveinpoway</b></A> : It turns out Adobe was aware of the flaw that did in the Vista laptop: &raquo;<A HREF="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9074719&source=NLT_VVR&nlid=37" >www.computerworld.com/action/art&middot;&middot;&middot;&nlid=37</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20281661</guid>
<pubDate>Fri, 04 Apr 2008 11:14:31 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20281021</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I read your reply as saying DEP should always be ON, meaning programs can't turn DEP off at their discretion.  However, based on your experience some programs won't work with DEP turned ON.</div>Or to put it another way, I think that programs should be able to disable DEP, though I don't like it very much.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20281021</guid>
<pubDate>Fri, 04 Apr 2008 08:53:56 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20280269</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>So, in short, we agree on the principle that it would be better if DEP were always on, but recognize that it is not currently achievable.</div>  I read Steve's reply to my question (see below) as saying a program should be able to disable DEP, meaning that DEP is not always ON.  Which means the OS is turning one aspect of security control over to a possibly hackable program.  I read your reply as saying DEP should always be ON, meaning programs can't turn DEP off at their discretion.  However, based on your experience some programs won't work with DEP turned ON.<br><br>This was my question to Steve: <i>"Are you suggesting that programs should be allowed to disable DEP and execute unknown data in system level regions of memory as if the data were known safe instructions?"</i>  <br>Steve's reply: <i>"Yes, as a matter of fact I do, though I don't like it very much. ..."</i><br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20280269</guid>
<pubDate>Fri, 04 Apr 2008 00:50:53 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20280058</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>If by "two" you mean Dave, then you might note that he doesn't agree with you on being able to disable DEP.  Meaning just because you're an expert, doesn't </div>Funny, I thought we agreed.<br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Yes, as a matter of fact I do, though I don't like it very much. There's enough software that simply won't function with DEP turned on that there must be a way to turn it off.</div><div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>As it happens, I'd be broadly in favour of 'all DEP all the time', though as it happens that doesn't actually work at the moment.</div>So we both said that MS must not prevent users from turning off DEP because if they do so, things will break.<br><br>If that were not the case, I would be in favour of having DEP always on.  Meanwhile, Steve doesn't much like programs being able to turn DEP off.<br><br>So, in short, we agree on the principle that it would be better if DEP were always on, but recognize that it is not currently achievable.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20280058</guid>
<pubDate>Thu, 03 Apr 2008 23:57:08 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20280029</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>How many other OSs can make that claim (...)</div>Any OS written by grown-ups. :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20280029</guid>
<pubDate>Thu, 03 Apr 2008 23:47:44 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279870</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>What I'm saying is running some of those old applications isn't really optional for a company regardless of any security issues it might have.  They simply can't afford anything other than the OS having backwards compatibility and that includes being able to disable modern security features if need be to run the legacy software.</div>Understood.  <br>However, is it really justifiable to hold back on implementing security features in a new OS to ensure backward compatibility for one-off-products at the expense of those who are willing to migrate (upgrade) their applications to newer versions that do not require disabling or implementing of new security features? <br> <br>Different way of looking at it: Why can't those who chose to run the non-compatible (older/outdated) applications keep running on their current OS, while others who need new security features move forward?<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279870</guid>
<pubDate>Thu, 03 Apr 2008 23:18:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279805</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Two exceptionally experienced developers are telling you how operating systems and vulnerabilities work, </div> If by "two" you mean Dave, then you might note that he doesn't agree with you on being able to disable DEP.  Meaning just because you're an expert, doesn't necessarily mean you're right.  Ever heard the saying: <i>It doesn't take a musician to know when a song sucks?</i>  Well, some of us may not be musicians but we know from many years of headaches, wasted money, time, and effort; that security is still lacking.  The contest being discussed demonstrated that point quite well.<br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> and my history of pointing the finger accurately at Microsoft when they were responsible ought to speak for itself.</div> How about pointing out several of those occasions, because right now I am drawing a blank on those occasions.<br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>... but you're still on a religious crusade to ignore the evidence and blame the party you don't like. That's unprincipled or ignorant (I'll let you decide).</div><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Unlike those who prefer to bash this or that vendor, I'd prefer to learn from the experience to make the world safer. 
You, not so much.</div>Neither deserves a reply.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279805</guid>
<pubDate>Thu, 03 Apr 2008 23:04:19 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279541</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : <div class="bquote"><small>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>How many of the Unix GUIs are compatible from say something written 15 years ago (ie if I grab some old X11 code I wrote, will it run as is on a current Unix box running the latest OS)?  Will my old X11 code run on an Apple OS X box (wow then I can say I'm an Apple coder :))<br><br>I know some old Java code I wrote will not work as the event model has changed since then (that code is a little older than 10 years maybe).<br><br>Blake</div>I have seen many cases where old Linux code was working just fine on modern distros.  Most problems deal with old code using old libraries.  Depending on the library, getting the old library the code depends on may or may not be easy.<br>Of course OSX has not been around long enough for there to be code that is that old.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279541</guid>
<pubDate>Thu, 03 Apr 2008 22:15:23 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279485</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I believe you missed the context of my reply, which dealt with security issues surrounding backward compatibility of OS having to run old applications.  More to the point old applications that are network/internet capable (as in browsers, e-mail, etc.).  As pointed out there are old applications which do not work with newer OS security thinking/features.  Perfect examples are applications that insist on being installed & run with admin (root) privileges.</div>What I'm saying is running some of those old applications isn't really optional for a company regardless of any security issues it might have.  They simply can't afford anything other than the OS having backwards compatibility and that includes being able to disable modern security features if need be to run the legacy software.  
Certainly they will invest in mitigating what risk they can by whatever means possible but often the legacy software itself remains as is.<br><br>In today's dollars it would easily cost over a hundred million to replace that pipeline system and even after spending the money it's not guaranteed to work (building software is actually a risky business) and it's not like they can just rewrite sections of the application whenever they feel like it as our research team that built it was a leading edge team (I was the only one who didn't have a PhD) and now they are panicked anyways as the last member of the team has retired and everyone else left over the years.<br><br>Blake<br>I worked in a research group where a couple of the guys had multiple PhDs, so the question was do you call them Dr Dr Jones or is one Dr sufficient?<br><small>--<br>Vendor: Author of <A HREF="http://www.linklogger.com">Link Logger</a> which is a traffic analysis and firewall logging tool</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279485</guid>
<pubDate>Thu, 03 Apr 2008 22:06:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279371</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : How many of the Unix GUIs are compatible from say something written 15 years ago (ie if I grab some old X11 code I wrote, will it run as is on a current Unix box running the latest OS)?  Will my old X11 code run on an Apple OS X box (wow then I can say I'm an Apple coder :))<br><br>I know some old Java code I wrote will not work as the event model has changed since then (that code is a little older than 10 years maybe).<br><br>Blake<br><small>--<br>Vendor: Author of <A HREF="http://www.linklogger.com">Link Logger</a> which is a traffic analysis and firewall logging tool</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279371</guid>
<pubDate>Thu, 03 Apr 2008 21:46:12 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279119</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Microsoft is amazing as I can take apps that I wrote almost 20 years ago and run them on Vista ... How many other OSs can make that claim ...</div> Ehhh, Unix.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279119</guid>
<pubDate>Thu, 03 Apr 2008 21:09:42 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279108</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Still trying to twist the outcome of the contest (aka finger pointing)? :huh: </div> Two exceptionally experienced developers are telling you how operating systems and vulnerabilities work, but you're still on a religious crusade to ignore the evidence and blame the party you don't like. That's unprincipled or ignorant (I'll let you decide).<br><br>I have <b>no agenda</b> on who gets the blame for any given thing - Apple, Adobe, Microsoft, Ubuntu, even me if I'm somehow the guy - and my history of pointing the finger accurately at Microsoft when they were responsible ought to speak for itself.<br><br>But <b>the details matter</b> when deciding who's culpable, because this is the same process that one goes through to stop it from happening again. Unlike those who prefer to bash this or that vendor, I'd prefer to learn from the experience to make the world safer. You, not so much.<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279108</guid>
<pubDate>Thu, 03 Apr 2008 21:07:51 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20279087</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Who cares about those, every application I've built over the last 20 years is still running.  For example one of the largest natural gas pipeline companies in the world is still using the simulation system I designed and built almost 15 to operate and design their system.</div>I believe you missed the context of my reply, which dealt with security issues surrounding backward compatibility of OS having to run old applications.  More to the point old applications that are network/internet capable (as in browsers, e-mail, etc.).  As pointed out there are old applications which do not work with newer OS security thinking/features.  Perfect examples are applications that insist on being installed & run with admin (root) privileges.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20279087</guid>
<pubDate>Thu, 03 Apr 2008 21:05:34 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20278814</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Reality Check...<br>Windows 98, Windows 98se, Windows ME, Windows 2000, Windows XP, Windows Vista Cheetah/Puma, Jaguar, Panther, Tiger, Leopard</div>Who cares about those, every application I've built over the last 20 years is still running.  For example one of the largest natural gas pipeline companies in the world is still using the simulation system I designed and built almost 15 to operate and design their system.  The cost of that one system is way more than they will likely spend in thirty years on desktop OSs.  In fact that one system is pretty well their whole company as it does forecasting, planning, operations, design and more.  Other companies keep some older hardware/OS around to run some of the well test analysis software that I wrote almost 20 years ago as they can't find anything newer that is better (and in some cases it's the only software that can do what it does). So for the corporate world apps like OSs, utilities are just supporting tools and upgrading those is relatively trivial, it's the 'one of's' that define their product/company/processes that matter and those are more often than not what drive backwards compatibility requirements.<br><br>Microsoft is amazing as I can take apps that I wrote almost 20 years ago and run them on Vista, GUI and all (before 20 years ago I was a Unix dude, but made the jump when I saw how much better Windows handled devices than Unix from an applications developer perspective).  
