After three days of attacks by leading hackers, a laptop running Ubuntu remained untouched while two others, running Mac OS X and Windows Vista Service Pack 1, succumbed.
The attacks were launched at the CanSecWest PWN 2 OWN contest in Vancouver, Canada.
This was sponsored by security firm TippingPoint, a division of 3Com, and held March 26-28, under its Zero Day Initiative (ZDI).
ZDI is a program for rewarding security researchers for responsibly disclosing vulnerabilities.
The Gory Details
The three machines being attacked were a MacBook Air running the current version of Mac OS X, 10.5.2; a Fujitsu U810 notebook running Windows Vista Ultimate SP1; and a Sony Vaio VGN-TZ37CN running Ubuntu 7.10.
All three had the latest security patches installed.
The good news is that all three were not vulnerable to attacks over the networks on the operating systems themselves, which was what the hackers were restricted to on the first day of the contest.
The second day saw a change in the rules, with the scope of attacks widened. The hackers were allowed to attack standard default installed client-side applications such as browsers; or to trick users into opening e-mails with links leading to malware or that included malware; or to trick users into visiting Web sites either including malware or with links that led to malware.
The judges decided which installed client-side applications were standard default items.
The MacBook Air went down within minutes while the Fujitsu running Windows Vista survived into the last day before succumbing.
Charlie Miller, Jake Honoroff and Mark Daniel from Independent Security Evaluators compromised the MacBook Air by sending it to a Web site on which they had installed an exploit that took advantage of a new zero-day vulnerability in the Safari Web browser.
Shane Macaulay, Derek Callaway and Alexander Sotirov of Security Objectives compromised Windows Vista by exploiting a previously unknown flaw in the latest version of Adobe Flash.
Both Apple and Adobe have been informed of the vulnerabilities discovered.
The Back Story
Miller, who formerly worked at the National Security Agency, was one of the first people to hack the iPhone last year. He has previously criticized Apple for being slow to update the open source components in its operating system, after discovering one critical vulnerability that had been integrated into Safari although it had already been patched in WebKit, the open source code behind the Safari engine.
He said he decided to attack the Mac because he thought it would be the easiest of the three.
His opinion may be justified: two IBM researchers told a Black Hat hackers convention in Amsterdam, the Netherlands, that Mac OS X has far more unpatched vulnerabilities than Windows Vista, and that Apple was not very cooperative with security experts who told it about flaws in its operating system.
Last year, the contest’s winner took the prize by exploiting a vulnerability in Apple’s QuickTime.
The Howls of the Faithful
Apple users are in an uproar over the news of how easily OS X security was breached.
Roughly Drafted, a Mac and Apple Web site, contends that the exploits have little value outside of competitions like CanSecWest and that CanSecWest aims at redirecting the focus on security issues from Windows to other platforms.
In a white paper, Stefan Frei, Bernhard Tellenbach and Bernhard Plattner at the Computer Engineering and Networks Laboratory of the Swiss Federal Institute of Technology say that their data “does not support the common belief that software from Apple is inherently more secure than software from Microsoft.”
They say that, while the average number of unpatched vulnerabilities has stabilized for Microsoft, “Apple has bypassed Microsoft and shows an increasing trend.”
A community-developed, Linux-based operating system, Ubuntu was launched in October 2004 and includes a Web browser, presentation, document and spreadsheet software, instant messaging and other features.
It was created as a fork of the Debian GNU/Linux project. A new version of Ubuntu is released every six months and Ubuntu releases always include the most recent GNOME release.
GNOME is an international effort to build a complete desktop environment, including the graphical user interface, from free software. It is part of the GNU Project, GNU being an operating system built from free software. GNOME can be used with various Unix-like operating systems, including Linux.
Ubuntu is sponsored by Canonical, which is owned by South African entrepreneur Mark Shuttleworth.
Reactions to the Test
“Tests of this nature are sensational, but not necessarily indicative of the threat seen in an organization’s environment,” Dan Kusnetzky, principal analyst at The Kusnetzky Group, told LinuxInsider. “They might be thought of as a worst-case scenario rather than what might have been seen in an organization’s own data center.”
Nonetheless, Ubuntu “acquitted itself very well in the tests,” and is used in production in leading edge environments, Kusnetzky said. When you factor in support, the availability of trained personnel, database and application software, “Ubuntu fares as well as Red Hat or SUSE Linux,” he added.
Canonical was not surprised that Ubuntu withstood the hackers. “We do a lot of rigorous testing for security,” the firm’s Gerry Carr told LinuxInsider. “All applications shipped are thoroughly tested by our security team before they are included.”