Flash flaw leads to Vista laptop's fall

It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.

Since it was the third day of the contest, which saw a MacBook Air get hacked on Thursday, the TippingPoint Zero Day Initiative relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.

But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.

Shane Macaulay, Derek Callaway and Alexander Sotirov were able to gain control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.

The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the nature of the flaw could be disclosed to the vendor. Once Adobe and Apple patch their flaws, the nature of each flaw will be disclosed.

A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.

Talkback 3 comments

  1. linux still standing Anonymous -- 01/04/08

    Quote: "laptop running Ubuntu (linux) remained unscathed at the end of the conference."

    'nuff said - ubuntu is free and you have numerous organisations throwing God knows how much money away on Windows XP/Vista which, even when "full patched" can still get pwned!

    1. Install external app == pwnded?? Anonymous -- 01/04/08

      Why not install a "popular" virus to start with - how is the lack of security in Quicktime & Adobe attributed to Windows ?!?!

      Takes me back to the iPods shipping a "free windows virus" (http://www.pcworld.com/article/id,127565-c,mp3players/article.html) and how this got labelled as an OS fault.

      As for ubuntu - guess getting flash to work was not considered a "popular" process, looks easy enough for any end user though http://ubuntuforums.org/showthread.php?t=636397 ;)
      Ok, maybe not as easy as on Apple/Windows - but if you got ubuntu installed in the first place.

  2. Ubuntu also needs patching Anonymous -- 01/04/08

    A 7 day hole exists within 7.10 - the version installed for the contest (http://www.linuxsecurity.com/content/view/135695/), and this would have been sufficient for the "day 2" attack but I assume it was not exploited as it is a "known issue". Given that the adobe hole is also known I am not sure why the 3rd party install was allowed - perhaps to get this level of press?

    I just hope no "money away" is given to any one eyed experts who think patching a system alone is enough.
