Pwn2Own: What OS really won?

Pwn2Own: What OS really won?

Summary: Apple had a rough security week. Vista was hacked.


Apple had a rough security week. Vista was hacked. And Linux is unhackable. Those takeaways appear to be the consensus view following the Pwn2Own contest but it's not that simple.

Under the contest rules, organizers offered the Sony Vaio (Ubuntu 7.10), Fujitsu U810 (Vista Ultimate), and the MacBook (OS X 10.5.2) as prizes. Sure, the MacBook fell first at the Pwn2Own contest at CanSecWest last week. And yes, the MacBook was fully patched and still fell. But the odds were strong that the MacBook would have been the first to fall no matter what Apple did.


Glory. Taking down a MacBook gets the headlines. It's sexy. It's a blogger's dream. The more prominent Apple becomes the more hackers want to attack it. Simply put, security by obscurity isn't an option for Apple anymore. Why wouldn't hackers target the MacBook first? 

Based on that aforementioned theory MacBook's fate was sealed.

I reckon that Vista actually had a good week at the Pwn2Own contest. As Nate dutifully noted Vista was hacked, but the rules had to be tweaked and hackers used an Adobe flaw to take the Vista laptop. I'd count that as a moral victory for Microsoft. What's a hacking contest without a Vista hack?

And that brings me to the Ubuntu laptop. Linux made it out of Pwn2Own unscathed. Does that mean that Ubuntu is unhackable? Not quite. It just means that hackers didn't see the glory in taking down Ubuntu, which is a small sliver of the desktop OS market. Rest assured, if Pwn2Own ran another day Ubuntu would have stumbled too.

When you see Ubuntu hacked repeatedly you know the Linux OS has hit the big leagues. Vulnerabilities follow success.

Topics: Laptops, Apple, Software, Security, Operating Systems, Open Source, Mobility, Microsoft, Hardware, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • They all lost!

    In my opinion, the Flash flaw would've been able to compromise any of the OS's, so I would say they all lost. BUT, if I had to go on who lost the most, I'd go as follows:

    1.) Mac OS X - A flaw in Safari led to this compromise, that's a default running application, and it's built by Apple... so no one to blame but themselves.

    2.) Vista - The Vista machine was pwned, that's the cut and dry of it, it was the one that went home in someone's laptop bag, so it barely gets the edge in my book over *Nix.

    3.) *Nix - Word on the street is, it could've been pwned, but the rules state a cross-platform flaw can only be used once, so it skated by on a technicality.

    Honorable Mention: Sun and Adobe

    4.) Adobe for having the code flaw to begin with. We don't know what it is yet, but it's likely some form of stack overflow... seems like the common theme, especially considering Sotirov had to use Ninja skills and Java to get it to be exploitable (which means he needed to use Java to bypass DEP).

    5.) Sun for still not getting JVM to work with DEP. I know it's hard, I completely understand that, but still... this is a very serious flaw and we really need DEP protection.

    • Well said - thank!

      OK, so someone is knowledgeable here. Thanks for that, now let's go home and wait for another day of bashing the paid for OSs. I sometimes wonder what it is about being a minority crusader that makes it so attractive to idiots. If evolution would just help us out faster... OK, so there it is, go dudes, have fun!
    • not really

      Under Ubuntu 7.10, in order to install Flash, you need to 1) add proprietary repositories (you get a fat warning that says these are not maintained and represent a security risk), then 2) still choose Flash instead of Gnash when Firefox asks you about a missing plugin, before with 3) break through userspace to kernel space.
      So: had it been used against the Ubuntu laptop, the Flash vulnerability wouldn't have cut it, while on Vista Flash is provided on the install CD, and Mac OS was hacked fast enough not to need it (it may not have worked, either: under Windows Flash is an ActiveX control with system access, under *nix systems it's a userspace library).
      Let's be frank, the crackers went against the nice looking, expensive, easy to crack laptop first, then against the slow but expensive Vista laptop with obvious target areas, and didn't bother with cheap yet much harder to break Ubuntu laptop.

      Even then, Ubuntu isn't the most secure desktop Linux distribution out there; what about all those other distros using SELinux or AppArmor?
      Mitch 74
      • You make me laugh....

        Vista does not come with flash installed. That's why it didn't fall on the first day, nor the second. They had to wait to open up third party software (aka flash) to get it. Vista comes with no internet browser, no flash, no network, etc. Vista by itself is, quite literally, impossible to hack from a distance. When users install the extras, aka IE, flash, the Vista network stuff and all, then it's POSSIBLE it becomes hackable. You get several prompts on installing flash, including an EXE prompt and an install prompt.
        Also, in my experience, my Vista partition is much more useful than my Ubuntu partition. What purpose is there for a desktop Linux? I can't think of one beyond that it's free, and you can get a tiny version of Linux to use on old computers.