How many other OSs can make that claim and that does mean something of value to corporations and users (might drive security guys nuts, but consumers are not called consumers for nothing and frankly they are the reality that drives this industry otherwise we would all be using Multics :)).<br><br>Blake<br><small>--<br>Vendor: Author of <A HREF="http://www.linklogger.com">Link Logger</a> which is a traffic analysis and firewall logging tool</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20278814</guid>
<pubDate>Thu, 03 Apr 2008 20:19:29 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20277570</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>And let's also forget that <b>technical details matter</b>, and that one should assess blame only where there is actual culpability.</div>Still trying to twist the outcome of the contest (aka finger pointing)? :huh:<br><br>How about "Security by Smoke & Mirrors"  :p<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20277570</guid>
<pubDate>Thu, 03 Apr 2008 16:48:47 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20277500</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Backward compatibility does not circumvent security features - </div>It does if the OS has to disable some security features so the outdated software will run.<br><br><div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>turning off DEP is not a vulnerability in itself. </div>Unless it's needed and it ain't on. ;)<br><br><div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>5 to 10 years is pretty short in the lifetime of software, by the way. </div>Reality Check...<br>Windows 98, Windows 98se, Windows ME, Windows 2000, Windows XP, Windows Vista<br>Cheetah/Puma, Jaguar, Panther, Tiger, Leopard<br><br><div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>You ( astirusty See Profile) think that if DEP could not be disabled, apps would leap to fix themselves. </div>Based on past new OS releases (and even some updates) from both MS & Apple breaking 3rd party apps and even requiring firmware/hardware updates -- I sure do because that is what often happens.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20277500</guid>
<pubDate>Thu, 03 Apr 2008 16:36:37 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20276655</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : And who's letting anyone off the hook?<br><br>I think that 3rd party vendors that have security holes should fix them pronto.<br><br>I think that OS vendors that have security holes should fix them pronto.<br><br>I think that it's necessary to first know whether you're dealing with an OS or app security hole.<br><br>And I also think that anyone with code that, intentionally or otherwise, requires DEP to be turned off, should be fixing that code pronto.  (If 'intentional', then the fix is to mark the appropriate pages as executable).<br><br>I think the only point of disagreement is whether the OS vendor can force app code to instantly obey sound practice, by breaking the  app code.   You ( astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>) think that if DEP could not be disabled, apps would leap to fix themselves. I think that if DEP could not be disabled, then OS sales would suffer, everyone would still be running the previous version of the OS (without DEP at all, or with DEP disabled), and we'd be <b>less</b> secure because of it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20276655</guid>
<pubDate>Thu, 03 Apr 2008 13:56:30 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20276503</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I give up. :huh:  It's clear that any reason to let OS and 3rd party vendors off the hook for repeated security failures is going to continue unabated.</div>And let's also forget that <b>technical details matter</b>, and that one should assess blame only where there is actual culpability.<br><br>"Security by pompous pronouncement" - I like it :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20276503</guid>
<pubDate>Thu, 03 Apr 2008 13:30:31 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20276495</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : Backward compatibility does not circumvent security features - turning off DEP is not a vulnerability in itself.  Bugs in user code circumvent security features - buffer overflow is the vulnerability.  Buffer overflow prevention is entirely under the control of the application writer.<br><br>5 to 10 years is pretty short in the lifetime of software, by the way.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20276495</guid>
<pubDate>Thu, 03 Apr 2008 13:29:32 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20276455</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : I give up. :huh:  It's clear that any reason to let OS and 3rd party vendors off the hook for repeated security failures is going to continue unabated.<br><br>As such:<br>-- let's just forget security features/capabilities like DEP, limiting user's privileges, any kind of vetting of software (legit vs. fake), checking software for bugs (buffer overflows), installing software with minimal privileges vs. admin/root privileges, maintain backward compatibility with software that is 5-10 years old, etc.   :(<br><br>-- let's just ignore the fact, open-source software fared better than commercial software and there might be a financial reason as to why. :(<br><br>-- let's just quit pretending that security is a serious issue (aka medical records, financial information, personal information, etc.) even an issue of national security (aka government/military information and infrastructure control/support).   :(<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20276455</guid>
<pubDate>Thu, 03 Apr 2008 13:23:02 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20276352</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Breaking backward compatibility with an unknown number of applications written by paying customers is the surest way to kill an operating system.</div>And continuing backward compatibility that circumvents security feature(s) is a good thing for an OS?  Especially an OS that is prevalent to hacking due to market share and it being used by non-experts (common lay person)?<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20276352</guid>
<pubDate>Thu, 03 Apr 2008 13:02:19 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275875</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  matunga <A HREF="/useremail/u/847301"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Are you sure?  :) </div> Yes, I know that, sorry for not using the subjunctive case:<div class="bquote"><small>said by me :</small><br><br>and were Vista to disallow turning off DEP</div><br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275875</guid>
<pubDate>Thu, 03 Apr 2008 11:27:38 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275840</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : He said <b>IF you could not</b> disable DEP... he knows that you <b>CAN</b> disable DEP.   <br><br>He also knows that you can set DEP to be on for everything, no exceptions.  But that's the customer's choice, not Microsoft's.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275840</guid>
<pubDate>Thu, 03 Apr 2008 11:20:51 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275825</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Of course, MS might have chosen not to force the issue, since doing so would have impacted revenue (Vista sales).</div>Breaking backward compatibility with an unknown number of applications written by paying customers is the surest way to kill an operating system.<br><br>You write as if only software companies write software.  This isn't true -- people that pay money to MS also write software, and there is no list of what software exists.<br><br>The situation is somewhat different to software that dicks around with kernel data structures; that is an esoteric pastime, and you can assume the number of affected software writers is rather smaller.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275825</guid>
<pubDate>Thu, 03 Apr 2008 11:18:06 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275787</link>
<description><![CDATA[<A HREF="/useremail/u/847301"><b>matunga</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</small><br><br>The line-of-biz software mainly runs on Server 2003 (where we can turn off DEP), but there's a remote module used by the customer's customers - it's payroll software - and if Vista does not allow DEP to be turned off</div> <br>Are you sure?  :)<br><IMG SRC="http://img150.imageshack.us/img150/5314/depeu6.jpg"> ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275787</guid>
<pubDate>Thu, 03 Apr 2008 11:09:55 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275515</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote">Sorry to disagree, but I feel this kind of thinking is what is causing security problems.</div> You're suggesting that Microsoft should make security policy for everybody, and I'm not sure they should be doing this.<br><br>The line-of-biz software mainly runs on Server 2003 (where we can turn off DEP), but there's a remote module used by the customer's customers - it's payroll software - and if Vista does not allow DEP to be turned off, then Microsoft is telling a lot of people that <u>their customers</u> can't run Vista either.<br><br>So far the best reason not to run Vista is Vista itself, but I don't think they are well served by adding more reasons not to.<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275515</guid>
<pubDate>Thu, 03 Apr 2008 10:24:27 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275461</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Yes, as a matter of fact I do, though I don't like it very much. There's enough software that simply won't function with DEP turned on that there <b>must</b> be a way to turn it off.</div>Sorry to disagree, but I feel this kind of thinking is what is causing security problems.  If 3rd-party vendors wanted their applications to run on MS's newest OS (Vista) in which DEP could not be disabled, then they should have been forced to recode their programs to work with DEP on or languish away (sort of like MS's stance on low-level access by Symantec's security products).<br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I support some line-of-biz software that has some old components that will fail with DEP turned on, and there is nothing we can do but to turn it off. The vendor is working on it, and we understand that they're replacing the whole core that has the bad stuff, and some future release may allow us to turn it all back on.<br></div>Tough nuggies.  The solution should have been for those stuck with that kind of software - not to upgrade to Vista (assuming DEP was forced/locked on).  What you're really saying is the majority of users should be forced to languish because some 3rd-parties failed to recode their products to work properly with DEP.  Of course, MS might have chosen not to force the issue, since doing so would have impacted revenue (Vista sales).<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275461</guid>
