Flash flaw leads to Vista laptop's fall

It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.

Since it was the third day of the contest, which saw a MacBook Air get hacked on Thursday, the TippingPoint Zero Day Initiative relaxed the rules even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.

But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a previously undiscovered flaw in Adobe's Flash software.

Shane Macaulay, Derek Callaway and Alexander Sotirov were able to gain control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.

The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the nature of the flaw could be disclosed to the vendor. Once Adobe and Apple patch their flaws, the nature of each flaw will be disclosed.

A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.


Talkback 3 comments

    linux still standing Anonymous -- 01/04/08

    Quote: "laptop running Ubuntu (linux) remained unscathed at the end of the conference."

    'nuff said - ubuntu is free and you have numerous organisations throwing God knows how much money away on Windows XP/Vista which, even when "full patched" can still get pwned!

    Install external app == pwnded?? Anonymous -- 01/04/08 (in reply to #320098955)

    Why not install a "popular" virus to start with - how is the lack of security in Quicktime & Adobe attributed to Windows ?!?!

    Takes me back to the iPods shipping a "free windows virus" (http://www.pcworld.com/article/id,127565-c,mp3players/article.html) and how this got labelled as an OS fault.

    As for Ubuntu - guess getting Flash to work was not considered a "popular" process, looks easy enough for any end user though http://ubuntuforums.org/showthread.php?t=636397 ;)
    Ok, maybe not as easy as on Apple/Windows - but if you got Ubuntu installed in the first place.

    Ubuntu also needs patching Anonymous -- 01/04/08

    A 7 day hole exists within 7.10 - the version installed for the contest (http://www.linuxsecurity.com/content/view/135695/), and this would have been sufficient for the "day 2" attack but I assume it was not exploited as it is a "known issue". Given that the Adobe hole is also known I am not sure why the 3rd party install was allowed - perhaps to get this level of press?

    I just hope no "money away" is given to any one-eyed experts who think patching a system alone is enough.
