duper

Vista SP1 gets pwnt!

13 posts in this topic

Actually, the attacks were over the network. There was no physical access. Read the original announcement:

http://packetstormsecurity.org/papers/call...est-pwn2own.txt

And for the record, I wasn't trying to advocate any particular operating system or software, I just thought it was funny that the attack affected SP1 since it's so new.


Yes, restrictions were lifted on each successive day, but that was how the rules were originally defined; none of the rules were changed.

Both of the wins were through browser-based client-side vulnerabilities. They didn't have physical access, but they were allowed to tell the Zero Day Initiative representative to visit a URL.


Life is too short for if's, but's, and maybe's.

Owned is owned is owned. Doesn't matter. You could say without whatever. "Oh, that machine could only be owned without the patch." or "That machine could only be owned without that firewall rule." It's still a vulnerability.

I'm sure the targets could have been compromised remotely it just didn't happen during the contest.


An OS can only be as secure as the idiot at the helm.. :roll:

What vector doesn't realize is most computers unfortunately have users, convincing a user to visit a website or execute a malicious executable is a surprisingly easy thing to do, and it shouldn't be the OS's job to prevent the user from being an idiot.

On Unix-like systems, running under root is taboo.. something that only should be done with care, or a properly configured "sudo".. Windows users run under "Administrator" because "ZOMG MY HALO PLAIZ BETTAR!" :lol:

If you haven't already noticed, I dislike people who use Windows... they're like locusts, you can kill them.. but they smell real bad. :P


Adobe is also saying it knew about the vulnerability that dropped the Vista laptop:

http://www.infosecnews.org/pipermail/isn/2...ril/016152.html

"After some internal investigation, we found that via our ongoing response and security testing process, we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month," said Erick Lee, the manager of Adobe's secure software engineering team, in a post to the group's blog.

They claim it was first discovered in December. So the old, "Bah, this is nothing new. We've already fixed it, so there's nothing to worry about!" excuse strikes again.

On a related note, a new metric for software companies has been proposed, which looks at how long it takes vendors to issue a patch once a vulnerability has been reported:

http://www.heise.de/english/newsticker/news/105717

They don't just count the number of holes and how critical they are, but also determine what they call the zero-day patch rate. This indicates the ability of a vendor to make a patch available on the day a vulnerability becomes known.

This has the potential to be quite meaningful... but my fear is that big-name vendors have enough clout with mainstream media that this kind of thing can get downplayed: "We have to make sure any patches go through our rigorous testing cycle to ensure backward compatibility and frontward confoozlement. You can't just rush these things out the door, you know; you might end up making the problem worse! You should be *THANKFUL* it takes so long to fix problems!"

(sigh)


Mac was the first to be pwned, two years in a row. Just saying...

Mac was the first to be pwned, two years in a row. Just saying...

Probably because Apple was the only platform available the first year..

The outcome of this contest should not be interpreted as an operating system security metric.

I'll try to preempt the ensuing religious discussion by stating this:

The access control of any operating system can be circumvented.

The outcome of this contest should not be interpreted as an operating system security metric.

Absolutely. This is a very contrived, controlled situation, designed for media hype instead of a "real" test of security.

It makes much more sense to take a look at day-to-day performance and operations of software as it is used in production.


For all intents and purposes, the flaw that got the Mac pwnt could have allegedly been used against the Windows machine as well. If that were done, and both fell in a minute each... and the Mac still was the first to be taken up... guess what, haters will still say the Mac got pwnt first blah blah.

There are sufficiently many reasons for which Apple might want to beef up the security team, and I've gone on soapbox diatribes about it on my blog enough, so I agree they should be 'scared' into it. But yes, it is not a security statistic as much as it is a hype device (not much unlike the RDF)

For all intents and purposes, the flaw that got the Mac pwnt could have allegedly been used against the Windows machine as well. If that were done, and both fell in a minute each... and the Mac still was the first to be taken up... guess what, haters will still say the Mac got pwnt first blah blah.

Not at all. If you really think about it, if cross-platform shellcode had been written the Flash vulnerability could have been used to own all three: Vista, Linux, and MacOS.

The Vista machine was not running Safari, but the MacOS machine was running Flash, so it could have happened the other way around... and the Vista machine did not fall in a minute. It took at least 5 hours or so for the Vista team to detect and bypass IE7's JavaScript DEP (enabled in SP1) with Java heap spraying. They actually paused in the middle and started writing an exploit for Linux then changed their minds. This is a matter of counteracting anti-exploitation technologies so again, the security of each individual operating system is largely irrelevant here. There's an interview with the winners over at Ziff-Davis if anyone wants to read further into it:

http://blogs.zdnet.com/security/?p=999

And just because the media said something doesn't make it true. ;) I'm not trying to argue with you here. Sure, Safari for Win32 could have been attacked, but who runs Safari on Windows? There's a possibility of it happening the way you describe in the wild but that wasn't how it went down at the contest. As far as I'm concerned the amount of time that it took the contestants to win shouldn't matter either... What's done is done and what's owned is owned.