<pubDate>Thu, 03 Apr 2008 10:12:42 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275177</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : The only similar phrase I found there was this:<br><br><i>system-level memory protection feature</i><br><br>It means "system-level feature" for "memory protection". That is to say, the feature is built into the system (infer "kernel") rather than some of the other related anti-hacking features that are handled by compilers.<br><br>But I can see how it can be misconstrued, in which case I apologize for the unduly harsh tone of my previous posting.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275177</guid>
<pubDate>Thu, 03 Apr 2008 09:12:19 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275145</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>What is a 'system level region of memory' ?</div><div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>But let's not make up words like 'system level region of memory' that sound good but don't mean anything.</div>The wording is a pretty concise version of MS's longer description of what memory areas DEP is used to protect.<br>See: &raquo;<A HREF="http://msdn2.microsoft.com/en-us/library/aa366553.aspx" >msdn2.microsoft.com/en-us/librar&middot;&middot;&middot;553.aspx</A><br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275145</guid>
<pubDate>Thu, 03 Apr 2008 09:06:40 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20275012</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</small><br><br>Are you suggesting that programs should be allowed to disable DEP and execute unknown data in system level regions of memory as if the data were known safe instructions?</div>What is a 'system level region of memory' ?<br><br>There's VM owned by kernel mode and there's VM owned by user mode. We're talking about allowing user mode code to do things in user mode VM.<br><br>As it happens, I'd be broadly in favour of 'all DEP all the time', though as it happens that doesn't actually work at the moment (I tried enabling DEP for everything, well except for the tedious 'known unpackers' exception, no pun unintended -- and note that you can do the same, if you want your system to be more secure).<br><br>But let's not make up words like 'system level region of memory' that sound good but don't mean anything. The stacks and the heaps are in the process address space, owned by user mode, and they are controlled by user mode code executing in that address space.<br><br>There are also no 'known safe instructions' in user mode, as far as the kernel is concerned.  With DEP, there are 'pages declared to contain instructions' and 'pages not declared to contain instructions'.  No comment is made on safety.<br><br> ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20275012</guid>
<pubDate>Thu, 03 Apr 2008 08:35:50 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20274968</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Are you suggesting that programs should be allowed to disable DEP and execute unknown data in system level regions of memory as if the data were known safe instructions? </div> Yes, as a matter of fact I do, though I don't like it very much. There's enough software that simply won't function with DEP turned on that there <b>must</b> be a way to turn it off.<br><br>I support some line-of-biz software that has some old components that will fail with DEP turned on, and there is nothing we can do but to turn it off. The vendor is working on it, and we understand that they're replacing the whole core that has the bad stuff, and some future release may allow us to turn it all back on.<br><br>Windows cannot just decide that DEP is on all the time for everybody even though we wish they could, though I don't know what circumstances led to it being disabled here. Doesn't that require running as admin?<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20274968</guid>
<pubDate>Thu, 03 Apr 2008 08:23:58 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20274853</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : <div class="bquote"><small>said by pclos user :</small><br><br>Would you really find some thing useful in this setting if Ubuntu had been hacked?</div>Yes, a security hole would have been discovered and subsequently patched.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20274853</guid>
<pubDate>Thu, 03 Apr 2008 07:42:00 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20274678</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : If I was going to whack a machine (not that I've ever done that sort of thing before), I wouldn't start by trying to whack the OS, I'd start by looking at what 'third party' type apps are running on it.  Couple of reasons for this, first my goal is to execute some of my code on the system (ie how I own it) and so given the 'third party' app is already doing that (ie it's running on the system I want to own), if I can get that app to run my code then I win.  Browser attacks are the same thing, you go to a site, you download a file and your browser executes it, so think about it, if I can exploit something in the browser then it's like building a trojan horse where they drive across town and pick it up for me and then take it into their fortification etc and I win but they did most of the grunt work.  In short there are a couple of issues to deal with when owning a system.  First you have to deliver your package, second you have to execute the package, third harvest the reward.  So a browser based attack does steps one and two for you (ditto for a Flash based attack really as it's meant to go somewhere, get a file and execute it).  The challenge is will the application have the permissions required to do what I want done (own the system usually requires some sort of admin privileges but sometimes you might want to just 'borrow' the machine).  Now perhaps it's a server I want, now it's typically not going to go out and get then execute a file as it's waiting for commands or files to be delivered to it to act upon, but again this is the key to the first door in that there is an application which responds to external stimulus which I the hacker can provide (ie I visit the web page and do a SQL injection attack).  
<br><br>In all these cases the OS was doing what it was supposed to do, which was run the given program, but being the hacker, I changed that up slightly and the slightly is important as you can't change the application so much that it won't run, but only change it enough to do what you need it to do.  Now the adventure for security here is to determine if code being run is 'good' or 'evil' code which sort of smacks of the halting problem.  Now ultimately this is why third party developers have got to get into the game as I'd bet 99.99% of them are only writing their code to 'work' which is very different to building code which can't be broken.  The OS vendors are starting to get this, but as I said most non-OS coders are not.<br><br>Now OS developers are starting to understand that there are way too many third party coders who simply suck and couldn't write good code no matter what and the only way to do something about them is to code defenses in the OS, but this is difficult to do as one coder's requirement can be another coder's exploit.  For an example of this consider the issue that Microsoft ran into with the AV vendors as they wanted to plug a potential security issue that some AV vendors used.  <br><br>Feature is often another word for exploit.  Consider HTML/the web, it has gone so far beyond what the original inventor envisioned as people really demanded certain features and functionality.  This has a twofold effect, first complexity is a multiplier for errors/exploits, and second creative black hat thinking often finds 'innovative' ways to use and extend existing functionality for 'alternative' purposes (phishing would be an easy example of this).<br><br>Now I believe that at least one of these hackers said that his exploit would have worked on any platform, which really validates what I've said above, just give me something that is going to run on my intended target and let me tweak it to additionally run my code.  
Certainly you might have to add a 'feature' or two as the Vista hacker had to in order to steer around various OS defenses, but I tend to believe him in that the exploit could very well be cross platform as once you have your code running on your target then you are pretty well the winner.<br><br>Now as for non OS developers do they really understand threat models, privilege elevations, buffer overflows, etc, I'd have to say not likely and so they will continue to build working code that can be exploited until they get the training, the tools, the testers, the time, the management approval, etc to do otherwise, not likely on a global scale where quality IT people are a rare commodity and the goal is to deliver the functionality that makes the bucks and not much else.<br><br>We have left the age where the OS on its own was exploitable, but now we have entered the age of the exploitable app, and I often wonder if there is a way out of this or if this is where we will remain until the device itself goes away (and I'm not talking about a thin OS here).<br><br>One thing I'd like to see is a new OS that doesn't have backward compatibility issues, ie it doesn't have to support flawed applications or whacked standards.  Which could clearly define a rigid set of rules (both in terms of what's in and more importantly what's OUT of scope) in how an application can interact with the OS/hardware etc.  I think it would be a very secure OS, but then I think we would also find it of limited use to end users, which really indicates that security isn't black and white, it's a definite gray and is more a matter of risk management than being secure or insecure.  
