CanSecWest's Pwn2Own 2008 contest had heavy coverage in the past days, so I will recap rules and results very quickly.

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

    Competition started on March 26th, and was meant to last 3 days with decreasing difficulty level:

    1. Bare OS, no extra application
      No laptop got hacked
    2. Applications bundled with the OS (e.g. web browser)
      Mac OS X got pwned through a Safari vulnerability
    3. 3rd party popular applications
      Vista fell down because of a Flash vulnerability reportedly exploited through a Java vector

    Needless to say, after day 2 titles were slight variations on the "Mac OS X Hacked First" theme, while last day the song changed into "Vista Breached, Linux Unbeaten", casting the event into a security contest among OSes.
    While I'm very happy to see a free (as in beer and as in speech) software being depicted by media coverage as the best choice (security wise) over two commercial alternatives, I think that Nathan Mc Feters, even as biased toward Microsoft as he sounds recently, offers a rather objective report:

    1. None of the 3 OSes could be violated 1st day, when pure OS security was tested
    2. Mac OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative core
    3. Vista was hacked because, notwithstanding all its security enhancements, ubiquitous 3rd party software can work around them and make a relatively safe OS exploitable

    Now some simple considerations:

    • Safari is a web browser
    • Flash and Java are browser-hosted tecnologies, and they're both cross-platform: in facts, according to Shane Macaulay who won the Vista laptop, the vulnerabilities he found "could affect Linux or Mac OS X" too
    • The browser appears to be the weakest spot in PC security, no matter the OS, while it's probably the single most used application

    Corollary: whatever OS you prefer, never browse the web without NoScript :)

    2 Responses to “Pwn2Own, the Winner is... NoScript!”

    1. #1 Ubuntu resistió… pero que no se nos suban los humos says:

      [...] todos los que nos gusta Gnu/Linux y el Free Software, pero tal como ya comentaron en otro sitio el ganador en realidad es NoScript. Si han leido con detalle las noticias se habrán enterado que los dos fueron derrotados mediante [...]

    2. #2 PWN to OWN Reading « Iqag Notes says:

      [...] Planet Websecurity (links to original blogs): 1, 2 (the real winner? NoScript!), 3 (is a Flash flaw Microsoft’s fault? Would it work [...]

    Bad Behavior has blocked 927 access attempts in the last 7 days.