Linux ignored, not immune, says hacker contest sponsor

People shouldn't read anything into the fact that of the three laptops set up for last week's "PWN To OWN" hack challenge, the only one left standing was running Linux, said the security expert who oversaw the contest.

"There was just no interest in Ubuntu," said Terri Forslof, manager of security response for 3Com's TippingPoint, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."

Just because the laptop -- a Sony running the Ubuntu 7.10 distribution of Linux -- had been untouched doesn't mean that the operating system is any more secure than either Mac OS X or Windows Vista, both which fell to attacks.

"It was actually a lack of interest" on the part of the PWN To OWN contestants, Forslof said. "Shane's [Macauley] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows," she continued.

"Linux, it is what it is. The code is a lot more transparent. But vulnerabilities for Mac and Windows, those are the ones that are going to get the press."

Of the three notebooks, the first to go down was a MacBook Air, which was hacked last Thursday, the second day of the three-day challenge, by Charlie Miller using a zero-day vulnerability in Safari. Friday, Macauley breached a Windows Vista SP1-powered Fujitsu using a flaw in Adobe's Flash.

In both cases, the vulnerabilities were exchanged for cash prizes -- US$10,000 for Miller, half that for Macauley -- and acquired by TippingPoint's bug bounty program, Zero Day Initiative (ZDI). The bugs have been reported to Apple and Adobe Systems, respectively, so that the vulnerabilities can be closed.

By design, PWN To OWN's first day was reserved for exploits of remote code vulnerabilities on the operating systems themselves. No one managed to crack a computer that day. Instead, it wasn't until the notebooks' attack exposure was expanded -- first to any client-side application installed by default with the operating system, then to a larger group of third-party applications added to the machines -- that the MacBook Air and Fujitsu dropped.

"I really wasn't expecting anything that first day," Forslof said. Not only are vulnerabilities meeting PWN To OWN's first day criteria harder to find and harder to exploit, but they're probably worth a lot more than the US$20,000 TippingPoint offered that day, Forslof said. "We're talking about a worm-class issue here," she said.

"What a contest like this does show," Forslof said, "is that vulnerabilities are definitely moving up the stack."

That trend, from attacking the operating system to attacking applications, particularly those installed on desktop clients, has been building for months. The vast majority of vulnerabilities found, and when found then exploited, are now in client-side applications such as Internet Explorer, Microsoft Word, Firefox, Adobe Reader and others.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?