NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0458 LINUX Ignored, not immune:
People shouldn't read anything into the fact that of the three laptops set up for last week's
"PWN to OWN" hack challenge, the only one left standing was running LINUX, said the security
expert who oversaw the contest. "There was just no interest in Ubuntu," said the manager of
security response at 3Com Corp.'s TippingPoint subsidiary. Her company put up the cash
prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure
of relative security between operating systems. It's not an accurate barometer." Just because
the laptop - a Sony running the Ubuntu 7.10 distribution of LINUX - was untouched doesn't mean
that the operating system is any more secure than either Mac OS/X or Windows VISTA, both of which
fell to attacks. She said it was actually a lack of interest on the part of the PWN to OWN
contestants. Contestants get a lot more mileage out of attacks on the Mac or Windows than a
LINUX system. Of the three notebooks, the first to go down was a MacBook Air. That machine was
hacked on the second day of the three-day challenge using a zero-day vulnerability in Safari. The
next day, a hacker breached a Windows VISTA SP1-powered Fujitsu using a flaw in Adobe's Flash.
That Flash vulnerability exploited on the VISTA SP1 notebook is multiplatform, and is present
on both Mac OS/X and LINUX. The shift from attacking the operating system to attacking
applications, particularly those installed on desktop clients, has been building for months.
The vast majority of vulnerabilities found are now in client-side applications such as Internet
Explorer, Microsoft WORD, Firefox, Adobe Reader, and others. Part of that move towards
applications, the TippingPoint manager said, has been forced on hackers as operating systems
have become more secure.
(ComputerWorld 01APR08)