I'll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven't gotten around to it.
Before I do that, though, let's talk about the "Pwn To Own" contest, which turned out to be interesting. Here's the premise. Dragos purchased two MacBook laptops and challenged the conference attendees to hack them, with the prize being, naturally, the laptops themselves. The 15" MacBook could be claimed by compromising an unprivileged user while the 17" edition would require root compromise. An unexpected development was that TippingPoint decided to sweeten the pot, adding a $10K cash bonus to the reward.
The contest officially started around noon PST on Thursday, with the twist that if nobody had hacked them within the first 24 hours, they would be configured to periodically scrape web pages, thereby increasing the attack surface to include client-side attacks. Of course, both MacBooks had all the relevant security patches applied, including some twenty-odd updates that Apple (coincidentally?) released Thursday morning.
Friday noon rolled around and they still hadn't been claimed, so as promised, Dragos and crew set up an e-mail address to which people could send URLs that would be visited from the target machines using Safari. Well, I don't know exactly what time the compromise happened, but a couple of hours later I ran into Shane Macaulay, who told me he'd already won the MacBook, with some help from Dino Dai Zovi. When I asked him what the vuln was, all he'd say was that it was a Safari client-side attack, and he told me to ask Dino for more details.
The exact details aren't public yet, but your best bet is to refresh Matasano's blog entry or TippingPoint's ZDI Upcoming Advisories page. In the meantime, word on the street is that if you're using a Mac, you should disable Java -- oh, and by the way, this affects Firefox as well as Safari. In other words, sounds like a Java Runtime vuln as opposed to a browser issue. Here's the best part: This wasn't a zero-day that Dino had been sitting on, waiting for the right moment to release. Nope, he discovered the vulnerability and wrote the exploit the night before. In the Matasano blog comments, he claims he got lucky, but having worked with Dino in the past, I think he's just being modest.
Now Microsoft has had plenty of high-profile security breaches, no hiding from that. But what are the chances that someone could have discovered and reliably exploited a 0day in Vista (or even XP or Server 2003), start to finish, in a single evening?
Meanwhile, if you'd like to read some more well-informed and passionate diatribes on Mac punditry, I'll point you to our friends over at Matasano, who take delight in exposing the bloggers and journalists who treat OSX as the panacea of secure computing. Smart writing, and entertaining to boot!
[Update: Windows users, if you have QuickTime installed, uninstall it, or disable Java. Thanks a lot Apple!]