There Can be Only One: Ubuntu Survives Pwn2Own Hacking Contest

C.S. Magor — Sat, 29 Mar 2008 21:21:36 -0700

Note: Picture is for conceptual purposes only. This is not the PC from the competition, nor is it a PC actually running Ubuntu. Credit: Wired

Pwn2Own is a great opportunity to line up the latest browser incarnations against some of the world's more competent hackers and see how they perform. This year, there were some unsettling results for Mac owners. While Leopard stood up to all of the Day One challenges, on Day Two, with an easing of the restrictions, browsers were open to attack.

A MacBook Pro with a fully patched Leopard went down in Day Two. It was the first machine to fall and dropped due to a browser vulnerability within Safari. Charlie Miller took the MacBook Pro with an exploit that took a mere two minutes to implement.

While the specifics of the Safari exploit are unknown, we do know from it involved a link which opened a port which allowed Miller telnet access. Miller took the $10,000 prize and the machine. Vista took a little longer, it fell on the fourth hour of Day 2.

Shane MaCaulay, who was part of last year's Mac takedown, had the honor. He was hampered by the release of SP1, which he had not prepared for. Four hours later and a workaround gave him control of the Fujitsu U810 laptop through a previously undisclosed Flash vulnerability.

Most notable is the fact that after three days, Ubuntu was left standing. Day Three really opened up the restrictions allowing access through third party applications, regardless of this fact; no one was able to takedown Ubuntu. Is Ubuntu invulnerable? Hardly, I think this has more to do with OSX and Vista being bigger trophies. According to MacAuley, with a few hours tweaking his exploit would work on Linux and OSX.