http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2008
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
{QUOTE-> Three targets, all patched. All in typical client configurations with typical user configurations. The point is to get an access to a file located on the HDD.

Targets (typical road-warrior clients):

VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2 <-QUOTE}
1. day - allowed an attack at system services only.
2. day - an attack via an infected URL webpage.

1. looser - MacBook Air exploited via a brand new 0day vulnerability in Apple's Safari web browser. The contest continues with Ubuntu 7.10 & Vista Ultimate SP1.

http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008

"Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope.

So did they install Safari on Windows Vista today?

[ Oops - Mac OSX and Safari 3.0 for Windows (no Linux version) Thx wat0114! ]

{QUOTE->
So did they install Safari on Ubuntu and Windows Vista today? <-QUOTE}

Does Safari even have a version for Linux? I haven't seen one. It is an interesting contest and looking forward to the final results :)

I heard that Safari is based on KDE's konqueror, so that could be a "linux version"

{QUOTE-> I heard that Safari is based on KDE's konqueror, so that could be a "linux version" <-QUOTE}

You are right. A little digging and it is indeed called Konquerer, at least for Linux.

on day two it only took two minutes to hack the Mac airbook. that is pretty quick:lurking:

A little more digging. Where there is a will, there is a way:

http://www.ubuntu-unleashed.com/2008/03/howto-install-safari-on-ubuntu-with.html

"Howto: Install Safari on Ubuntu with Flash and Shockwave! (Hulu, Youtube, Shockwave Works!) March 21, 2008
"Ok ive been browser hunting and seen a lot of hype about Safari browser's speed so I decided to give it a whirl, I managed to get it install with Flash and it works very well with youtube and hulu ! Here is how I got it installed, let me know how it goes if you decide to check it out!

http://www.howtoforge.com/installing-safari-on-ubuntu7.10-with-playonlinux

"Installing Apple's Safari Browser On Ubuntu 7.10 With PlayOnLinux 01/18/2008
"This guide explains how you can install Apple's Safari browser on Ubuntu 7.10. As there is no Linux version of Safari, we will run it under Wine. We will use a tool called PlayOnLinux to install Safari under Wine.

I'll just stick with FF. All those terminal commands look a bit intimidating to me, and I'm just too new to Linux to dive into all that right now :-\

Getting Flash to work in FF was a PITA. Thank goodness for Google and the answers I found to help me get it installed and working.

Ubuntu wins! (http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up)

{QUOTE-> Ubuntu wins! (http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up) <-QUOTE}
Only because Adobe's Flash doesn't work on it?

This is cheating just a little as I am not running Ubuntu 7.10 on my laptop, but I am posting from Safari v3.1 running on Debian Etch stable via wine.

I happened to have wine on this Debian install. I downloaded and installed mstcorefonts (a Debian package) from the Debian repository and Safari from Apple's web site.

The Safari UI has a few glitches (mainly the menu bar text, no spaces between FileEditViewHistory...), but is very usable.

Actually Vista did very well, It took three days to hack it and then the hacker had to have someone install a third party software of the hackers choice and then go to a particular web site. pretty much a setup but it still took three days. In my book that is very respectable.:thumb:

{QUOTE-> Only because Adobe's Flash doesn't work on it? <-QUOTE}

I'm running the Adobe Flash plugin 9.0.48 installer in Firefox and it's working. It was a hassle to install (had to delete some xt?? something or other file).

{QUOTE-> I'm running the Adobe Flash plugin 9.0.48 installer in Firefox and it's working. It was a hassle to install (had to delete some xt?? something or other file). <-QUOTE}
Well, then the conclusion is that the same vulnerability probably doesn't exist on the Linux version. An Adobe flaw, not a Windows flaw, was what let the hackers finally break through.

Would it matter if the linux Flash installer has the same exploit as the Windows version, in that it would be more difficult to exploit under Linux as opposed to Windows only because of the the way linux works?

{QUOTE-> Would it matter if the linux Flash installer has the same exploit as the Windows version, in that it would be more difficult to exploit under Linux as opposed to Windows only because of the the way linux works? <-QUOTE}
And in what way would Linux work to make this flaw any less exploitable, perchance?