        In short: Flash installed on Ubuntu and on Vista would allow both to get hacked. Game over. Good day.
        Vista wasn't hacked, nor was the Linux. That is a win for Microsoft.
        • *blinks* IE is not in Vista?

          Ok so, No Flash, No browser, No... bother in using such a crippled and utterly unseen PC in the market place.

          WinPCs have, by far.. and you need no research numbers or "Show Me!" spouting to say this... by FAR more additional 3rd party software on them than any OS. Particularly out-of-date and unnecessary addons, including 'browser toolbars'.

          I have yet to come across a Windows PC without flash in normal use that isn't a backend server or ancient corner accounting unit. Actually, I have thankfully come across few Vista units in recent days, and funny enough, every one had some major issue with compatibility, such as the recent Dell unit which refused to see the Dell internet device, so the poor girl using it had a useless PC sitting there for weeks.

          Vista is no "win" for Microsoft. I -do- hope it gets better, though. Why? Because I need to fix the damnable things and it's hard to maintain buggy piles of crap. As for Apple... lets all jump on the bandwagon of "Haha" I suppose... while the same exact flaw affected -all- platforms.
    • RE: Pwn2Own: What OS really won?

      Beautiful post too :') <a href="">discount uggs</a>
    • RE: Pwn2Own: What OS really won?

      lol at his face everywhere in the pictures. beautiful post! <a href="">replica watches</a>
    • RE: Pwn2Own: What OS really won?

      beautiful post and those graphics are amazing!! <a href="">ugg boots outlet</a>
    • RE: Pwn2Own: What OS really won?

      <a href="">fake prada bags</a>
    • RE: Pwn2Own: What OS really won?

      <a href="">cheap replica watches</a>
  • To my knowledge no rules were tweaked.

    The rules of the contest were defined before the contest began and were followed precisely as defined during the contest. Not sure why it's so difficult for Mac users to understand this. For this years contest as well as last years.
    • Because

      Mac users are pompus buffons who think that because they own a Mac they are better then everyone else.
      • I am a Mac user

        And I am disappointed that there flaw in Safari. Mac users expect a lot from their OS because it has delivered a lot up to now. I am also a Windows user, and have been for longer than the Mac, but I find the Mac platform to be more stable than Windows, and to-date, I have never been attacked in the wild on my Mac.
      • thanks.

        i always wonder about people like you. would you say that to me in real life? i doubt it, for 2 reasons. first, if you met me you'd know that i wasn't pompous, or a buffoon, and that i didn't think owning a mac made me better than anyone. 2nd, because i really don't think you'd have the guts.
        • well...

          I certainly would have no problem telling you that you are a pompous buffoon, so long as I saw evidence. Statistically, you probably DO feel like you are better than Windows users, because you believe you made a better (smarter) decision. But who cares about statistics? It's the branch of mathematics that economists use, therefore it MUST be completely flawed.

          But to be straight: I know a great deal of mac users. I get one of three responses when I say I prefer my windows machines to my Mac.
          1) The "I HATE MICROSOFT, THEY ARE TRYING TO SUCK OUR SOULS OMG THEY SUXX OH GOD HAX" response where they generally believe M$ is both evil and TRYING to hurt customers
          2) The "grin like it's cool, but really, I think you're a flaming idiot" look where they give a smile and typically an "Oh, that's nice" but inside they are like Jeez, what a dolt
          3) The "Why would you use that when you can do so much more with Mac? Have you ever used one?" These are the most tolerable, but still ridiculous. With my macs amazing grapher, automater, Adobe CS3 and all of the other goodies, it is nice. Do I find it as productive and fun to use as my Vista machine? No. Is it faster than my Vista machine? Well... it is four years newer, so just a bit. But I have Vista ultimate on the macbook too, for when I need windows on the go, and it's leaps and bounds faster than Leopard is.
          • Leaps and bounds faster than Leopard?

            Yeah right. I have them both on my MacPro, no leaps and bounds faster seen on my machine between the two, though I do find Leopard to be leaps and bounds less convoluted than Vista.
            Kid Icarus-21097050858087920245213802267493
          • like i said...

            you are a punk... and a pompous buffoon!
      • digital prejudices or racism?

        putting down someone SPECIFICALLY because of the computer they are
        using is EXACTLY like putting some one down SPECIFICALLY because of
        the color of there skin...

        you are punk, and need you ass kicked!
    • I think your knowledge is incomplete.

      According to this alternative source:

      [i]A US$20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers.[/i];898393676
      • How is my knowledge incomplete?

        Specifically how were the rules changed?