Vista, Mac Hacked in Pwn2Own Contest

This year CanSecWest, an annual security conference held in Vancouver, Canada, sponsored a security contest called "Pwn2Own" (pronounced p-own to own). The targets for this year's security specialists were three fully patched systems that included:

• A Sony Vaio VGN-TZ37CN running Ubuntu 7.10
• A Fujitsu U810 running Microsoft's Vista Ultimate with Service Pack 1 installed
• A fully patched and updated version of Mac's OSX running on a new MacBook Air.

A successful attack on any of the three came with a cash prize and the successful team got to keep the hacked machine.

The difficulty of the challenge changed over the course of the three day contest. On the first day the contestants were allowed to attack only the default installation of the operating system over a network. Starting on the second day of the contest the competitors were allowed to make attacks on the target systems by exploiting vulnerabilities in Internet browsers and email. The third and final day of the contest the competitors were allowed to make attacks on the target systems through any popular third-party application.

None of the competitors were able to successfully attack any of the three target systems on the first day. Indeed, according this article on The Register, none of the hackers even attempted to assault the systems on day one.

Of interest to the general Internet and computing community is that the first system to fall was the MacBook, which was running a fully patched version of the latest release of OS X (Leopard). Contestant Charlie Miller was able to bring down Apple's entry to the Pwn2Own contest in two minutes by exploiting a vulnerability in the Safari web browser. Miller took home both the MacBook Air and a $10,000 cash prize.

The target machine running Vista was the next machine to fall. It came down on the third day of the contest when Shane MaCaulay exploited a vulnerability in Adobe's Flash. No one was able to make a successful attack on the target machine running Ubuntu. MaCaulay went home with the Vaio and a cash prize of $5,000.

Does this mean that Mac, and more specifically Safari, is actually the most vulnerable machine out there? Does it mean that Linux, and specifically Ubuntu, is actually the most secure operating system? No, on both counts. It is important to remember that tests such as this are a necessary part of uncovering potentially threatening vulnerabilities. It is also important to note that malware threats such as those used by the competitors are commonplace on the Internet. No system, regardless of operating system, is invulnerable to attack. The best way to protect your sensitive information is to practice common sense in your browsing and email habits, and to keep your anti-virus and anti-spy programs up to date. Back up your data often and avoid opening email messages if you're uncertain of the source. These few simple tactics will help prevent your system from falling to malicious hackers.