{QUOTE-> And in what way would Linux work to make this flaw any less exploitable, perchance? <-QUOTE}

I have no idea :-\ linux is all new to me, having used it for only a week. I'm still in very early learning mode. I've heard very little except that everything runs in a kernel and that is supposed to make it more secure than Windows?? I'm using it because it will soon be used on one of our systems at work, so i'd like to learn something about in advance :)

{QUOTE-> I have no idea :-\ [...] I've heard very little except that everything runs in a kernel and that is [/b]supposed to make it more secure than Windows[/b] <-QUOTE}
Well, there we go.

Popular myth used to have it that Macs were more secure than Windows, too.

{QUOTE-> Well, there we go.

Popular myth used to have it that Macs were more secure than Windows, too. <-QUOTE}

LOL! In the end, though, I guess it still comes down more to the individual using the system. Someone using Windows can run it as secure, or more secure, than someone using linux, or vise-versa. Until I learn more about Linux, there isn't too much I can comment on about it.

*EDIT*

sorry, just to add more. This is only speculation of course, but I figure where a Linux user could really get themselves in trouble is though careless, cavalier use of the sudo command and careless downloading through the Synaptic manager, where it is all too easy to acquire restricted (multiverse) or proprietary drivers. Just a thought.

"In the end, though, I guess it still comes down more to the individual using the system. Someone using Windows can run it as secure, or more secure, than someone using linux, or vise-versa.

Well said wat0114. This should be a sticky.

{QUOTE-> Well said wat0114. This should be a sticky. <-QUOTE}

Thanks bktII! Too bad I can't take credit for it. It was something I took from a Linux article ;D

"It was something I took from a Linux article

@wat0114

This makes it even more powerful!

{QUOTE-> This makes it even more powerful! <-QUOTE}

That suits me just fine :thumb: :)

{QUOTE-> Actually Vista did very well, It took three days to hack it and then the hacker had to have someone install a third party software of the hackers choice and then go to a particular web site. pretty much a setup but it still took three days. In my book that is very respectable.:thumb: <-QUOTE}

So, if that 3rd party sofware couldn't be installed and they hadn't gone to a particular website, they might never have gotten into Vista?

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

It's funny when any news comes out of Windows being hacked or holes found where a possible attack may occur most people I know rush to get patches, update their software or add another 37 layers of security, or at least swear a lot and jump up and down and curse MS or whoever is at fault .
So far the reaction to the outcome of this contest from most Mac aficionados that I know is to adopt the 'ostrich stance' [with several having their heads in a worse place than the sand], all dismissed it for various reasons ranging from 'meaningless to some sort of conspiracy, although there was only one person that took that line of thinking and sadly he takes that for most things. :lurking:

Well said. :thumb: :thumb:

{QUOTE-> ...So far the reaction to the outcome of this contest from most Mac aficionados that I know is to adopt the 'ostrich stance' [with several having their heads in a worse place than the sand], all dismissed it for various reasons ranging from 'meaningless to some sort of conspiracy, although there was only one person that took that line of thinking and sadly he takes that for most things. <-QUOTE}

Are you referring to this article?

http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10-reasons-why-cansecwest-targets-apple/

...and the countering:

http://www.osnews.com/story/19545/CanSecWest:_Countering_Misinformation

...and then the following update to this criticism:

http://www.roughlydrafted.com/2008/03/31/thom-holwerda-of-osnews-calls-“mac-shot-first”-misinformation-and-slander-oops/

think what an ordinary little flaw in a browser can lead to...

/C.

thanks for those links, you made my day.
these guys would give scientologists a good run for their money.

This has been a funny thread to read:
the apple fanboys go to war LOL

@BigC with respect
{QUOTE-> ...the hacker had to have someone install a third party software of the hackers choice and then go to a particular web site. pretty much a setup.. <-QUOTE} I suspect that Flash is one of the first apps installed by all the security conscious you tubers et al. :dry:

While I agree with the general thrust that (the challenge) is an bit of aalmost complete stunt and has got CAnSecWest far more publicity than they have paid for and afaics has almost no bearing on real day to day security : everybody rushes out to buy Linuux Laptops and desktops ;D : installing Flash and going to a website is hardly a rare thing: I am assuming the "typical config" included UAC; I am surprised that Flash was not part of the "typical" set-up really.

