Robert Downey

PWN to OWN - Mac OS vs Vista vs Ubuntu

by RMD 29. March 2008 12:35

I'm sure many of you have heard of the PWN to OWN contest... or maybe not. The basic premise is that three laptops running in a default but fully patched configuration, each with a different OS (Mac OS, Vista, Ubuntu), are connected to a network. Hackers then attempt to take over these machines remotely. If they succeed, they keep the laptop and win $10,000 for their efforts.

The rules for the contest are that the exploit must take advantage of a 0-day exploit (one that is unknown to the general security community and to the software vendors), and it must be used to read a file on the disk. They are a bit light on the details, but one has to assume that the file is readable by the user logged into the machine at the time of the hack. This point becomes very important later in my post.

Mac OS X

I spent much of yesterday e-mailing my favorite Mac fanboys and gleefully telling them that the Mac had been hacked first. While none of the laptops could be compromised remotely without user action, the people running the contest allowed for "luring" attacks where users on the laptops were encouraged to open e-mails, visit web sites, etc.

The Mac was brought down by Safari, Apple's web browser, which is the default and most popular web browser on the Mac.

Vista

I awoke this morning to find that the Vista machine was next to fall. This was surprising, as I was pretty confident that Vista would survive all the attempts against it... partly because I didn't read the full contest rules. Apparently, popular 3rd party apps were happily installed on the machine.

While I don't have the details of the hack (because they didn't provide them), I have to assume that it was a 3rd party app that allowed the Vista machine to be compromised. Why? Well, because the details given of the hack point all fingers at Firefox.
(UPDATE: This might not be true, see updates at the end of the post.)

IE

Technically, it was Flash that allowed the Vista machine to be compromised. Some unknown exploit in Flash (probably a buffer overflow) allowed the hacker to read the file in question. But wait... IE 7 on Vista has a great feature called Protected Mode. Protected Mode basically boils down to IE running as an extremely low-rights user. If there is a bug in IE, or a bug in a plugin (like Flash) running within IE, it will only have the privileges of that low-rights user. In other words, it basically can't do anything, much less read one of the user's files.

The announcement that the Vista machine was compromised specifically stated that it was a bug in Flash that was exploited. In order for this to be possible, and for it to have taken place while the user was running IE, they must also have had a 0-day privilege elevation exploit for Windows. Since they didn't say that (and I'm sure they would have, if it was the case), we must conclude that Flash was not running in IE.

Firefox

So what was it running in? Well, the 2nd most popular browser on Windows is Firefox. Firefox has no protected mode, so any exploits in it, or in any of the plugins that it runs, would have the rights of the logged-in user. The fact that it was Firefox is incidental, as it could have been any other browser (aside from IE). Indeed, the fact it was a browser at all is also incidental. Virtually all applications that a user runs are run with the security privileges of that user. The only exceptions to this are managed frameworks (Java, .NET), and IE 7 on Vista.

So how, exactly, does this say anything about Vista security? In the case of the Mac, it was the default browser (written by Apple) that allowed the compromise. On Vista, it was almost certainly a 3rd party browser that is decidedly less secure than the default browser. The exact same hack could have occurred on any OS in exactly the same way.

Ubuntu

Indeed, Protected Mode is unique to IE on Vista. It is a security innovation that does not exist on any other OS or any other browser. Microsoft identified IE as the primary attack vector for Windows, and invented a new security technology to defend against those attacks, even without knowing what they were going to be. It is a huge advantage to Vista... and one that apparently was handicapped, intentionally or not, to allow for Vista to be taken down before Ubuntu.

The goal of this contest was not to see which OS or vendor was more secure. (Although one can comfortably conclude that Apple got its butt handed to it.) So in that sense, the contest was a success. But many people will now conclude that Ubuntu is more secure than Vista, and this conclusion is absolutely not supported by what happened.

Update (3/29/2008 1:20 PM): A commenter on Slashdot suggests that Flash actually subverts Protected Mode by using its own brokering process. This allows the low-rights Flash plugin to make calls to a user-rights service which then performs user-level actions such as writing to files. If this is true, it makes me incredibly mad at Adobe. Instead of playing by the rules, they subverted them, and thereby exposed people to potential danger. If I could uninstall Flash, I would... but thanks to their virtual monopoly on a lot of web content, that's really not an option.

Update (3/29/2008 1:35 PM): The Slashdot commenter helpfully provided me with a blog post by the IE team in which commenters discuss ways to circumvent Protected Mode. One of them is indeed Flash, which uses the aforementioned brokering process. So now we're left with two distinct possibilities: either Firefox or some other non-Protected Mode browser was used, or there is an exploit in the brokering functionality of Flash. I think either is completely plausible. Regardless, I think my points still stand regarding how it's not fair to use this to condemn Vista security.


General Computing

The Safest Way to Browse the Web: Firefox vs Internet Explorer

by RMD 1. December 2007 21:51

A little more than a year ago I made a prediction that I'm sure many people called crazy. I predicted that Firefox would, slowly but surely, become a less safe way to browse the web than Internet Explorer.

Well, it appears that my prediction may have been correct. According to an analysis by Microsoft's Jeff Jones, the number of vulnerabilities in Firefox was more than double those discovered in Internet Explorer.

Not only that, but the vulnerabilities that were discovered were, in general, worse for Firefox than they were for IE. In other words, there were a greater number of "critical" vulnerabilities in Firefox than in IE, as well as a greater number of "important" vulnerabilities.

I know many of you are immediately dismissing this analysis because it came from a Microsoft employee, but the report is based off public data. It's really just an aggregation of information that was published by non-Microsoft sources. Plus, many of you would dismiss it almost regardless of where it came from.

You're probably also thinking that Microsoft is hiding vulnerabilities from the public or patching them silently, a tactic that would be almost impossible for the open source Firefox. But you would be making unsupported assertions that I've already addressed.

Now, I can't really say that my prediction has come true. I actually predicted the attacks on Firefox would increase as IE7 on Vista started to gain market share. IE7 on Vista has indeed started to gain market share, and at the same time we've been seeing a dramatic increase in the number of exploits discovered in Firefox. This, of course, doesn't show a causal relationship.

While Firefox's market share gains have basically stopped, it does hold a solid 10%+. This means that security researchers are more interested in it, and therefore will look at it more closely. This could explain the huge increase in discovered vulnerabilities.

Regardless, it seems clear now that Firefox is not as secure as everybody thought. It is now a viable and almost certainly popular attack vector for bad guys.

IE7 on Vista, meanwhile, has not had a single remotely exploitable hole that could cause a security breach. There has been at least one DoS attack (crashed the browser), but nobody has defeated Protected Mode yet. IE7 on Vista has been on the market for over a year now, and it hasn't been cracked.

I'd say that's pretty damn strong evidence that the safest way to browse the web is no longer Firefox.


General Computing

How IE7 on Vista will Make Firefox Less Secure

by RMD 10. October 2006 15:03

I have a prediction.

I predict that when IE 7 on Vista starts to take significant market share (say, 30% or so), you'll start to see the attacks on Firefox increase dramatically. In other words, Firefox will become more and more dangerous to use as IE 7 on Vista gains market share.

I use Firefox because of what basically amounts to security through obscurity. Many people claim that Firefox is simply written better than IE and that is why it seems to have fewer security related incidents.

Indeed, Firefox at least seems to be more secure, having only 36 security related issues discovered since 2003, many of which were not particularly critical. (Versus a whopping 106 vulnerabilities for IE 6.x, many of which were critical.)

But that doesn't really tell you the whole story. The fact of the matter is that Internet Explorer is the best way to attack the largest number of computers. It's the single biggest attack vector into a Windows machine. The bad guys who want to install malware on the largest number of computers possible are going to target the OS with the most users (Windows) and the browser of choice for those users is still overwhelmingly IE 6.

It has long been my opinion that the more popular and widely used a piece of software, the more people are going to attack it for both glory and monetary gain. But every once in a while a technology will emerge that will essentially remove a particular attack vector from being feasible.

When Microsoft released XP SP2, the changes it made to ActiveX installation were enough, for the most part, to remove an entire genre of social engineering attacks by forcing the user to do just a few extra steps to install an ActiveX control. Of course this had little effect on the spread of malware. Malware distributors just started using buffer overflows and other types of exploits to install their software.

But IE 7 on Vista is different. For the first time a browser will run all the time with privileges far below those of the current user. It's called Protected Mode IE. IE will not even have the ability to write to places that the current user can write to, such as the desktop or My Documents folder. Instead, any actions which require elevated privileges will have to be done through something like the Service Broker. The Service Broker is a small (only a few thousand lines of code) application that runs with the privileges of the logged-in user and takes "requests" from IE to do things like save files to the desktop.

The result is that you really only have to audit a small piece of code to guarantee that IE 7 can't do anything bad, regardless of the vulnerability in question. Buffer overflows won't have any effect on the user because even with that overflow, IE 7 doesn't have permissions to do anything bad.
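To make the broker idea concrete (and to show why the Flash brokering process discussed in the PWN to OWN post above matters), here is an added example, not IE's real Service Broker and not from this blog: a hypothetical user-rights broker that exposes a single "save file" request to a low-rights process and enforces the policy itself, so a renderer that is fully compromised still cannot pick where the write lands. The directory layout and file names in `demo()` are constructed for the example. A broker that simply performs whatever the plugin asks hands the user's privileges straight back to the sandboxed code, which is exactly the concern raised in the update.

```python
import tempfile
from pathlib import Path

class BrokerDenied(Exception):
    """Raised when the broker refuses a request from the low-rights process."""

class SaveFileBroker:
    """Hypothetical user-rights broker (not IE's real Service Broker): the
    low-rights renderer asks it to save files; the broker alone decides where."""

    def __init__(self, allowed_roots):
        self.allowed_roots = [Path(r).resolve() for r in allowed_roots]

    def _authorize(self, requested):
        target = Path(requested)
        if not target.is_absolute() or target.name in ("", ".", ".."):
            raise BrokerDenied(f"malformed request: {requested}")
        try:
            # Canonicalise the directory so '..' and symlinked dirs cannot fake a root.
            resolved = target.parent.resolve(strict=True) / target.name
        except (FileNotFoundError, RuntimeError) as exc:
            raise BrokerDenied(f"unresolvable directory: {exc}") from None
        if not any(root in resolved.parents for root in self.allowed_roots):
            raise BrokerDenied(f"{resolved} is outside the allowed roots")
        if resolved.exists() or resolved.is_symlink():
            raise BrokerDenied(f"refusing to overwrite {resolved}")
        return resolved

    def save_file(self, requested, data):
        # The only operation exposed to the low-rights side.
        resolved = self._authorize(requested)
        with open(resolved, "xb") as fh:  # 'x': fail if it appeared meanwhile
            fh.write(data)
        return resolved

def demo():
    """Constructed layout: a fake profile with a Desktop and a private file."""
    home = Path(tempfile.mkdtemp())
    (home / "Desktop").mkdir()
    (home / "secret.txt").write_text("not for the renderer")
    broker = SaveFileBroker([home / "Desktop"])
    results = {"desktop": broker.save_file(home / "Desktop" / "dl.txt", b"ok").exists()}
    for name, path in {"traversal": home / "Desktop" / ".." / "secret.txt",
                       "outside": home / "other.txt"}.items():
        try:
            broker.save_file(path, b"x")
            results[name] = "allowed"
        except BrokerDenied:
            results[name] = "denied"
    return results
```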

This technique has already proven itself successful. Despite the fact that a recent vulnerability in the VML rendering engine was present in IE 7, a vulnerability that was completely unknown to the IE 7 team, it had no effect on users running IE 7 on Vista thanks to Protected Mode.

But once the malware distributors see a decline in their successful installations due to Protected Mode IE 7, they will want to make it up somehow. The obvious choice is to attack the guy who has 2nd place in the market share battle. Guess who that is.

So while dramatically improving Windows security by removing the primary attack vector, Microsoft will have made Firefox far more dangerous a browser to use.

Just my opinion. Only time will tell if I'm right.


General Computing