Vista falls in Pwn2Own contest's final day to a flaw in Adobe Flash

Update 3/29/2008: Just to clarify in case it wasn't clear, this is a flaw in an Adobe product, Adobe Flash, and not in a Microsoft product or in the Windows Vista operating system. This is important to note, as it's not quite as glamorous as the flaw that took down the brand new, fully patched MacBook Air, which just so happened to be a flaw in Safari. I'm still waiting for details on this, just like everyone else, but I would suspect that this is another product that doesn't or can't take advantage of the ASLR and/or DEP protections that Vista has built in. These are opt-in protections, as I mentioned in a previous article.

On the final day of the Pwn2Own contest, the Vista machine has fallen to a group of hackers including Shane Macaulay from Security Objectives, Derek Callaway (also from Security Objectives) and Alexander Sotirov (see JavaScript Heap Feng Shui). From the ZDI site:

7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue. Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability. You will be able to track the vulnerability on the Zero Day Initiative upcoming advisories page.

Congrats to all of the winners!

-Nate