So again I think the next step is to get third party coders to up their security game, not to say that OS coders shouldn't continue to up their game, I just think that third party coders are way too far behind and way too easy for hackers to sneak their code in.<br><br>Blake<br><small>--<br>Vendor: Author of <A HREF="http://www.linklogger.com">Link Logger</a> which is a traffic analysis and firewall logging tool</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20274678</guid>
<pubDate>Thu, 03 Apr 2008 05:38:16 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20274378</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Do you suggest that DEP not be allowed to be disabled?</div>Are you suggesting that programs should be allowed to disable DEP and execute unknown data in system level regions of memory as if the data were known safe instructions?<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20274378</guid>
<pubDate>Thu, 03 Apr 2008 02:09:46 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20274360</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Vampirefo <A HREF="/useremail/u/260736"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>... that way we all come away from the challenge gaining something.</div> Doubtful.  The defenders of MS/Vista & Apple/OS-X have already succeeded in spreading doubt.  Unfortunately for end-users, the status quo of marketing hype and half-@55 security (fix-post-hack) will continue.<br> EGeezer <A HREF="/useremail/u/668609"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> nailed it with this:  <div class="bquote"><i>In short, lots of finger pointing will ensue from projects like these and little will get resolved except as band-aid fixes. The Neros will continue to fiddle while Rome continues to burn. </i></div><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20274360</guid>
<pubDate>Thu, 03 Apr 2008 01:58:02 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273591</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : @Vampireifo:<br>While in principle I agree with your position re "full" test, the whole thing was a bit of a stunt, wasn't it?<br><br>Would you really find some thing useful in this setting if Ubuntu had been hacked?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273591</guid>
<pubDate>Wed, 02 Apr 2008 23:02:27 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273462</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : Even though I am a Linux user, I wish now they would have left the challenge open until Linux was hacked.<br><br>You Mac and Windows users may have lost the challenge, but gained, while we Linux users won the challenge but gained nothing.<br><br>Your guys' holes have been found and will be repaired; ours was not discovered, so might not get repaired.<br><br>Next year, all 3 machines need to stay up until they are cracked, broken, brought down, whatever the term is. That way we all come away from the challenge gaining something.<br><small>--<br>Best Regards, Vampirefo</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273462</guid>
<pubDate>Wed, 02 Apr 2008 22:38:02 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273267</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Well actually not.  Vista was hacked because it allowed DEP to be disabled via Adobe </div>Source, please?<br><br>Do you suggest that DEP not be allowed to be disabled?<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273267</guid>
<pubDate>Wed, 02 Apr 2008 22:06:41 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273162</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Longboard <A HREF="/useremail/u/1188503"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>what a turkey: &raquo;<A HREF="http://www.theregister.co.uk/2008/04/02/ebay_pulls_hacked_laptop/" >www.theregister.co.uk/2008/04/02&middot;&middot;&middot;_laptop/</A><br> </div> <blockquote><small>quote:</small><hr><i>... Windows Vista laptop that was successfully compromised at last week's Pwn2Own hacking contest was removed after the online auctioneer said it violated terms that <b>forbid sales of items that might do harm.</b></i><hr></blockquote><br>Now that is funny...   :D :D<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273162</guid>
<pubDate>Wed, 02 Apr 2008 21:48:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273120</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I'd go with "remote privilege escalation".<br> </div>Okie dokie.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273120</guid>
<pubDate>Wed, 02 Apr 2008 21:43:57 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273108</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Maxo <A HREF="/useremail/u/715380"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> There is no reason to use this contest as a way to come to a conclusion about which OS is more secure.</div>Agreed.  <br>Other, than you might come to the reverse conclusion.  Neither OS is all that secure.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273108</guid>
<pubDate>Wed, 02 Apr 2008 21:42:42 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20273088</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  daveinpoway <A HREF="/useremail/u/1371265"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Actually, as shown by the results from the first day, all 3 OS's stood up to remote attacks over the Internet; Mac OS X and Vista were later brought down not by problems in the OS itself, but by bundled applications.<br></div>Well actually not.  Vista was hacked because it allowed DEP to be disabled via Adobe and OS-X was hacked because it allowed a port to be opened for telnet access via Safari.<br>Further, both hacks were done via simulated internet (cross-over cables) so both OS were brought down by remote attacks.<br><br>Both vendors should be embarrassed and disgraced by these hacks.  Apple for all their Bull Sh!t bragging of their security being superior to MS.  MS for all its flounders via SDLC, rings, Intel CPU hardware protection, and their hyping of Vista.  MS is very lucky** that they sort-of got the exploit hole patched via Vista SP1 release or they might have been the first to fall.<br>Further embarrassment to both companies is that Ubuntu distro of Linux done without billions of dollars in backing stood up completely.<br><br><i>**On the "lucky" part, anybody consider whether MS might not have gotten some under-the-table heads-up as to the exploit; given the sort-of fix and the timing of the fix's release?</i><br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20273088</guid>
<pubDate>Wed, 02 Apr 2008 21:40:43 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20270106</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>At some point you have to decide that you're going to lay blame properly.</div>In fact, a proper security response <u>demands</u> that you fix the thing that's broken, rather than 'fixing' some other component that architecturally can't be made responsible in the first place.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20270106</guid>
<pubDate>Wed, 02 Apr 2008 12:36:52 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20270011</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : <div class="bquote"><small>said by  daveinpoway <A HREF="/useremail/u/1371265"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Actually, as shown by the results from the first day, all 3 OS's stood up to remote attacks over the Internet; Mac OS X and Vista were later brought down not by problems in the OS itself, but by bundled applications.</div>Exactly.  There is no reason to use this contest as a way to come to a conclusion about which OS is more secure.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20270011</guid>
<pubDate>Wed, 02 Apr 2008 12:19:43 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20269657</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  La Luna <A HREF="/useremail/u/429050"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>No OS is immune under the right circumstances. Better?  </div>Not at all - the OS didn't do anything wrong and was likely powerless (even in theory) to stop the infection. At some point you have to decide that you're going to lay blame properly.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20269657</guid>
<pubDate>Wed, 02 Apr 2008 11:20:29 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20269441</link>
<description><![CDATA[<A HREF="/useremail/u/1188503"><b>Longboard</b></A> : what a turkey: &raquo;<A HREF="http://www.theregister.co.uk/2008/04/02/ebay_pulls_hacked_laptop/" >www.theregister.co.uk/2008/04/02&middot;&middot;&middot;_laptop/</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20269441</guid>
<pubDate>Wed, 02 Apr 2008 10:43:02 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20269362</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  La Luna <A HREF="/useremail/u/429050"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br>So basically, he's saying no OS is foolproof. Imagine that.  </div><b>Flash is a third-party program</b> - it's not exploiting the OS.<br> </div>I understand that. <br><br>No OS is immune under the right circumstances. Better? <br><small>--<br><b><A HREF="http://www.thereligionofpeace.com/">10,830 DEADLY TERROR ATTACKS SINCE 9/11</a></b>~~<b><A HREF="/forum/disco">TEAM DISCOVERY</a></b><br><i>Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore</i><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20269362</guid>
<pubDate>Wed, 02 Apr 2008 10:32:13 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20268586</link>
<description><![CDATA[<A HREF="/useremail/u/1371265"><b>daveinpoway</b></A> : Actually, as shown by the results from the first day, all 3 OS's stood up to remote attacks over the Internet; Mac OS X and Vista were later brought down not by problems in the OS itself, but by bundled applications.<br><br>Unfortunately, as OS security has gotten better over time, the bad guys are concentrating more on breaking in via applications (such as web browsers), so issues like this may well get worse before they get better.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20268586</guid>
<pubDate>Wed, 02 Apr 2008 05:57:10 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20268575</link>
<description><![CDATA[<A HREF="/useremail/u/1371265"><b>daveinpoway</b></A> : Well, I don't feel that Safari "sucks", but I did feel that it might be better to use a less-common browser. My alternate choice (Camino) may well not be any more secure than Safari, but having less folks jiggling the doorknob does count for something.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20268575</guid>
<pubDate>Wed, 02 Apr 2008 05:50:23 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20265136</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : I'd go with "remote privilege escalation".]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20265136</guid>
<pubDate>Tue, 01 Apr 2008 16:15:06 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20264703</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Overall, it would be great if the users themselves held both MS's & Apple's feet to the fire over these kinds of security holes/bugs AND the fanboys/fanatics of each OS quit trying to defend and/or make excuses for their OSs security holes/bugs.  The only people who benefit from the ongoing security holes/bugs is the black-hats who profit from their exploits.</div>I agree with you on this.  These companies need to take security more seriously.  Security and stability should come first, but because these aren't "sexy" they often take a back seat.<br>Fanboys also need to stop being so quick to defend or offend.  This contest really doesn't belong in any intelligent argument about which OS is or isn't the most secure.  The only thing one can gather from this is that they are all hackable with minimal effort from those that have enough knowledge.  Given more attention, the Ubuntu box would have been pwned without much more effort.<br>The only difference is that the Ubuntu exploit would have been filed in the public database, just like all other bugs, and its resolution would have been quick.  There would be no PR crap.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20264703</guid>
<pubDate>Tue, 01 Apr 2008 15:17:14 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20264050</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : Overall, it would be great if the users themselves held both MS's & Apple's feet to the fire over these kinds of security holes/bugs AND the fanboys/fanatics of each OS quit trying to defend and/or make excuses for their OSs security holes/bugs.  The only people who benefit from the ongoing security holes/bugs is the black-hats who profit from their exploits.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20264050</guid>
<pubDate>Tue, 01 Apr 2008 13:43:54 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20263796</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I'm with Steve - 'remote execution of code' means that the attacker can remotely cause code (of his choice) to be executed ...</div>Okay.<br><br>What then would be the best terminology to use to describe what ultimately the hackers did on the machines to demonstrate they "owned" them?  As in the hackers could remotely run code on the systems with (or effectively with) escalated privileges ?<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20263796</guid>
<pubDate>Tue, 01 Apr 2008 13:13:09 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20263183</link>
<description><![CDATA[<A HREF="/useremail/u/157889"><b>RadioDoc</b></A> : Well, I agree Safari sucks. I don't use it on my Macs either if I can help it.  The point I was making is that it is installed and enabled and in fact is one of the first programs run when setting up a new Mac.  Except for 'uber leet' Macaddicts who don't stick with the retail experience, which I have to think is a minuscule number, "every user" is almost all OS-X 10.x Mac users at one point or another.<br><small>--<br>Toolmaster of La Grange.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20263183</guid>
