Linux unbroken in hacking contest

Linux was the runaway winner in the battle of the operating systems held at the CanSecWest conference.

Conference organisers ended a three-way hacking challenge on Friday with Linux running on a Sony Vaio remaining unbreached. Earlier in the day a Fujitsu running Vista was cracked by Shane Macauley, co-winner of last year's contest - the Apple MacBook had been broken into the on the previous day.

Macaulay needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures. He also got a little help from co-worker Derek Callaway.

Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said. "This could affect Linux or Mac OS X."

In a blog post, TippingPoint said that Macaulay's bug lay in Adobe's Flash Player and that Adobe is working on a fix.

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go," she said.

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest.