MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Day 2 results (Score:5, Informative)
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]
Re:linky, pleasey (Score:5, Informative)
Quote from the linkey
In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.
In Protected Mode, IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low
Re:Identical articles (Score:5, Informative)
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]
Re:And, in this case, the attacker deliberately ch (Score:5, Informative)
Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.
Re:Identical articles (Score:5, Informative)
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
Re:right (Score:4, Informative)
It's not a guarantee that the first to fail is the weakest, there's definite elements of chance and some complex interactions. But it was done with Safari, which is part of the default distribution of a Mac and it's not exactly easy to not use Safari for at least long enough to download Firefox.
Dell is actually starting to not suck. (Score:5, Informative)
Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a macbook I probably would have tossed the OSX disks and reformatted the drive first thing. I've had to develop under OSX and, while I don't mind it, I definitely prefer Ubuntu.
Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell, toss it, and buy a couple 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.
Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.
Re:And, in this case, the attacker deliberately ch (Score:3, Informative)
While we're on the subject, guess what "dd" stands for? It's not "direct dump" or "disk destroy". It's "character copy".
Re:Users == the problem (Score:2, Informative)
Overall, you're arguing about two different things. There's security by design, and then there's secure implementation. It seems like you're claiming that an operating system that's secure by design will, somehow, have fewer implementation flaws. That's not true. Good design is there to mitigate the damage that can be done by exploiting a vulnerability, not to make vulnerabilities disappear. The presence of vulnerabilities in code does not necessarily indicate that that code is insecure by design. The scope of damage that those vulnerabilities can cause, however, is an indication of the design's security.
And I haven't actually been able to find an indication of the scope of this particular vulnerability. All I can see is that contestants had to read a "designated file", with no indication as to the access mode of that file. If it was just a regular, user-owned file, this is a pretty run-of-the-mill buffer overflow in a userland application. If it, somehow, allowed the attacker to gain root privileges, then that's a much bigger problem.
Re:Low? What's Low? (Score:3, Informative)
Why does this matter? Well, suppose you have something like the WMF vulnerability, which can be exploited if you preview the file in Windows Explorer. All a website has to do is to download the file into the sandbox and trick the victim into previewing it.
Unfortunately, the proper Biba integrity model is probably totally impractical for desktop use.
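The two comments above (the Protected Mode quote listing the Low-integrity folders, and the remark that Windows stops short of a full Biba model) can be tied together in a small policy model. The following Python is an added illustration written for this page, not code from Microsoft or from any of the commenters: it encodes Biba's "no write up" rule, which Windows Mandatory Integrity Control does enforce by default, beside Biba's "no read down" rule, which Windows does not enforce (NO_READ_UP can be set per object but is not the default, and nothing ever blocks a higher-integrity process from reading Low data). The subject names, the Startup and Program Files labels and the path strings are constructed for the example.

```python
"""Toy Biba integrity model vs. Windows Mandatory Integrity Control (MIC).

Added example for illustration; the subjects, labels and paths below are
constructed, not measured from a real system.
"""
from dataclasses import dataclass

# Integrity levels from lowest to highest; only the ordering matters here.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "System": 4}


@dataclass(frozen=True)
class Subject:
    name: str
    level: str


@dataclass(frozen=True)
class Obj:
    path: str
    level: str
    no_read_up: bool = False  # optional MIC policy bit on the object


def can_write(subject: Subject, obj: Obj) -> bool:
    """Biba 'no write up': write only to objects at or below the subject's level.
    Windows MIC enforces this (NO_WRITE_UP is the default object policy)."""
    return LEVELS[subject.level] >= LEVELS[obj.level]


def can_read_strict(subject: Subject, obj: Obj) -> bool:
    """Strict Biba 'no read down': read only objects at or above the subject's level."""
    return LEVELS[subject.level] <= LEVELS[obj.level]


def mic_read_allowed(subject: Subject, obj: Obj) -> bool:
    """What Windows MIC actually does with reads: a lower subject reading a
    higher object is blocked only if the object carries NO_READ_UP; reading
    *down* (a Medium process reading Low data) is never blocked."""
    if obj.no_read_up and LEVELS[subject.level] < LEVELS[obj.level]:
        return False
    return True


# Constructed objects: the Low folders quoted from the Protected Mode article,
# plus a user Startup folder (Medium) and Program Files (High) for contrast.
PROFILE = r"%userprofile%"
OBJECTS = {
    "low_cache": Obj(PROFILE + r"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low", "Low"),
    "low_temp": Obj(PROFILE + r"\AppData\Local\Temp\Low", "Low"),
    "startup": Obj(PROFILE + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "Medium"),
    "program_files": Obj(r"%ProgramFiles%", "High"),
}

PROTECTED_IE = Subject("iexplore.exe (Protected Mode)", "Low")   # assumed Low
EXPLORER = Subject("explorer.exe", "Medium")                      # assumed Medium


def sandbox_write_report(subject: Subject = PROTECTED_IE) -> dict:
    """Which of the sample objects a Low-integrity IE process could write to."""
    return {name: can_write(subject, obj) for name, obj in OBJECTS.items()}


def read_down_gap(reader: Subject = EXPLORER, obj: Obj = OBJECTS["low_temp"]) -> tuple:
    """(strict Biba verdict, Windows MIC verdict) for a Medium process reading a
    Low file: the mismatch is the preview-in-Explorer gap described above."""
    return can_read_strict(reader, obj), mic_read_allowed(reader, obj)


if __name__ == "__main__":
    for name, ok in sandbox_write_report().items():
        print(f"{name:14} write {'allowed' if ok else 'DENIED'}")
    biba, mic = read_down_gap()
    print(f"Explorer reads Low temp file: strict Biba={biba}, Windows MIC={mic}")
```

Running it shows the sandbox doing its job for writes (the Low cache and temp folders are writable, Startup and Program Files are not) while the read check splits: strict Biba would refuse to let a Medium process consume Low-integrity data, whereas MIC permits it, which is why a file dropped into the Low temp folder can still reach a higher-integrity viewer.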