Vista falls in Pwn2Own contest's final day to a flaw in Adobe Flash

Update 3/29/2008: Just to clarify in case it wasn't clear, this is a flaw in an Adobe product, Adobe Flash, and not in a Microsoft product or in the Windows Vista operating system. This is important to note, as it's not quite as glamorous as the flaw that took down the brand new, fully patched MacBook Air, which just so happened to be a flaw in Safari. I'm still waiting for details on this, just like everyone else, but I would suspect that this is another product that doesn't or can't take advantage of the ASLR and/or DEP protections that Vista has built in. These are opt-in protections, as I mentioned in a previous article.
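Whether a given Windows binary opts in to ASLR and DEP is recorded in its PE header, in the DllCharacteristics field that the linker fills in. The following is an added example, not part of the original article, that reads those two bits; the function names are hypothetical and the sample header is constructed for the demonstration.

```python
import struct

# DllCharacteristics bits from the PE/COFF optional header
DYNAMIC_BASE = 0x0040   # image opts in to ASLR (linked with /DYNAMICBASE)
NX_COMPAT = 0x0100      # image opts in to DEP  (linked with /NXCOMPAT)

def pe_opt_in_flags(data: bytes) -> dict:
    """Return which opt-in mitigations a PE image declares in its header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24                                       # optional header start
    if opt_size < 72 or opt_off + 72 > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}

def build_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> 0x40
    # COFF header: i386, 0 sections, 96-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    samples = (("opted in", DYNAMIC_BASE | NX_COMPAT), ("legacy build", 0))
    for label, flags in samples:
        print(label, pe_opt_in_flags(build_sample(flags)))
```

To audit a real module, pass the bytes of the file on disk to `pe_opt_in_flags`; a process only gets full ASLR coverage when every module it loads has opted in.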

On the final day of the Pwn2Own contest, the Vista machine has fallen to a group of hackers including Shane Macaulay from Security Objectives, Derek Callaway (also from Security Objectives) and Alexander Sotirov (see JavaScript Heap Feng Shui). From the ZDI site:

7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue. Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability. You will be able to track the vulnerability on the Zero Day Initiative upcoming advisories page.

Congrats to all of the winners!


  • Fair is fair: Blame Adobe, not Vista

    Vista is a piece of junk that NOBODY with a brain likes because it is actually slower and less usable than XP.

    But this "hack" cannot be blamed on Vista's poor security. This "hack" was caused by a vulnerability in the mostly hated Adobe Flash. Not only is Flash the most annoying bandwidth stealer, ad junk maker in the web, it is now so insecure that it bypasses any security (even if little) built in the OS.
    • Not so fast, does the hack work on any other platform?

      It is easy to assume that the rubber bands holding Vista
      together, is not a secure platform to build any software on.
      Adobe's code may be just fine, yet it ends up being blamed.
      That has certainly been my experience with Windows. They
      do something that breaks our code and we get blamed.
      • Still safer than OS X!!

        OS X ships with massive security holes. If Apple can't even write secure programs on their own platform, how does anyone else stand a chance? :)
        • wait... don't most vista boxes ship with flash installed?

          the Mac didn't fall from an OS X flaw... sure it was an apple
          product, but not a flaw in the OS X... so the title of your
          comment is kinda wrong.

          since Flash has 92% installed base... what does this say for
          the security on the average PC... not even the average
          PC... almost every PC... since almost every PC has flash
          • Nope, most do not. How about OS X?

            The Mac fell from an Apple flaw, the Windows box fell from an Adobe flaw that more than likely would've worked on OS X or Linux as well.

            I think it says that all three major OS vendors have to take a close look at what they can do to "help" the Adobes of the world.

            The average Mac and Linux box are just as vulnerable to a flaw in third party software, so I think it doesn't say anything about the security of the average PC.
          • RE: Helping the Adobe's of the World


            And not to bang the drum for Microsoft here or anything...
            this is something that Microsoft does. I know because I
            have personal experience with it. I'm currently sitting on a
            new anti-DNS pinning attack vector within Adobe Flash
            and a few other nastier flaws in Adobe Flex Builder (which
            turned out to be Eclipse's issue). I spoke with a Microsoft
            rep after Black Hat Federal, and she personally put me in
            touch with Adobe's product security team to talk about the
            issue. In fact, they're bringing me up to Blue Hat in May to

          • There's little doubt.

            MS is taking security far more seriously, and the results are really starting to pay off.
          • whether they ship with it or not....

            most PC and Mac have Flash on them (92% of computers
            do).. that's reality...

            and my other point was that the Mac fell to an Apple/Safari
            flaw but NOT an OS X flaw
          • RE:

            Well, let's be careful there. This could very well have been an OS X flaw. We just don't have the details yet. It could've been a flaw in CoreFoundation or something, just using Safari as the vector to deliver that.

          • what a joke!

            So... because users install a third party add-on on 92% of the PCs, it's a bad OS, which would not be the case with Apple since Safari is bundled with it?

            You crack me up
      • It allegedly works under OSX

        I can't confirm it, but a few people (blogs) are claiming that the Flash vulnerability works also under OSX.

        No word if it works under Linux.

        I'm an equal opportunist Vista basher (after being a Beta/RC tester). But fair is fair. The blame is on Adobe Flash, not Vista.
        • RE: It allegedly works under OSX

          I've heard the same thing, although I can't confirm that with a source.

      • I wish people would get the facts and stop trying to blame everything on MS

        It seems for some that it really doesn't matter who is at fault or to blame. They seem to make a beeline straight to MS in blaming them. I agree MS is nowhere near perfect, but if the blame is going to be made, it needs to be warranted. Stick to details and facts, people...
        • RE:

          I hope this was directed at a message poster and not myself. I've already updated the article to show that this is Adobe's problem, not Vista's, even more clearly than it should've been prior.

          • Was directed at Littleguy

            Definitely directed at poster
        • RE: I wish people would get the facts ...

          "Windows Server 2008, Still not totally secure"
          Argeniss has identified some security weaknesses that make some of the new security protections useless.
          "Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products."
          Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go,"
          • RE:

            Let's not pull a couple quotes from distinct people and say
            we know the full story.

            As I've already mentioned, the flaw that took down Vista
            was COMPLETELY 100% Adobe's fault. It's highly likely this
            could've also been exploited on *Nix. We don't know if the
            competition committee for the Pwn2Own contest allowed
            Flash to be installed on the machine, we don't know if the
            guys who found THIS flaw on Vista had time to get a
            working exploit together for *Nix, hell, we don't even know
            if the rules would allow a cross-operating system exploit
            to be used multiple times.

            It may be that the team that had the Adobe Flash
            exploit could only use it on one machine, and chose the
            Vista machine.

          • And if this doesn't work on Linux?

            Could the Linux developers fix the code to the browser or some other application that would prevent Flash from exploiting the OS? Isn't this what the whole "Sand Box" for Vista was supposed to fit in?

            Do we just allow arbitrary code to run just because we trust the program that calls it?

            I think that if Linux resolves this problem, that they have something the other two don't and so then they should be seriously considered more secure.
          • RE: We'll know when we know

            The author of the exploit supposedly claimed it would work
            for all three operating systems. I'm going to try to get an
            interview with him and see what the deal is.

          • Sorry...This is totally Irrelevant..

            You need to stick to the facts in the article. It talks about Vista and Adobe. Nowhere does it mention Windows 2008 Server. Quit trying to throw bits and pieces that do not pertain to the subject and try to make it stick.