<pubDate>Tue, 01 Apr 2008 11:25:19 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20262427</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : I'm with Steve - 'remote execution of code' means that the attacker can remotely cause code (of his choice) to be executed, and that's all.<br><br>Which is to say, the words mean what they say and no more.<br><br>It is of course extremely interesting what the attacker can then do with his remote code execution, but that's not part of the basic understanding.<br><br>If you look around for vulnerabilities that 'permit remote code execution', I think you'll find that they adhere to the definition I gave.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20262427</guid>
<pubDate>Tue, 01 Apr 2008 08:35:36 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20262142</link>
<description><![CDATA[<A HREF="/useremail/u/1371265"><b>daveinpoway</b></A> : Regarding your second paragraph, it turns out that "every user is" NOT "subject to it"- only those users who don't decide to use a browser other than Safari (there are several choices). In my case, as soon as the iPhone (which uses Safari) came out, I became concerned that Safari would receive too much hacker attention, so I dropped it and changed to something else on my Mac. Haven't regretted the decision at all. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20262142</guid>
<pubDate>Tue, 01 Apr 2008 06:11:40 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261702</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><small>I predict we're going to both decry sloppy language here</small></div>Agreed.  <br>My use of 'remote execution of code' or 'remote code execution' is that a black-hat has taken control of a system and can arbitrarily execute instructions on the system at his/her will (as in Powned).  The system is fully compromised and not simply running a malicious program which is limited to what damage it can do by the OS, and the user privileges it is running under.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261702</guid>
<pubDate>Tue, 01 Apr 2008 01:21:48 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261672</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  EGeezer <A HREF="/useremail/u/668609"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I'm beginning to see the argument of the future coming to fruition; <br>...<br>In short, lots of finger pointing will ensue from projects like these and little will get resolved except as band-aid fixes. </div>It has long since come to fruition.  MS & its fanboys started using the finger-pointing a long time ago when Windows failed to protect against IE exploits.  Never mind that it was MS's own product (aka similar to Apple's recent failure with Safari).<br><br>The difference with Apple & its fanatics is they are in arrogant denial, when it comes to problems.  Rarely does Apple acknowledge a problem with its products.  And Mac-fanatics are all too willing to venomously protect Apple.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261672</guid>
<pubDate>Tue, 01 Apr 2008 01:11:26 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261571</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Okay, that is a different definition.<br> </div>Which one do you use?<br><br><small>I predict we're going to both decry sloppy language here</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261571</guid>
<pubDate>Tue, 01 Apr 2008 00:42:02 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261568</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>The term "remote code execution" refers to a circumstance where a trusted application - Safari, Flash, Acrobat, Word, WoW, whatever - incorrectly treats <b>foreign data</b> as <b>code</b>, and hands that code to the CPU.</div>Okay, that is a different definition.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261568</guid>
<pubDate>Tue, 01 Apr 2008 00:41:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261558</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Um, you do know the difference between merely an application that executes what it was programmed to do vs. a hack that allows a black-hat to remotely execute instructions at will? </div>I'm pretty sure I do.<br><br>If the Flash application allows the bad guy to get his own bytes - of any kind - inserted into the CPU instruction scheme, that's the point where it's remote execution: it doesn't matter whether those bytes are removing all your My Documents, sending spam, or doing something else.<br><br>And if they manage privilege execution, then <b>both</b> the OS and the app get blamed: the app for allowing the remote execute, and the OS for allowing the remote execute to escalate.<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261558</guid>
<pubDate>Tue, 01 Apr 2008 00:38:00 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261545</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Um, you realize that sending spam involves code execution, and it's Flash that's allowing it, right?</div>Um, you do know the difference between merely an application that executes what it was programmed to do vs. a hack that allows a black-hat to remotely execute instructions at will?<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261545</guid>
<pubDate>Tue, 01 Apr 2008 00:33:34 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261433</link>
<description><![CDATA[<A HREF="/useremail/u/700992"><b>Trel</b></A> : <div class="bquote"><small>said by  EGeezer <A HREF="/useremail/u/668609"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>In short, lots of finger pointing will ensue from projects like these and little will get resolved except as band-aid fixes. The Neros will continue to fiddle while Rome continues to burn.  <br> </div>Actually <IMG SRC="http://www.nero.com/img/box-n8-140x196-enu.jpg"> burns quite nicely :p<br><small>--<br>/chown -R us:us /yourbase</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261433</guid>
<pubDate>Tue, 01 Apr 2008 00:02:16 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20261134</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : Dave & Steve: Thanks for the great explanations!  I've read entire chapters of published books on buffer overflows and your posts have cleared things up for me that I never understood.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20261134</guid>
<pubDate>Mon, 31 Mar 2008 23:03:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260993</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  SnowyOne <A HREF="/useremail/u/795407"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> but if it involved an escalation of privileges would any of that fall on the OS? </div>Almost certainly. If the flash player is executed as a mere user, and the exploit code is able to parlay that into (say) admin-level access, that's probably the OS's fault.<br><br>(You can imagine exceptions, say for example if the exploit asks the user to type in the admin password and he does so.)<br><br>Actually, it need not be the actual OS's fault.  Suppose dave's software emporium supplies a badly-conceived kernel driver that idiotically provides an unchecked API to all comers, which allows just anyone to set privs on a random account.  Suppose this code happens to be running on some system. Now suppose the Flash exploit ended up calling that API and thus gets privs it should not have.  The privilege escalation is the fault of dave's software emporium, not the OS.<br><br>So I guess we'd say that the code that actually punches the hole in the privilege barrier is at fault.  The OS can't protect against privileged code giving away its privileges to the wrong people (except by denying the possibility of having any privileged code not of the OS).<br><br>But although there are exceptions, I imagine that in the cases you'll actually see, it's the OS.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260993</guid>
<pubDate>Mon, 31 Mar 2008 22:39:27 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260952</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  SnowyOne <A HREF="/useremail/u/795407"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>if it involved an escalation of privileges would any of that fall on the OS? </div>Almost certainly - that's the OS guarding that door.<br><br>But it does not require priv escalation to really mess up a system.<br><br><b>Edit to everybody in general</b> - but not all priv escalation is the fault of the OS. If the application has its own escalated component and a desktop component can exploit the escalated component, it may not be the OS either.<br><br>&lt;Completely made-up example&gt;<br>To make up an example: iTunes has a user app and an associated service, and I assume they talk to each other somehow. It is not inconceivable that a malformed music download could provoke the user app to get the service to do something it shouldn't.<br>&lt;Made-up example&gt;<br><br>If this happens, it's the fault of the bits that allowed the bad stuff, not the OS. When assessing blame, it's not good enough to pick on the parties you don't like: <b>the details matter</b>. But in practice, priv escalation is <u>almost always</u> the fault of the OS...<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260952</guid>
<pubDate>Mon, 31 Mar 2008 22:31:26 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260756</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : <div class="bquote"><small>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>What is a 'rogue' download and how is it to be distinguished from a requested download?<br><br> </div>That was a direct reference & response to<br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Example: if the Flash plugin were exploited to allow the bad guy to drive-by install a .EXE in the user's temporary directory, and mark it as run-on-login, and this badware started sending out spam - how could Microsoft prevent this?<br></div>I'm not sure of specifics of  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s flash example but if it involved an escalation of privileges would any of that fall on the OS?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260756</guid>
<pubDate>Mon, 31 Mar 2008 21:54:47 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260637</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><small>said by  SnowyOne <A HREF="/useremail/u/795407"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br>it's the <i>allowing</i> the rogue download to occur in the first place that has me believing the OS has to take some responsibility for the hack.</div>What is a 'rogue' download and how is it to be distinguished from a requested download?<br><br>Ultimately, all you've got is data coming over a wire.  And legitimate applications expect to be able to transfer data over a wire; an OS that prevents that is worthless.<br><br>What does the app do with that data?  Well, if it's stupid and easily misled, it tries to put a gallon of data in a pint-sized buffer. That's not the OS's fault. <br><br>If it's really stupid, the app will then try and execute the 7 pints of data that slopped over the edge. The OS can try and help prevent that (no-execute stacks, stack frame randomization, etc.) but ultimately, if the app wants to load code into memory and execute it, then the app must be able to do so.  (Otherwise we'd never have language interpreters).<br><br>It's the application that's at fault.<br><br>It's not clear to me whether this one was buffer overflow or not, but regardless, the principle is the same: this is data transfer <u>to an application</u>, and then the application mishandled the data.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260637</guid>
<pubDate>Mon, 31 Mar 2008 21:34:55 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260497</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  SnowyOne <A HREF="/useremail/u/795407"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>It might be Flash that <i>caused</i> a rogue download but isn't still the os that <i>allowed</i> the rogue download?<br>I can understand the OS not being at fault for running the rogue download at next boot, it's the <i>allowing</i> the rogue download to occur in the first place that has me believing the OS has to take some responsibility for the hack. </div> I think there is some confusion here over how hacks like this work, and it may well lead to blaming the wrong party.<br><br>The term "remote code execution" refers to a circumstance where a trusted application - Safari, Flash, Acrobat, Word, WoW, whatever - incorrectly treats <b>foreign data</b> as <b>code</b>, and hands that code to the CPU.<br><br>The most familiar example is a buffer overflow, where too-large external data is provided to a too-small buffer, and the overflow parts are treated as code, not data. The CPU doesn't know where a CPU instruction came from, and in many cases the OS doesn't either: it assumes that the controlling program (WORD.EXE, SAFARI.EXE, etc.) knows what it's doing.<br><br>But in the case of Flash (we assume), it gave control to some outside party who got to hand its instructions to the CPU.<br><br><i><b>At that point, the game was over</b></i>, and it's the fault of the module that treated data as code.<br><br>How would Windows (or Linux or MacOS) know that the instructions to read a file or open a socket or whatever came from the untrusted source <i>versus</i> from the application that the user trusted enough to run?<br><br>I believe it misunderstands how these exploits work to suggest that the OS is culpable at all, unless the OS provided the module that did the bad stuff. 
