We wrote about the CanSecWest conference last week when the hacking contest was on its second day. The second day consisted of stock configurations along with browsers and some mail applications. That’s when the MacBook Air laptop was hacked in about 2 minutes using a Safari vulnerability that Apple has now been notified of.

On the third day, widely used plugin frameworks (Silverlight, Flash, etc.), instant messengers, and more were all installed on the machines. After several hours of working at it, Shane Macaulay managed to tiptoe his way into the Vista machine using an Adobe Flash vulnerability. As a result of his efforts he is taking home that computer, and gets a prize of $5,000. Not too shabby.

So that leaves Ubuntu Linux standing alone as the only unhacked computer among the three operating systems. Not to take away from Ubuntu’s win, but there are some things that you should consider before drawing any conclusions:

  • Technically it wasn’t really Microsoft’s fault that the machine was hacked since Adobe is the one who creates Flash. The MacBook Air vulnerability, on the other hand, was in the Safari browser which ships on all Apple computers.
  • One of the rules of the contest is that you “can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.” Adobe does make Flash for Linux and Macs, but there was no mention as to whether the vulnerability used to attack the Windows machine was actually a cross-platform bug. Similarly, if Safari was installed on the Windows machine, would it have been subjected to the same vulnerability that brought the MacBook Air to its knees?