I'm sure many of you have heard of the PWN to OWN contest... or maybe not. The basic premise is that three laptops running in a default but fully patched configuration, each with a different OS (Mac OS, Vista, Ubuntu), are connected to a network. Hackers then attempt to take over these machines remotely. If they succeed, they keep the laptop and win $10,000 for their efforts.
The rules for the contest are that the attack must use a 0-day exploit (one that is unknown to the general security community and to the software vendors), and it must be used to read a file on the disk. They are a bit light on the details, but one has to assume that the file is readable by the user logged into the machine at the time of the hack. This point becomes very important later in my post.
I spent much of yesterday e-mailing my favorite Mac fanboys and gleefully telling them that the Mac had been hacked first. While none of the laptops could be compromised remotely without user action, the people running the contest allowed for "luring" attacks where users on the laptops were encouraged to open e-mails, visit web sites, etc.
The Mac was brought down by Safari, Apple's web browser, which is the default and most popular web browser on the Mac.
I awoke this morning to find that the Vista machine was next to fall. This was surprising, as I was pretty confident that Vista would survive all the attempts against it... partly because I didn't read the full contest rules. Apparently, popular 3rd party apps were happily installed on the machine.
While I don't have the details of the hack (because they didn't provide them), I have to assume that it was a 3rd party app that allowed the Vista machine to be compromised. Why? Well, because the details given of the hack point all fingers at Firefox.
(UPDATE: This might not be true, see updates at the end of the post.)
Technically, it was Flash that allowed the Vista machine to be compromised. Some unknown exploit in Flash (probably a buffer overflow) allowed the hacker to read the file in question. But wait... IE 7 on Vista has a great feature called Protected Mode. Protected Mode basically boils down to IE running as an extremely low-rights user. If there is a bug in IE, or a bug in a plugin (like Flash) running within IE, it will only have the privileges of that low-rights user. In other words, it can't do basically anything, much less read one of the user's files.
The announcement that the Vista machine was compromised specifically stated that it was a bug in Flash that was exploited. In order for this to be possible, and for it to have taken place while the user was running IE, they must also have had a 0-day privilege elevation exploit for Windows. Since they didn't say that (and I'm sure they would have, if it was the case), we must conclude that Flash was not running in IE.
So what was it running in? Well, the 2nd most popular browser on Windows is Firefox. Firefox has no protected mode, so any exploits in it, or in any of the plugins that it runs, would have the rights of the logged-in user. The fact that it was Firefox is incidental, as it could have been any other browser (aside from IE). Indeed, the fact that it was a browser at all is also incidental. Virtually all applications that a user runs are run with the security privileges of that user. The only exceptions to this are managed frameworks (Java, .NET), and IE 7 on Vista.
So how, exactly, does this say anything about Vista security? In the case of the Mac, it was the default browser (written by Apple) that allowed the compromise. On Vista, it was almost certainly a 3rd party browser that is decidedly less secure than the default browser. The exact same hack could have occurred on any OS in exactly the same way.
Indeed, Protected Mode is unique to IE on Vista. It is a security innovation that does not exist on any other OS or any other browser. Microsoft identified IE as the primary attack vector for Windows, and invented a new security technology to defend against those attacks, even without knowing what they were going to be. It is a huge advantage to Vista... and one that apparently was handicapped, intentionally or not, to allow for Vista to be taken down before Ubuntu.
The goal of this contest was not to see which OS or vendor was more secure. (Although one can comfortably conclude that Apple got its butt handed to it.) So in that sense, the contest was a success. But many people will now conclude that Ubuntu is more secure than Vista, and this conclusion is absolutely not supported by what happened.
Update (3/29/2008 1:20 PM): A commenter on Slashdot suggests that Flash actually subverts Protected Mode by using its own brokering process. This allows the low-rights Flash plugin to make calls to a user-rights service which then performs user-level actions such as writing to files. If this is true, it makes me incredibly mad at Adobe. Instead of playing by the rules, they subverted them, and thereby exposed people to potential danger. If I could uninstall Flash, I would... but thanks to their virtual monopoly on a lot of web content, that's really not an option.
Update (3/29/2008 1:35 PM): The Slashdot commenter helpfully provided me with a blog post by the IE team in which commenters discuss ways to circumvent Protected Mode. One of them is indeed Flash, which uses the aforementioned brokering process. So now we're left with two distinct possibilities: either Firefox or some other non-Protected Mode browser was used, or there is an exploit in the brokering functionality of Flash. I think either is completely plausible. Regardless, I think my points still stand regarding how it's not fair to use this to condemn Vista security.
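As an added illustration (my own constructed model, not code from the post, Microsoft, or Adobe) of the point in the two updates above: a broker that performs user-level actions for a low-rights plugin undoes Protected Mode unless it confines what it relays. The user name, paths and request list below are assumed for the example; paths are modelled in POSIX form so it runs on any OS.

```python
import posixpath
from dataclasses import dataclass

# Constructed model of the arrangement described in the post: a Low-integrity
# plugin cannot touch the user's files itself, so it asks a Medium-integrity
# broker process to act on its behalf. Whether Protected Mode still means
# anything depends entirely on what the broker agrees to do.
USER_HOME = "/Users/alice"                        # assumed for the example
LOW_ROOT = USER_HOME + "/AppData/LocalLow"        # area a Low process may write
USER_FILE = USER_HOME + "/Documents/secret.txt"   # the kind of file the contest targets


@dataclass(frozen=True)
class Request:
    op: str    # "read" or "write"
    path: str


def is_under(path: str, root: str) -> bool:
    """True when path, after collapsing '..' and '.', lies strictly below root."""
    return posixpath.normpath(path).startswith(root.rstrip("/") + "/")


def permissive_broker(req: Request) -> bool:
    """Relays anything the plugin asks, at the user's rights. A bug in the plugin
    therefore has the user's rights, which is what Protected Mode was meant to stop."""
    return True


def constrained_broker(req: Request) -> bool:
    """Relays only what a Low-integrity process could have done on its own:
    reads and writes confined to LOW_ROOT, with traversal collapsed first."""
    if req.op not in ("read", "write"):
        return False
    return is_under(req.path, LOW_ROOT)


# Constructed plugin requests: one legitimate, one aimed at the user's file,
# one trying to reach the same file through '..' traversal.
PLUGIN_REQUESTS = [
    Request("write", LOW_ROOT + "/cache/settings.sol"),
    Request("read", USER_FILE),
    Request("write", LOW_ROOT + "/../../Documents/secret.txt"),
]


def escaped_requests(broker) -> list:
    """Requests the broker would perform even though they leave the Low area."""
    return [r for r in PLUGIN_REQUESTS if broker(r) and not is_under(r.path, LOW_ROOT)]
```

With the permissive broker two of the three requests escape the sandbox; with the constrained broker none do, while the legitimate write still succeeds.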