The GDIPLUS.DLL and ASN1.DLL problems were both in this case: Microsoft properly took the heat for providing a module that another program could be used as a vehicle to exploitation.<br><br>Likewise, in the case of Safari, it's almost certainly a problem with the <b>application</b> rather than <b>the OS</b>, and it's only because the same vendor provided both that there is a blur between "MacOS was hacked" and "Apple didn't deliver quality code".<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260497</guid>
<pubDate>Mon, 31 Mar 2008 21:06:13 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260394</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Sending out SPAM is not the same thing as the system being owned.  Which was what the contest (remote execution of code) involved and the awards were handed out for. </div>Um, you realize that sending spam involves code execution, and it's Flash that's allowing it, right?<br><br>Steve<br> </div>It might be Flash that <i>caused</i> a rogue download but isn't still the os that <i>allowed</i> the rogue download?<br>I can understand the OS not being at fault for running the rogue download at next boot, it's the <i>allowing</i> the rogue download to occur in the first place that has me believing the OS has to take some responsibility for the hack.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260394</guid>
<pubDate>Mon, 31 Mar 2008 20:46:23 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260329</link>
<description><![CDATA[<A HREF="/useremail/u/668609"><b>EGeezer</b></A> : I'm beginning to see the argument of the future coming to fruition; <br><br><div class="bquote"><small>said by OS vendor :</small><br><br>That's not our vulnerability. It needs to be addressed by the application vendor.<br></div><div class="bquote"><small>said by application vendor :</small><br><br>That's not our vulnerability. It needs to be addressed by the OS vendor.<br></div>In short, lots of finger pointing will ensue from projects like these and little will get resolved except as band-aid fixes. The Neros will continue to fiddle while Rome continues to burn.  <br><small>--<br>Mayors of New York come from nowhere and go nowhere.<br>Wallace Sayre (apparently, so do governors... )</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260329</guid>
<pubDate>Mon, 31 Mar 2008 20:34:48 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260299</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Sending out SPAM is not the same thing as the system being owned.  Which was what the contest (remote execution of code) involved and the awards were handed out for. </div>Um, you realize that sending spam involves code execution, and it's Flash that's allowing it, right?<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260299</guid>
<pubDate>Mon, 31 Mar 2008 20:27:24 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260265</link>
<description><![CDATA[<A HREF="/useremail/u/157889"><b>RadioDoc</b></A> : Problem is (as you seem to have conveniently ignored) that the OS X "hack" did not involve installing a third party vector (in the Windows case Java) in order to enable the eventual exploit.  The Safari exploit is there as soon as the OS boots and the browser is launched.<br><br>The threat level of the OS X fault is much greater since every user is subject to it.  Unless users are not expected to ever click on hyperlinks "getting a user to click on a link" is a lot more likely than the Java/Flash combo.<br><br>You can be hypercritical of Microsoft if you must (as your sig evidences) but at least be consistent when applying logic.<br><small>--<br>Toolmaster of La Grange.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260265</guid>
<pubDate>Mon, 31 Mar 2008 20:19:07 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260180</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Example: if the Flash plugin were exploited to allow the bad guy to drive-by install a .EXE in the user's temporary directory, and mark it as run-on-login, and this badware started sending out spam - how could Microsoft prevent this?</div>Sending out SPAM is not the same thing as the system being owned.  Which was what the contest (remote execution of code) involved and the awards were handed out for. <br><br>As for the point of your argument, you do realize the OS-X/Safari hack involved getting a user to click on a link?  So if you're going to excuse MS over an Adobe/Flash drive-by-install, then you have to excuse Apple on the same basis.<br> <br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260180</guid>
<pubDate>Mon, 31 Mar 2008 19:59:03 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260123</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I don't think that <b>anybody</b> would argue that Apple didn't have it in its power to fix Safari.</div>I take it then you have never been in a "discussion" with a Mac-Fanatic?   :p<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260123</guid>
<pubDate>Mon, 31 Mar 2008 19:46:04 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260120</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> As for blaming Adobe over MS.  Nope.  MS is well aware of Adobe products and should have tested their OS better to ensure a problem with Adobe didn't result in their OS being hacked.</div> Neither of us has this kind of information to know, and one doesn't have to "hack the OS" to hack the machine.<br><br>Example: if the Flash plugin were exploited to allow the bad guy to drive-by install a .EXE in the user's temporary directory, and mark it as run-on-login, and this badware started sending out spam - how could Microsoft prevent this?<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260120</guid>
<pubDate>Mon, 31 Mar 2008 19:45:30 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20260082</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : The issue is once again people are using applications as excuses for the OSs being compromised.  You can argue all you want that neither OS was Powned; however, the fact remains the contest handed out awards based on compromised systems running particular OSs; not awards based on compromised apps.<br><br>As for blaming Adobe over MS.  Nope.  MS is well aware of Adobe products and should have tested their OS better to ensure a problem with Adobe didn't result in their OS being hacked.  Keep in mind, MS did tweak Vista to prevent this kind of exploit, and yet they didn't completely close the hole with Vista's SP1 release.  <i>A secure OS should not be compromisable by a mis-behaving app.</i><br><br>As for blaming Apple, over Safari their own product.  Yes.  Apple damn well should be able to test their OS to ensure their own browser doesn't lead to the OS being hacked.  Shame on Apple for the security hole.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20260082</guid>
<pubDate>Mon, 31 Mar 2008 19:40:15 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259966</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Maxo <A HREF="/useremail/u/715380"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>    :</small><br><br>Mac was hacked first because that's what the cracker felt like going after first.  It could have just as easily been any other OS that he decided to go after, and it would have been the first to come down.</div>    <blockquote><small>said by Charlie Miller :</small><hr>"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard. Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows."<hr></blockquote><br> </div>Yes, he thought Leopard would be the easiest, but he also felt confident he could have done it to any of the OSes.  It wasn't like he was hammering at all three equally and got through Leopard first.<br><small>--<br>"Padre, nobody said war was fun now bowl!" - Sherman T Potter<br><br>&raquo;<A HREF="http://www.cafepress.com/maxolasersquad" >www.cafepress.com/maxolasersquad</A><br><br>&raquo;<A HREF="http://maxolasersquad.com/" >maxolasersquad.com/</A><br><br>&raquo;<A HREF="http://maxolasersquad.com/network/" >maxolasersquad.com/network/</A> My DSL Network Guide<br><br>&raquo;<A HREF="http://myspace.com/mlsquad" >myspace.com/mlsquad</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259966</guid>
<pubDate>Mon, 31 Mar 2008 19:18:04 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259879</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>If we follow the argument that Vista was not "Powned" and only Adobe was exploited; then OS-X was not "Powned" either and only Safari was exploited.  </div>I think that one ought to blame the vendor who wrote the bits that got hacked, and leave out of it any other party who was powerless to prevent the hack. The problem is that we don't know yet.<br><br>Scenario #1: It's a damn bug in Flash and Microsoft could not have done anything to prevent it. Blame Adobe.<br><br>Scenario #2: It's a bug in Windows (like the GDIPLUS.DLL thing a few years ago), and Flash was nothing more than a vehicle for the exploit. Blame Microsoft.<br><br>There may be middle grounds, but blame is directly related to ability to have mitigated with additional care.<br><br>I don't think that <b>anybody</b> would argue that Apple didn't have it in its power to fix Safari.<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259879</guid>
<pubDate>Mon, 31 Mar 2008 19:03:31 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259854</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : <div class="bquote"><small>said by  Maxo <A HREF="/useremail/u/715380"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</small><br><br>Mac was hacked first because that's what the cracker felt like going after first.  It could have just as easily been any other OS that he decided to go after, and it would have been the first to come down.</div>   <blockquote><small>said by Charlie Miller :</small><hr>"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard. Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows."<hr></blockquote>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259854</guid>
<pubDate>Mon, 31 Mar 2008 18:59:49 EDT</pubDate>
</item>

<item>
<title>More details on the Flash flaw that won the Vista machine</title>
<link>http://www.dslreports.com/forum/remark,20259706</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : From <A HREF="http://blogs.zdnet.com/security/?p=993">ZDNet</a><br>March 31st, 2008<br>Analysis by Nathan McFeters* -  <blockquote><small>said by Nathan McFeters :</small><hr>So, I've been pretty surprised by the response to the discussion of the <A HREF="http://blogs.zdnet.com/security/?p=988">Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest</a>... I think we can make some reasonable assumptions from the details that have been released in an <A HREF="http://www.infoworld.com/article/08/03/31/Linux-unbeaten-in-hacking-contest_1.html">InfoWorld article</a>:<i><blockquote>Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures...</blockquote></i>For those who aren't familiar with Sotirov, he's of the <A HREF="http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf">Javascript Feng Shui fame</a> [pdf], which is basically a new method of heap spraying that allows the exploit code to have a predictable target address where it will be located in the heap.  So they team up and get to work:<i><blockquote>Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.</blockquote></i>Hmmm... does this sound familiar to anyone? 
