posted by Thom Holwerda on Sun 30th Mar 2008 20:35 UTC
As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up, running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, contestants could only attack the machines over the network, without physical access. On the second day, user interaction came into play (visiting a website, opening an email). On the third and final day, third-party applications were added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all. Update: Roughly Drafted responds.

This of course resulted in the usual flurry of internet attention, and OSNews, too, paid attention to the whole thing. I tried to be as complete as possible in the OSNews blurb, trying hard to fit all the relevant details into the limited space of an OSNews item.

This morning, someone submitted a link to an article on Roughly Drafted, a Mac and Apple website that gets considerable attention, especially on Apple-centric websites. They published an article on the whole PWN to OWN contest, titled "Mac Shot First: 10 Reasons Why CanSecWest Targets Apple". This article is filled with so many factual errors and other forms of misinformation that I felt obliged to add some nuance to the mix.

I will touch on each of the ten reasons, following the original article's order.

1. "Exploits discovered for the Mac have little other value outside of contests like CanSecWest."

This is the only one of the ten reasons which has a solid base in reality, and actually makes sense. Indeed, there is little market (at this point in time) for selling exploits for the Mac, simply because the Apple user base is still too small to be of significant use to malware creators. This is no rocket science; malware creators are after easy profit, and attacking 90% of the market makes more sense than attacking 5% of the market.

However, this does not mean that the exploit used to win the contest is of any less relevance. It is still a security hole, and it needs to be fixed. The details of the exploit have been forwarded to Apple without being made public, allowing Apple to fix the issue. Therefore, this exploit will most likely not affect the real-world security of Mac OS X - but the theoretical security has been severely compromised, which is not something to sneeze at.

2. "The CanSecWest contest clearly appears intent to transfer the security focus belaboring Windows to other platforms."

Here, we see a major case of what I usually refer to as the "black helicopter factor", more commonly known as conspiracy thinking. Roughly Drafted tries to imply that the people behind the CanSecWest conference (or the contest itself) are somehow anti-Apple and pro-Microsoft, but delivers no actual proof that this is really the case. I am not really sure why they detail Microsoft's "Get the facts" debacle, as it is of no relevance at all.

Here, Roughly Drafted also tries to imply that CanSecWest "announced that Macs are less secure than Windows" - which is a curious way of putting things. If you look at the original announcement of the winner, you will see that no such claim is being made. The final wrap-up article on the contest does not make any such claim either. In other words, Roughly Drafted is clearly spreading misinformation to discredit CanSecWest.

3. "The contest prominently focused attention on the brand name of the MacBook Air."

Roughly Drafted claims that only the MacBook Air was mentioned by name, while the other laptops remained unnamed, without any details on what brand they were. According to Roughly Drafted, this would have resulted in "the most sensational headline payload possible". This is, again, a case of misinformation, as the contest's rules page clearly states the brands and models of the laptops used ("VAIO VGN-TZ37CN running Ubuntu 7.10, Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2").

4. "The Mac exploit was something Charlie Miller had in hand when he arrived."

This one baffles me a bit. Of course he had it in hand! This is an irrelevant remark, as the exact same thing went for the people wanting to attack and win the Vista or Ubuntu laptop and their associated sacks of money. This is the whole goal of the contest: to find new and unknown exploits, and deliver them to the relevant companies so they can fix them before they do any real damage - responsible disclosure.

If I partake in a squash match, am I not allowed to practice and study my opponent before taking him or her on?

5. "The researcher who cracked the Vista machine was stymied by the fact that he didn't expect it to have SP1 installed, according to a follow up report by IDG's Robert McMillan."

The first service pack for Windows Vista (that would be SP1) was released into the wild on 18 March of this year. The contest rules clearly state that the laptops would run "the most up to date and patched installations" of the three operating systems. If the researcher who cracked the Vista machine was surprised to see SP1 on the machine, he simply did not read the rules very well, or he simply does not keep up with the news.

Roughly Drafted goes on to say that the Vista laptop "only reflects the state of Vista for users who have elected to install SP1", and not of users throughout 2007. So, where is the cut-off point? Safari 3.1, with a whole batch of security fixes, was released a few days after Vista SP1. Should it have been excluded, since it does not properly reflect the state of Safari in 2007?

This is why the baseline for these types of tests and comparisons is almost always the latest versions, fully updated and fully patched. This creates a level playing field for all the platforms, and everyone participating in the contest knows what to expect.

Table of contents
  1. "Countering misinformation, 1/2"
  2. "Countering misinformation, 2/2"