More details on the Pwn2Own Flash flaw that won the Vista machine

So, I've been pretty surprised by the response to the discussion of the Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest.

Alexander Sotirov (SolarEclipse) and Shane Macaulay (k2)
So, I've been pretty surprised by the response to the discussion of the Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest.  I'm working on getting an interview with Alexander Sotirov and Shane Macaulay (see image, courtesy of ZDI's official site) to discuss the issue, but in the meantime, I think we can make some reasonable assumptions from the details that have been released in an InfoWorld article:

Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures...

For those who aren't familiar with Sotirov, he's of the Javascript Fung Shui fame, which is basically a new method of heap spraying that allows the exploit code to have a predictable target address where it will be located in the heap.  So they team up and get to work:

Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.

Hmmm... does this sound familiar to anyone?  See my posts (part 1 here and part 2 here) on the flaws that John Heasman spoke of in Java which require it to turn off features like DEP in operating systems that provide these protections.  So my guess, and I feel it is an educated one (of course time will tell), is that Sotirov helped out by providing some additional hacker ninjitsu by helping Macaulay load this Flash attack through a Java Applet, thus turning off any DEP protections the operating system provides.  Heck, I wouldn't even be surprised if he used the applet to do some fancy heap spraying to load the shellcode from the heap.  The article continues:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he (Macaulay) said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

Aha, so there is your story right there, this flaw could've worked on any of the systems; however, the contest rules state that the same exploit can only be used to compromise one machine (see rule #2 from the web page which states "You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue."), and Macaulay used Vista because it was what he was more familiar with.

So I guess we can end the OS wars about who's is better.  Perhaps I could just put up a poll so we could vote on it and get that all over and done with.  So now, we should be pointing the finger at Adobe for allowing this flaw... or wait a minute, should we be pointing it at Sun since it doesn't play nice with DEP?