See my posts (<A HREF="http://blogs.zdnet.com/security/?p=946">part 1 here</a> and <A HREF="http://blogs.zdnet.com/security/?p=974">part 2 here</a>) on the flaws that John Heasman spoke of in Java which require it to turn off features like DEP in operating systems that provide these protections.  So my guess, and I feel it is an educated one (of course time will tell), is that Sotirov helped out by providing some additional hacker ninjitsu by helping Macaulay load this Flash attack through a Java Applet, thus turning off any DEP protections the operating system provides.  Heck, I wouldn't even be surprised if he used the applet to do some fancy heap spraying to load the shellcode from the heap. The article continues:<i><blockquote>    "The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he (Macaulay) said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."<br><br>Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.</blockquote></i>Aha, so there is your story right there, this flaw could've worked on any of the systems; however, the contest rules state that the same exploit can only be used to compromise one machine (see rule #2 from the cansecwest.com web page which states "You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue."), and Macaulay used Vista because it was what he was more familiar with.<br><br>So I guess we can end the OS wars about whose is better.  Perhaps I could just put up a poll so we could vote on it and get that all over and done with. 
So now, we should be pointing the finger at Adobe for allowing this flaw... or wait a minute, should we be pointing it at Sun since it doesn't play nice with DEP?<hr></blockquote><br><br><small>*<i>Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago.</i><br>See article for more information.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259706</guid>
<pubDate>Mon, 31 Mar 2008 18:31:22 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259520</link>
<description><![CDATA[<A HREF="/useremail/u/157889"><b>RadioDoc</b></A> : Safari is installed and activated by default in OS X.  Flash is not, on any platform.  While picking nits is fun, the user has to do nothing other than turn on a freshly unpacked Mac, connect to a network (which is also enabled by default while going through initial setup), and then surf to a site containing the exploit.  No other assistance is required from outside software.<br><br>Now, if you can accurately claim that the scenario is not one repeated every day by unsuspecting new computer owners who believe a company's "security" hype, then you may have an argument.  However, it might help for you to go back into the timeline and especially the facts of the contest rather than make up your own grading scale.<br><small>--<br>Toolmaster of La Grange.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259520</guid>
<pubDate>Mon, 31 Mar 2008 17:57:06 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259431</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : If we follow the argument that Vista was not "Powned" and only Adobe was exploited; then OS-X was not "Powned" either and only Safari was exploited.  Continuing that same logic then there is no reason to have three different OS's involved in the contest and instead the whole contest should be about hacking applications.  Further no awards should have been given out because neither OS was hacked.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259431</guid>
<pubDate>Mon, 31 Mar 2008 17:40:58 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259367</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>[ Vista failed to prevent the system from being "Powned"; so the OS was indeed exploited. </div>We don't have enough information to know that - if Flash allows bad executable content to run, I don't know how Vista or any other OS could prevent it. There are a <b>lot</b> of things that badware running in a strictly user context (without admin/elevation) can do, so it doesn't require compromising the OS to compromise the user's account.<br><br>Steve<br><small>--<br>Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | <A HREF="http://www.unixwiz.net">my web site</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259367</guid>
<pubDate>Mon, 31 Mar 2008 17:28:18 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259266</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><b>Flash is a third-party program</b> - it's not exploiting the OS.</div>Vista failed to prevent the system from being "Powned"; so the OS was indeed exploited.<br> </div><div class="bquote"><small>said by &raquo;<A HREF="http://www.channelregister.co.uk/2008/03/29/ubuntu_left_standing/" >www.channelregister.co.uk/2008/0&middot;&middot;&middot;tanding/</A> :</small><br><br>...Macaulay, who says with a few hours of tweaking, <b>his exploit will also work on OS X and <u>Linux</u></b>.<br></div>If you let a particular software in an operating system, you better trust the software.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259266</guid>
<pubDate>Mon, 31 Mar 2008 17:13:10 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259122</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><b>Flash is a third-party program</b> - it's not exploiting the OS.</div>Vista failed to prevent the system from being "Powned"; so the OS was indeed exploited.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259122</guid>
<pubDate>Mon, 31 Mar 2008 16:50:55 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20259062</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>If I had a zero-day Vista remote attack, ... I'd instead sell it for far ...</div>You have hit on one thing that is wrong with the contest.<br>The awards don't represent the market share of the respective OSs and the value of a hack.  Thus, the contest doesn't attract the black-hats to give-up a valuable Vista hack as it would a Linux hack.  The contest would need to offer something like $88,000 for Vista hack, while paying only $8,000 for OS-X hack, and $4,000 for Ubuntu (or some $$ award vs. % market).<br><br>I also wonder how many black-hats really would give up a hack for money; knowing it would draw attention to themselves.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20259062</guid>
<pubDate>Mon, 31 Mar 2008 16:41:36 EDT</pubDate>
</item>

<item>
<title>Re: Vista Hacked</title>
<link>http://www.dslreports.com/forum/remark,20258954</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>They shouldn't have allowed Adobe software to run on their operating system.</div>Maybe MS shouldn't allow anything to run on their OS?   ;)<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20258954</guid>
<pubDate>Mon, 31 Mar 2008 16:21:33 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20258925</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  La Luna <A HREF="/useremail/u/429050"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>So basically, he's saying no OS is foolproof. Imagine that.  </div><b>Flash is a third-party program</b> - it's not exploiting the OS.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20258925</guid>
<pubDate>Mon, 31 Mar 2008 16:16:40 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20258521</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : I really don't see any point in taking too much from this.  Mac was hacked first because that's what the cracker felt like going after first.  It could have just as easily been any other OS that he decided to go after, and it would have been the first to come down.<br>This is also only one example of crackers finding one exploit per OS.  What really matters is how it fares in the real world.  Will a server, properly set up, be less likely to be compromised running OSX, Vista, or Ubuntu?  What about the desktop?  If I am running each of these operating systems, in their "out-of-the-box" configuration with all updates and with the user taking realistic precautions (only executing trusted programs, etc.) which one is most likely to become compromised?<br>I don't think that this contest does anything to answer that question.<br><small>--<br>"Padre, nobody said war was fun now bowl!" - Sherman T Potter<br><br>&raquo;<A HREF="http://www.cafepress.com/maxolasersquad" >www.cafepress.com/maxolasersquad</A><br><br>&raquo;<A HREF="http://maxolasersquad.com/" >maxolasersquad.com/</A><br><br>&raquo;<A HREF="http://maxolasersquad.com/network/" >maxolasersquad.com/network/</A> My DSL Network Guide<br><br>&raquo;<A HREF="http://myspace.com/mlsquad" >myspace.com/mlsquad</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20258521</guid>
<pubDate>Mon, 31 Mar 2008 15:01:17 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20258186</link>
<description><![CDATA[<A HREF="/useremail/u/157889"><b>RadioDoc</b></A> : I'm shocked.  SHOCKED!<br><br> :D<br><br>Which is all the more reason why Apple's marketing implication that OS X <i>is</i> foolproof (or at least more foolproof than contemporary Windows) is void.  Much more dangerous to give people a false sense of security...or for a bunch of apologists to insist the risk is zero.<br><small>--<br>Toolmaster of La Grange.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20258186</guid>
