So this is a rather interesting story, which beautifully lends itself to sensational press and great article titles like “MacBook Air hacked in two minutes” and “Vista falls, Linux holds strong.” This frankly, is exactly why TippingPoint and CanSecWest sponsor and hosted their recent contest. The very noble “we took another zero-day vulnerability off the streets” sounds like as good a reason as any to have some hacker fun.
Here’s the problem. Few people bother to understand any detail of what happened. They just read the “Ubuntu wins” and figure it’s safe to assume that’s the most secure OS choice, or that OS X fell first, so it must be the least secure.
Let’s look at what actually happened. All contest machines are built to the latest build and patch levels with a default installation of the operating system.
? Day 1 — Remote pre-auth attacks only. It turns out that all machines live through the first day. This doesn’t mean that there are no vulnerabilities that can be remotely exploited on these operating systems without authentication. It does mean that no one was able to get an attack to work, or that such an attack was too valuable to demonstrate. My personal take on this is that all three operating systems in question have actually matured substantially in the last several years and while the odd driver or other exploit does pop up from time to time, this kind of attack is the most difficult and least likely to succeed.
? Day 2 — Default client-side apps. So at this point in the game, the machines have whatever applications install by default and you can ask the judges to click on a link, open an email or receive an IM message. The result? Apple’s Safari browser is exploited and the OSX box is officially “pwned”. So shame on Apple for having a bug in Safari right? Well, we all know it’s impossible to stamp out all bugs. So shame on Apple for building an operating system that allows a browser vulnerability to result in machine pwnage? Well, that’s a more interesting take on the problem, but would Safari running on Vista or Ubuntu have done any better if the researchers had more time to craft the attack? This is an even more interesting question. Remember, finding a vulnerability and figuring out how to exploit it are drastically different tasks, the latter being substantially more complex.
? Day 3 — Third Party Apps. Finally, if a machine is still running, then the judges will install applications that they deem “popular.” Vista SP1 falls due to a fault in Adobe Flash. The attackers had arrived to the contest with a working zero-day against Adobe Flash, but when they find it doesn’t work with SP1, they are able to re-craft the exploit and make it work anyway. Shame on Adobe for the vulnerable code? Or shame on Microsoft for an architecture that allows a plug-in bug to compromise the operating system?
I actually don’t know the answers to the questions I have posed. I simply want to make people think about where the real fault is, and think certainly to understand that a handful of researchers with a couple of zero-day attacks is not representative of an overall operating system security posture.
Brian Bourne is a principal with CMS Consulting, a leader of the Toronto Area Security Klatch and a contributor to ITWorldCanada.com’s Security Insider blog