While it put up a strong fight, the notebook running Windows Vista Ultimate finally failed the annual CanSecWest hacker challenge Friday when a security researcher successfully exploited a critical error located in Adobe Systems Flash Player.
A Fujitsu U810 running Windows Vista was the second system to be hacked, leaving a Sony Vaio notebook running the Ubuntu distribution of Linux to emerge unclaimed at the contest's end.
The Vista hack was part of the three-day 2008 "Pwn to Own" hacker challenge, held at the CanSecWest conference in Vancouver, B.C. March 26-28. The contest included three laptops -- a MacBook Air running OS X 10.52, the Sony Vaio running Ubuntu 7.10, and the Fujitsu U810 running Vista Ultimate SPI -- running the "most up to date and patched installations," which were pitted against each other to determine which machine is most hack resistant.
Researcher Shane Macaulay won a $5,000 cash prize for breaking into a Fujitsu U810 running Vista when he exploited an unidentified Adobe Flash Player vulnerability. Macaulay was assisted by Derek Callaway, of Security Objectives, and Alexander Sotirov, an independent researcher.
Friday's triumphant hack was the contest's second successful exploit. Charlie Miller, an analyst for Security Evaluators LLC, won the notebook and a $10,000 cash prize when he infiltrated a MacBook Air on Thursday by exploiting a vulnerability in the Safari Web browser. No one, however, claimed the first day's prize of $20,000, which required the researchers to remotely exploit the detected vulnerabilities without any user interaction.
The contest was kicked off on Wednesday when all three machines were exposed to viruses and other malware before the contestants attempted to exploit the vulnerabilities.
According to the Tipping Point Website, the purpose of the contest was to "responsibly unearth new vulnerabilities within these systems so that the affected vendors can address them." All subsequent exploits were handed over to the affected vendors following the challenge.
Altogether, the hackers were required to "read the contents of a designated file on each system through exploitation of a zero-day code execution vulnerability." The first contestant to hack into a system was allowed to keep the notebook, in addition to receiving designated cash prizes. 3Com's Tipping Point Technologies Zero Day Initiative put up the cash prizes for the players.