<pubDate>Mon, 31 Mar 2008 14:01:05 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20258093</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : <i>....and Linux zealots are sure to conclude the contest results prove the superiority of that platform. Maybe. But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X <b>and Linux</b></i>.<br><br>&raquo;<A HREF="http://www.channelregister.co.uk/2008/03/29/ubuntu_left_standing/" >www.channelregister.co.uk/2008/0&middot;&middot;&middot;tanding/</A><br><br>So basically, he's saying no OS is foolproof. Imagine that. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20258093</guid>
<pubDate>Mon, 31 Mar 2008 13:46:33 EDT</pubDate>
</item>

<item>
<title>Re: Vista Hacked</title>
<link>http://www.dslreports.com/forum/remark,20257633</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : You and me both Trel.. so I certainly did not help the thought process along..sorry. :( Glad you posted. Flash does need java..Adobe saw to that.<br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20257633</guid>
<pubDate>Mon, 31 Mar 2008 12:27:03 EDT</pubDate>
</item>

<item>
<title>Re: Vista Hacked</title>
<link>http://www.dslreports.com/forum/remark,20257015</link>
<description><![CDATA[<A HREF="/useremail/u/700992"><b>Trel</b></A> : <div class="bquote"><small>said by  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Adobe Flash Player<br><br> </div>Yeah, you're right.  Where the heck did I pull Java from (and I was thinking it before the post about java being "rock solid").]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20257015</guid>
<pubDate>Mon, 31 Mar 2008 10:49:55 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20256764</link>
<description><![CDATA[<A HREF="/useremail/u/157889"><b>RadioDoc</b></A> : Heh, true that.  Especially in light of the arrogance which makes most of them think they need no AV, et al. protection at all because Teh Steve will keep them safe.<br><br>There is more damage control going on in the Apple camp over this than you see when a political candidate gets caught with a hooker.<br><small>--<br>Toolmaster of La Grange.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20256764</guid>
<pubDate>Mon, 31 Mar 2008 10:03:24 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20256618</link>
<description><![CDATA[<A HREF="/useremail/u/723836"><b>Davebo_</b></A> : <div class="bquote"><small>said by  chrisretusn <A HREF="/useremail/u/1477566"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I would have liked to have seen the Linux machine left up until it was compromised. :(<br><br>Even though it didn't take long, it's not gonna stop me from buying a Mac Pro once I get the money saved up. :)<br> </div>Intelligent Windows users everywhere thank you.  :)<br><br>The quicker Mac becomes the main attack vector, the better off we'll be. The more the merrier onto the Apple bandwagon I say... ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20256618</guid>
<pubDate>Mon, 31 Mar 2008 09:32:05 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20256154</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : <div class="bquote"><small>said by  chrisretusn <A HREF="/useremail/u/1477566"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I would have liked to have seen the Linux machine left up until it was compromised. :(<br><br>Even though it didn't take long, it's not gonna stop me from buying a Mac Pro once I get the money saved up. :)<br> </div>But then to be fair...You might have seen the Mac OS X resetup and compromised every half hour the second day..and then the free for all  on the third day when they expanded it to include third party applications.<br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20256154</guid>
<pubDate>Mon, 31 Mar 2008 05:28:31 EDT</pubDate>
</item>

<item>
<title>Re: Hackers to challenge Windows, Mac OS X and Linux next week</title>
<link>http://www.dslreports.com/forum/remark,20256126</link>
<description><![CDATA[<A HREF="/useremail/u/1477566"><b>chrisretusn</b></A> : I would have liked to have seen the Linux machine left up until it was compromised. :(<br><br>Even though it didn't take long, it's not gonna stop me from buying a Mac Pro once I get the money saved up. :)<br><small>--<br>Chris<br><b>Living in Paradise!!</b></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20256126</guid>
<pubDate>Mon, 31 Mar 2008 04:54:07 EDT</pubDate>
</item>

<item>
<title>Re: Vista Hacked</title>
<link>http://www.dslreports.com/forum/remark,20256117</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : <div class="bquote"><small>said by  Trel <A HREF="/useremail/u/700992"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br><div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>So much for MS's SDL initiative and their rings of security... </div> Indeed. They shouldn't have allowed Adobe software to run on their operating system.<br> </div>Adobe?  It was hacked using Java.<br> </div>Adobe Flash Player<br><br>Adobe's (originally developed by Macromedia) client-side competitor to Java. Its download is about 1.2 MB, compared with 3 MB for Shockwave, and 14 MB for the Java run time. It was initially designed to do rapid animations with very small downloads. Now it has been extended to handle data entry and database lookup functions. Macromedia decided to use fluffy XML as their transport protocol to the server. The downloaded files typically have the extension *.swt. Test your Flash installation. <br><br>&raquo;<A HREF="http://mindprod.com/jgloss/flash.html" >mindprod.com/jgloss/flash.html</A><br><br>*********************************<br><br>After Mac was hacked in 2 minutes at the CanSecWest Conference, it was now the time for Vista to get hacked on the 3rd day. Vista's security was compromised through the popular 3rd party software, Adobe Flash. 
<br>&raquo;<A HREF="http://www.neowin.net/news/main/08/03/30/vista-hacked-on-3rd-day-thru-adobe-flash-linux-undefeated" >www.neowin.net/news/main/08/03/3&middot;&middot;&middot;defeated</A><br><br>Windows Vista security was compromised through the popular Adobe Flash software.<br><br>By: Mary Couchman<br>Mar 29, 2008, 5:24 PM EDT<br><br>During the third day of the "PWN TO OWN" event, a contest of hackers determined to break systems at CanSecWest, Windows Vista was compromised from a Flash flaw.<br><br>The contest, which saw a MacBook Air get hacked on Thursday, relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall through the OS X operating system.<br><br>On Friday, hackers could target any "popular" piece of third-party application software that computer users might locate on a system. The Fujitsu laptop, running Windows Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.<br><br>Hackers Shane Macaulay, Derek Callaway and Alexander Sotirov, were able to compromise and gain control of the Windows Vista laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.<br><br>Winners had to sign a nondisclosure agreement immediately after a successful hack, so that the nature of the flaw could be disclosed to the vendor to prepare for security fixes. Once Adobe patches the flaws in Windows Vista, the problem will be disclosed.<br><br>CanSecWest is the world's most advanced conference focusing on applied digital security. The annual event brings both industry and hackers to test security in several operating systems. 
<br><br>The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field.<br>&raquo;<A HREF="http://www.newsoxy.com/windows_vista_hacked_at_cansecwest_conference/article10640.htm" >www.newsoxy.com/windows_vista_ha&middot;&middot;&middot;0640.htm</A><br><br>The first to be taken down, on the second day, was the Mac, exploiting a Safari vulnerability. Next, on the third day, the Vista laptop was hacked using a Java vulnerability. At the end of the competition the Linux laptop remained secure. Both the Safari and Java exploits may turn out to be cross-platform, but secure operating systems should run all applications at the user level and no user application should have administrator access. Therefore, the vulnerabilities must have exploited an OS as well as an application security flaw.  <br><br>If you have physical access hacking vista can be easier..<br>Windows Vista hack <br>&raquo;<A HREF="http://arunonfire.blogspot.com/2007/09/windows-vista-hack.html" >arunonfire.blogspot.com/2007/09/&middot;&middot;&middot;ack.html</A><br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>Missing Kids<br> &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20256117</guid>
<pubDate>Mon, 31 Mar 2008 04:34:08 EDT</pubDate>
</item>

<item>
<title>Re: Vista Hacked</title>
<link>http://www.dslreports.com/forum/remark,20256100</link>
<description><![CDATA[<A HREF="/useremail/u/700992"><b>Trel</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>So much for MS's SDL initiative and their rings of security... </div> Indeed. They shouldn't have allowed Adobe software to run on their operating system.<br> </div>Adobe?  It was hacked using Java.]]></description>
<guid isPer