Linux Survives PWN 2 OWN Contest; Mac, Vista Fall – and What It Means For You


Head-to-head-to-head, Vista vs. MacOS vs. GNU/Linux in the PWN 2 OWN contest at CanSecWest 2008:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it...

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

...Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it.

The contest took place over three days, the challenge - and the cash prize - diminishing each day:

Day 1: March 26th: Remote pre-auth

All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps

The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps

Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

All three laptops survived the first day, as none of the contestants attempted any hacks.

However, day two brought the first successful attack: the MacBook Air was compromised in a matter of minutes. The attack vector was the Safari web browser. The contestant instructed the MacBook Air user to navigate to a specially designed web page using Safari. The attack reportedly took less than two minutes:

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.

And finally, day three saw the second successful attack, as the Vista laptop was compromised. This time, the attack exploited a reportedly cross-platform vulnerability in Java:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

That means that in the end, only the GNU/Linux laptop (running Ubuntu) was left standing.

What is the moral of the story here? Well, in my opinion, there are two:

  1. Don't believe the Apple/Mac hype from Steve Jobs or his army of Apple fanboys. According to the two winning contestants, the Mac was the easiest of the three targets. Those who claim that Apple is inherently more secure have been proven to be making a baseless claim.
  2. More importantly, remember that the single weakest link in security is the user (this means you). The successful attacks were accomplished by exploiting vulnerabilities not in the OSes themselves, but in standard-install and popular third-party apps (web browser, Java). A security-ignorant user can have his Mac box compromised, just as a security-aware user can safely use his Windows box.

So, as a user, what can you do to protect yourself? Many things - and these apply regardless of which Operating System you choose:

  1. Always operate behind a hardware firewall. Even if you only have one computer using your broadband internet connection, set it up behind a router. These devices are cheap (less than $100 for a wi-fi router, and $50 or less for an ethernet-only router), and provide the lion's share of protection you need for your computer.
  2. Never run as root (administrator). All operating systems have the ability to set up and use accounts with non-admin privileges. Linux and MacOS do so by default. Windows notoriously hasn't in the past, but one of the best changes in Vista - annoying though it may be - is the User Account Control, allowing a user to operate without admin rights, until explicitly elevated. If you are still using WinXP (or older), set up an account with admin privileges, but also an account without admin privileges. Use the non-admin account on a regular basis.
  3. Stay away from the internet's red-light district. While it is true that any web site can be hacked, most internet-based exploits are found on adult web sites, warez (software-pirating) web sites, and other "black-hat" (malicious computer hacking) web sites. Avoid them, and you will limit your exposure.
  4. Never, ever, open unsolicited email attachments. Surprisingly, email remains a viable attack vector, even though this basic rule has been preached for over a decade. If you receive an email attachment you didn't request or weren't otherwise expecting, do not open it. Period.
  5. Use web scripts judiciously. Treat ActiveX with even more suspicion. Most browser-based attacks take advantage of JavaScript (cross-platform), the Java Runtime Environment (JRE, also cross-platform), or ActiveX (IE-only, and thus Windows-only). If you use Firefox, use the NoScript extension. If you use Internet Explorer, set ActiveX controls to require explicit authorization.
  6. Keep your third-party apps to a minimum. If you must use them, keep them updated. Another common attack vector is vulnerabilities discovered in third-party apps (e.g. QuickTime, Adobe Flash, Skype, etc.). If you don't need them, don't use them. Don't have them running by default. If you must have them, ensure that their browser plugins are configured not to launch/run automatically.

There is, as always, more (avoiding phishing, etc.); but the above list should provide the bulk of protection. Learn to modify your computer-use behavior, bearing in mind that you cannot place ultimate trust in your operating system to protect you.