I'll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven't gotten around to it.

Before I do that, though, let's talk about the "Pwn To Own" contest, which turned out to be interesting. Here's the premise. Dragos purchased two MacBook laptops and challenged the conference attendees to hack them, with the prize being, naturally, the laptops themselves. The 15" MacBook could be claimed by compromising an unprivileged user while the 17" edition would require root compromise. An unexpected development was that TippingPoint decided to sweeten the pot, adding a $10K cash bonus to the reward.

The contest officially started around noon PST on Thursday, with the caveat that if nobody had hacked them within the first 24 hours, they would be configured to periodically scrape web pages, thereby increasing the attack surface to include client-side attacks. Of course, both MacBooks had all the relevant security patches applied, including about 20+ updates that Apple (coincidentally?) released Thursday morning.

Friday noon rolled around and they still hadn't been claimed, so as promised, Dragos and crew set up an e-mail address to which people could send URLs that would be visited from the target machines using Safari. Well, I don't know exactly what time the compromise happened, but a couple hours later I ran into Shane Macaulay who told me he'd already won the MacBook, with some help from Dino Dai Zovi. When I asked him what the vuln was, all he'd say is that it was a Safari client-side attack, and said to ask Dino for more details.

The exact details aren't public yet, but your best bet is to refresh Matasano's blog entry or TippingPoint's ZDI Upcoming Advisories page. In the meantime, word on the street is that if you're using a Mac, you should disable Java -- oh, and by the way, this affects Firefox as well as Safari. In other words, sounds like a Java Runtime vuln as opposed to a browser issue. Here's the best part: This wasn't a zero-day that Dino had been sitting on, waiting for the right moment to release. Nope, he discovered the vulnerability and wrote the exploit the night before. In the Matasano blog comments, he claims he got lucky, but having worked with Dino in the past, I think he's just being modest.

Now Microsoft has had plenty of high-profile security breaches, no hiding from that. But what are the chances that someone could have discovered and reliably exploited a 0day in Vista (or even XP or Server 2003), start to finish, in a single evening?

Meanwhile, if you'd like to read some more well-informed and passionate diatribes on Mac punditry, I'll point you to our friends over at Matasano, who take delight in exposing the bloggers and journalists who treat OSX as the panacea of secure computing. Smart writing, and entertaining to boot!

[Update: Windows users, if you have QuickTime installed, uninstall it, or disable Java. Thanks a lot Apple!]

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (0)

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.