From what I can see Adobe and Apple QT have had multiple and repeated flaws exposed: really a big problem given the ubiquity of both
Anybody not have both installed ??

http://www.wilderssecurity.com/showthread.php?t=204685
{QUOTE-> working on an update to its Flash Player software that will address a widespread vulnerability found on hundreds of thousands of Web sites. <-QUOTE}
That aint a low level threat. :(

( heh the Second Life exploit for QT was a winner, lol, for those with a real life heh)

Hardly any massive spin from the Linux fora: just business as usual.
I see some of the distros have basically abandoned Flash and some even recommending strongly against it.
Roll on Gnash..
Regards

{QUOTE-> I suspect that Flash is one of the first apps installed by all the security conscious you tubers et al. :dry: <-QUOTE}
True, but I think what bigc was trying to point out was that it wasn't Vista itself that was actually compromised at all. The hackers had their best shot at it, and after they threw everything they had and still failed, the competition judges decided to give them some slack and allow third-party apps with known vulnerabilities to be installed.

Though for that record, I install Flash and a handful of other vulnerable apps on my XP machine, and I don't touch Windows Update. I sleep soundly at night, and I'll continue doing so.

{QUOTE-> I think what bigc was trying to point out was that it wasn't Vista itself that was actually compromised at all <-QUOTE}
Yeah, agree
but
it has to be connected and be able to actually do "stuff": "The Vista Experience": more than many had bargained for :dry:
Not much use as a doorstop.. hmmm..

"..we all live in a yellow internet.." ( apologies to L&McC)

is safari an integrated part of OsX ? or just happen to be resting there :shifty:

There is an interesting page here about IE8 and some other stuff: "Martian Headsets"
http://www.joelonsoftware.com/items/2008/03/17.html
http://www.joelonsoftware.com/

Regards.
PS I've edited my previous post to qualify a bit> my brain is -marginally- faster than my typing.

{QUOTE-> Yeah, agree
but
it has to be connected and be able to actually do "stuff": "The Vista Experience": more than many had bargained for :dry:
Not much use as a doorstop.. hmmm.. <-QUOTE}
So take up the issue with Adobe, who has yet to release a fix for their product's flaw. What are you harping on Microsoft for?

"..we all live in a yellow internet.." ( apologies to L&McC)

{QUOTE-> is safari an integrated part of OsX ? <-QUOTE}
I would assume so. The MacBook was broken when they had yet to introduce any third-party apps. On an interesting sidenote, this would seem to indicate that IE is more secure than Safari.

{QUOTE-> What are you harping on Microsoft for? <-QUOTE}
Not, specifically, as noted Vista and ?IE7 not hackable in the first instance...just making observation re what might most often comprise a "typical" set-up
{QUOTE-> the issue with Adobe, who has yet to release a fix for their product's flaw <-QUOTE}Add "Again..."
:thumb:
Heh: Adobe Flash as a Vista rootkit: is that what you're suggesting: back door and all via specific websites ...:)

Quote:
"I see some of the distros have basically abandoned Flash and some even recommending strongly against it.
Roll on Gnash..

If it is true that Debian (for one) has abandoned Flash, it is due to their strong position on FOSS software, not security. After all, the Linux kernel gets patched quite frequently.

For an example of an open-source security meltdown, see this:
"Linux Wins The Security Showdown! Now What?
http://www.informationweek.com/blog/main/archives/2008/03/linux_wins_the.html

Also, the Opera web browser/email client is proprietary. It is free but not open-source.

Quote:
"is safari an integrated part of OsX ? or just happen to be resting there

Safari's roots go to Konqueror, the default browser for the KDE desktop used on both Linux and BSD (as noted previously in this thread by member HURST). Here:

"Surprise: Apple's New Browser Is a Sister to Konqueror
"January 11th, 2003
http://www.linuxjournal.com/article/6565

Here is a shared vulnerability between Safari and Konqueror:

"Apple Safari / Konqueror SCRIPT tag filtering bypass
"24.01.2007
http://securityvulns.com/Hnews91.html

Based on Mac's shared heritage with BSD, it is *likely* that Safari is integrated into the OSX desktop, not the operating system. Konqueror is integrated into the KDE Desktop, not the operating system.

What if Kubuntu had been used instead of Ubuntu (or Ubuntu with the KDE Desktop installed); would they have fallen?