Hacker contest - Linux vs Mac vs Vista

http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2008
http://dvlabs.tippingpoint.com/blog...e-have-our-first-official-winner-with-picture

1. day - allowed an attack at system services only.
2. day - an attack via an infected URL webpage.

1. looser - MacBook Air exploited via a brand new 0day vulnerability in Apple's Safari web browser. The contest continues with Ubuntu 7.10 & Vista Ultimate SP1.

 

http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008

"Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope.

So did they install Safari on Windows Vista today?

[ Oops - Mac OSX and Safari 3.0 for Windows (no Linux version) Thx wat0114! ]

 

Does Safari even have a version for Linux? I haven't seen one. It is an interesting contest and looking forward to the final results

 

I heard that Safari is based on KDE's konqueror, so that could be a "linux version"

 

You are right. A little digging and it is indeed called Konquerer, at least for Linux.

 

on day two it only took two minutes to hack the Mac airbook. that is pretty quick

 

A little more digging. Where there is a will, there is a way:

http://www.ubuntu-unleashed.com/2008/03/howto-install-safari-on-ubuntu-with.html

"Howto: Install Safari on Ubuntu with Flash and Shockwave! (Hulu, Youtube, Shockwave Works!) March 21, 2008
"Ok ive been browser hunting and seen a lot of hype about Safari browser's speed so I decided to give it a whirl, I managed to get it install with Flash and it works very well with youtube and hulu ! Here is how I got it installed, let me know how it goes if you decide to check it out!

http://www.howtoforge.com/installing-safari-on-ubuntu7.10-with-playonlinux

"Installing Apple's Safari Browser On Ubuntu 7.10 With PlayOnLinux 01/18/2008
"This guide explains how you can install Apple's Safari browser on Ubuntu 7.10. As there is no Linux version of Safari, we will run it under Wine. We will use a tool called PlayOnLinux to install Safari under Wine.

 

I'll just stick with FF. All those terminal commands look a bit intimidating to me, and I'm just too new to Linux to dive into all that right now

Getting Flash to work in FF was a PITA. Thank goodness for Google and the answers I found to help me get it installed and working.

 

Ubuntu wins!

 

Only because Adobe's Flash doesn't work on it?

 

This is cheating just a little as I am not running Ubuntu 7.10 on my laptop, but I am posting from Safari v3.1 running on Debian Etch stable via wine.

I happened to have wine on this Debian install. I downloaded and installed mstcorefonts (a Debian package) from the Debian repository and Safari from Apple's web site.

The Safari UI has a few glitches (mainly the menu bar text, no spaces between FileEditViewHistory...), but is very usable.

 

Actually Vista did very well, It took three days to hack it and then the hacker had to have someone install a third party software of the hackers choice and then go to a particular web site. pretty much a setup but it still took three days. In my book that is very respectable.

 

I'm running the Adobe Flash plugin 9.0.48 installer in Firefox and it's working. It was a hassle to install (had to delete some xt?? something or other file).

 

Well, then the conclusion is that the same vulnerability probably doesn't exist on the Linux version. An Adobe flaw, not a Windows flaw, was what let the hackers finally break through.

 

Would it matter if the linux Flash installer has the same exploit as the Windows version, in that it would be more difficult to exploit under Linux as opposed to Windows only because of the the way linux works?

 

And in what way would Linux work to make this flaw any less exploitable, perchance?

 

I have no idea linux is all new to me, having used it for only a week. I'm still in very early learning mode. I've heard very little except that everything runs in a kernel and that is supposed to make it more secure than Windows?? I'm using it because it will soon be used on one of our systems at work, so i'd like to learn something about in advance

 

Well, there we go.

Popular myth used to have it that Macs were more secure than Windows, too.

 

LOL! In the end, though, I guess it still comes down more to the individual using the system. Someone using Windows can run it as secure, or more secure, than someone using linux, or vise-versa. Until I learn more about Linux, there isn't too much I can comment on about it.

*EDIT*

sorry, just to add more. This is only speculation of course, but I figure where a Linux user could really get themselves in trouble is though careless, cavalier use of the sudo command and careless downloading through the Synaptic manager, where it is all too easy to acquire restricted (multiverse) or proprietary drivers. Just a thought.

 

"In the end, though, I guess it still comes down more to the individual using the system. Someone using Windows can run it as secure, or more secure, than someone using linux, or vise-versa.

Well said wat0114. This should be a sticky.

 

Thanks bktII! Too bad I can't take credit for it. It was something I took from a Linux article

 

"It was something I took from a Linux article

@wat0114

This makes it even more powerful!

 

That suits me just fine

 

So, if that 3rd party sofware couldn't be installed and they hadn't gone to a particular website, they might never have gotten into Vista?

 

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up