
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


The Truth is, Everyone is a Target

It has been a common refrain of Information Security professionals that security by obscurity is no security at all, and that when a technology or platform becomes popular enough through use it will also come under increased focus of attackers. The underlying premise is that most technology is more or less vulnerable to the same extent. This is a fairly reasonable assumption to make, given that developers aren't trained in isolation from each other, the industry works towards certain sets of commonly accepted practices, and developers are human and make mistakes just like anyone else.

Following the competition to compromise an OS X system at the 2007 CanSecWest conference (the PWN 2 OWN competition that saw $10,000 given to a participant who used a client-side QuickTime flaw to bind a remote shell), this year's competition was slightly different. Three systems (a fully patched Vista laptop, a fully patched MacBook Air, and a fully patched Ubuntu 7.10 laptop) were set up, and attendees were invited to compromise any of them over a local wired connection (wireless compromises would be tested offsite). The first day, when $20,000 per system was on offer to anyone who could compromise a base system with no additional user applications running, saw no result. Once user-space applications (browsers, mail applications, IM clients) were introduced, there was a winner: day 2 covered user-space applications supplied with the system, while day 3 covered some common third-party applications. When the MacBook Air was compromised on the second day, the successful attack team gained $10,000 and the target laptop, and on the final day a team successfully compromised the Vista laptop through Adobe Flash (winning the laptop and $5,000).

While the ethics of selling vulnerabilities is an old argument (at least in this instance it appears that the vulnerabilities were immediately handed to the affected vendors), what the competition shows is that the base systems of the three main desktop operating systems are actually quite secure against arbitrary attack. This is an incredible improvement over systems like Windows XP (especially pre-SP2), where a user's system was likely to be compromised before they could download and install all patches and updates from their vendor. That the successful attacks against the laptops came from vulnerabilities in Safari and Flash isn't all that surprising. There are a number of unacknowledged vulnerabilities that exist for both products, and with their recent patching history there are several places within their codebases where a critical vulnerability is more likely to reside. It will be interesting to see whether both vulnerabilities are cross-platform and whether the Safari vulnerability is actually a vulnerability in core system elements (such as image or media processing). At least two other Flash 0-day vulnerabilities have been hinted at by another researcher, though it may be some time before those vulnerabilities are made public.

29 March 2008
