Threaded Mode | Linear Mode

S7* · 29/03/2008 09:41 AM

Quote:The third and final day of the PWN to OWN contest at the CanSecWest security conference begins today, March 28th at 12:30pm local time (PST) in Vancouver.  Yesterday, on day two of the contest, the MacBook Air was successfully compromised first and won by a team from Independent Security Evaluators, also winning $10,000 from us (the Zero Day Initiative).

As of today, since the Vista and Ubuntu laptops are still standing unscathed, wee are now opening up the scope beyond just default installed applications on those laptops; any popular 3rd party application (as deemed "popular" by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise.  For a refresher on the full rules and cash prizes, check out the PWN to OWN contest guidelines.

2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned...

7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue.  Until Adobe releases a patch for this issue, neither wee nor the contestants will be giving out any additional information about the vulnerability.  You will be able to track the vulnerability on the Zero Day Initiative upcoming advisories page.

tl;dr: Vista got Pwnt, Ubuntu last left standing hence victorious. Adobe Flash vulnerability was responsible.

Sauce: http://dvlabs.tippingpoint.com/blog/2008...nd-wrap-up

I lol'd. Ahaa

Hellgiver · 29/03/2008 09:45 AM

Was that the same contest in which the dude hacked Air in 2 minutes? I remember he got 10k there, so I thought it might be the same one.

S7* · 29/03/2008 09:55 AM

Hellgiver Wrote:Was that the same contest in which the dude hacked Air in 2 minutes? I remember he got 10k there, so I thought it might be the same one.

Yeas its the same one :P

Hellgiver · 29/03/2008 10:00 AM

I'd really enjoy to watch that actually.

u_c_taker · 29/03/2008 10:41 AM

wow a mac got hacked faster than vista
oh well i guess ms have improved security

Hellgiver · 29/03/2008 10:44 AM

u_c_taker Wrote:wow a mac got hacked faster than vista
oh well i guess ms have improved security

Well, to be fair, he had the code already on his site, which he went straight to via safari. The rules states you could only use out of the box programs from the start... and well...

Quote:Boston (dbTechno) - Security researchers have managed to team together to win $10,000. They won the prize after they hacked into the MacBook Air in just two minutes.

It is believed that they hacked the MacBook Air using a vulnerability found in the Safari Web browser.

The team is known as the Independent Security Evaluators, and is made up of Charlie Miller, Jake Honoroff, and Mark Daniel.

They took part in the Pwn to Own contest put on by TippingPoint.

To win the contest, they hacked into, and gained full control of the MacBook Air in mere seconds.

The event was put on in Vancouver, Canada to check how the MacBook Air performed against other PCs running Windows Vista, as well as Ubuntu.

The first machine was the VAIO VGN-TZ37CN running Ubuntu 7.0. There was also the MacBook Air running OSX 10.5.2 and a Fujitsu U810 running Windows Vista Ultimate SP1.

The hackers managed to have a code already set up ona Web site. They were then able to hack into the MacBook Air by tricking the judges to visit the site.

This is believed to be a newly discovered and major vulnerability in the Safari Web browser. The vulnerability has been reported to Apple who is now working on the problem.

http://www.dbtechno.com/computers/2008/0...0-seconds/

ZiNgA BuRgA · 29/03/2008 07:22 PM

Can't really say it's Vista's fault, as it's really Adobe's.

But Flash has always had its run of security holes - I don't really trust Flash :P

S7* · 30/03/2008 02:28 AM

ZiNgA BuRgA Wrote:Can't really say it's Vista's fault, as it's really Adobe's.

But Flash has always had its run of security holes - I don't really trust Flash :P

You can't really say that.

Its the difference about how far Flash can get into a System - and a full Admin Account on Vista is bound to get exploited.

I doubt a Flash Exploit on Linux would be as effective.

Threaded Mode \| Linear Mode PWN to OWN: Final Day (and another winner!)
Author	Message