So this is a rather interesting story, which beautifully lends itself to sensational press and great article titles like “MacBook Air hacked in two minutes” and “Vista falls, Linux holds strong”. This frankly, is exactly why TippingPoint and CanSecWest sponsor and host the contest. The very noble “we took another zero-day vulnerability off the streets” sounds like as good a reason as any to have some hacker fun. Hey, I’ll buy it.
Here’s the problem, few people bother to understand any detail of what happened. They just read the “Ubuntu wins” and figure it’s safe to assume that’s the most secure operating system choice, or that OSX fell first, so it must be the least secure.
Let’s look at what actually happened. All contest machines are built to the latest build and patch levels with a default installation of the operating system.
Day 1 – Remote pre-auth attacks only. It turns out that all machines live through the first day. This doesn’t mean that there are no vulnerabilities that can be remotely exploited on these operating systems without authentication. It does mean that no one was able to get an attack to work, or that such an attack was too valuable to demonstrate. My personal take on this is that all three operating systems in question have actually matured substantially in the last several years and while the odd driver or other exploit does pop up from time to time, this kind of attack is the most difficult and least likely to succeed.
Day 2 – Default client-side apps. So at this point in the game, the machines have whatever applications install by default and you can ask the judges to click on a link, open an email or receive an IM message. The result? Apple’s Safari browser is exploited and the OSX box is officially “pwned”. So shame on Apple for having a bug in Safari right? Well we all know it’s impossible to stamp out all bugs. So shame on Apple for building an operating system that allows a browser vulnerability to result in machine pwnage? Well that’s a more interesting take on the problem, but would Safari running on Vista or Ubuntu have done any better if the researchers had more time to craft the attack? This is an even more interesting question. Remember, finding a vulnerability and figuring out how to exploit it are drastically different tasks, the latter being substantially more complex.
Day 3 – Third Party Apps – Finally, if a machine is still running, then the judges will install applications that they deem “popular”. Vista SP1 falls due to a fault in Adobe Flash. The attackers had arrived to the contest with a working 0-day against Adobe Flash, but when they find it doesn’t work with SP1, they are able to re-craft the exploit and make it work anyway. Shame on Adobe for the vulnerable code? Or shame on Microsoft for an architecture that allows a plug-in bug to compromise the operating system?
I actually don’t know the answers to the questions I have posed. I simply want to make people think about where the real fault is, and think certainly to understand that a handful of researchers with a couple of 0-day attacks is not representative of an overall operating system security posture. Is Ubuntu the last operating system standing because its fundamental architecture prevented a browser or plug-in exploit from taking system control? Or is it the last standing simply because the contestants didn’t get a chance to write a working exploit that day? In theory the cross platform applications such as Safari and Adobe flash should be vulnerable on all platforms, but vulnerable does not always mean exploitable.