COMPGROUPS.NET | Search | Post Question | Groups | Stream | About | Register

### Windows 7 hacked in 2 minutes - Twice

• Email
• Follow


http://www.computerworld.com/s/article/9174101/Hacker_busts_IE8_on_Windows_7_in_2_minutes?source=CTWNLE_nlt_dailyam_2010-03-25

<quote>
When his turn came, Pwn2Own newcomer Peter Vreugdenhil successfully
exploited a vulnerability in IE8 running on Windows 7 with attack code
called "technically impressive" by TippingPoint because it bypassed
the operating system's Data Execution Prevention, or DEP, security
mechanism, which is designed to stop most attacks.

Like Miller, Vreugdenhil, a freelance vulnerability researcher from
the Netherlands, earned a $10,000 prize. Another former winner, a German computer science student known only by his first name, Nils, was awarded$10,000 for hacking Firefox on
Windows 7.
</quote>

I didn't see any mention of successful Linux pwns
Of the browsers set up as targets for the contest, only Google's
Chrome remained standing on the first day.

 0
Reply rex.ballard (3732) 3/25/2010 6:01:14 PM

See related articles to this posting

"Rex Ballard" <rex.ballard@gmail.com> schreef in bericht
>
>
> http://www.computerworld.com/s/article/9174101/Hacker_busts_IE8_on_Windows_7_in_2_minutes?source=CTWNLE_nlt_dailyam_2010-03-25
>
> <quote>
> When his turn came, Pwn2Own newcomer Peter Vreugdenhil successfully
> exploited a vulnerability in IE8 running on Windows 7 with attack code
> called "technically impressive" by TippingPoint because it bypassed
> the operating system's Data Execution Prevention, or DEP, security
> mechanism, which is designed to stop most attacks.
>
> Like Miller, Vreugdenhil, a freelance vulnerability researcher from
> the Netherlands, earned a $10,000 prize. > > Another former winner, a German computer science student known only by > his first name, Nils, was awarded$10,000 for hacking Firefox on
> Windows 7.
> </quote>
>
>
> I didn't see any mention of successful Linux pwns

No obviously not, there was simply no Linux system at Pwn2Own
http://bit.ly/dynxr5
[q]
Linux
Like previous years, Linux is the great absent again Pwn2Own  during the
game. This has nothing to show that it is difficult to hack Linux. "It is
probably easier, although this does depend on the Linux version you are
talking about," says Miller. The reason Linux is not taking part because few
people on the desktop. In addition there are the leaks in the browser and
running on both Windows and Linux.
[/q]
Pwn2Own is not interested in Linux, it's so easy to hack, (says Miller), no
challenge to do such a trick!
Just like Unix guru Andy Tanenbaum wrote:
[q]
"most attackers think hitting Windows offers a bigger bang for the buck so
Windows simply gets attacked more."
[/q]
http://lists.virus.org/securecoding-0405/msg00035.html

> Of the browsers set up as targets for the contest, only Google's
> Chrome remained standing on the first day.


 0

On Mar 25, 2:58=A0pm, "Clogwog" <BWAHAHAH...@BWAHAHAHAAA.LOL> wrote:
> "Rex Ballard" <rex.ball...@gmail.com> schreef in berichtnews:7e93d335-e19=

> > I didn't see any mention of successful Linux pwns

> No obviously not, there was simply no Linux system at Pwn2Ownhttp://bit.l=
y/dynxr5

That explains why it was not mentioned.

> [q]
> Linux
> Like previous years, Linux is the great absent again Pwn2Own =A0during th=
e
> game. This has nothing to show that it is difficult to hack Linux. "It is
> probably easier, although this does depend on the Linux version you are
> talking about," says Miller. The reason Linux is not taking part because =
few
> people on the desktop. In addition there are the leaks in the browser and
> running on both Windows and Linux.
> [/q]

I've heard this claim numerous times, yet I have yet to see someone
successfully pwn a properly configured Linux system.

I suppose it couldn't be that difficult, since someone cracked the Mac
in 8 seconds last year.  What did Apple do, set the root password to
root or something?

> Pwn2Own is not interested in Linux, it's so easy to hack, (says Miller), =
no
> challenge to do such a trick!

Again, not much record of successful hacks.  Given the millions of
Linux servers out there, you'd think someone would have cracked a few
thousand at the same time by now.

Most "successful cracks" involve bone-head configurations in which the
machine has been set up exactly the way utilities like rsh and rlogin
tell you NOT to set it up.  Classic bone-head plays include things
like setting the wild card in hosts.equiv, letting people ftp
executable files to the cgi-bin directory, and setting up signed java
applets to accept a developer key as a fully validated key.

> Just like Unix guru Andy Tanenbaum wrote:
> [q]
> "most attackers think hitting Windows offers a bigger bang for the buck s=
o
> Windows simply gets attacked more."
> [/q]http://lists.virus.org/securecoding-0405/msg00035.html

Yes, but I would think that Microsoft would pay a handsome bounty to
be able to say that Linux was hacked in 8 seconds.  If that's actually
possible.

> > Of the browsers set up as targets for the contest, only Google's
> > Chrome remained standing on the first day.


 0

Rex Ballard "contributed" in comp.os.linux.advocacy:

> Windows 7 hacked in 2 minutes - Twice

It wasn't hacked -twice-, he just took 2 vulnerabilities to speed up the
hack. If he only took one vulnerability, it would take up to 55 minutes to
achieve his goal. At least, the guy is Dutch.
;-)

--
<snip>


 0

"John Holmes" <nospam.13inch@gmail.com> schreef in bericht
news:201003252031.o2PKVvD14621@smtp.cobalt.loc...
> Rex Ballard "contributed" in comp.os.linux.advocacy:
>
>> Windows 7 hacked in 2 minutes - Twice
>
> It wasn't hacked -twice-, he just took 2 vulnerabilities to speed up the
> hack. If he only took one vulnerability, it would take up to 55 minutes to
> achieve his goal. At least, the guy is Dutch.
> ;-)
>
>

I bet he could crack *any* Linux distro in 10 minutes!
http://bit.ly/dynxr5
(According to security expert Charlie Miller)
[q]
Linux
Like previous years, Linux is the great absent again Pwn2Own  during the
game. This has nothing to show that it is difficult to hack Linux. "It is
probably easier, although this does depend on the Linux version you are
talking about," says Miller. The reason Linux is not taking part because few
people on the desktop. In addition there are the leaks in the browser and
running on *both* Windows and *Linux* .
[/q]

Let's wait for COLA cretin nr. 1 & self anointed "security expert", Peter
Kohlkopf, to deny what the *real* expert said.
<chuckle>
--
How to write a Linux virus in 5 easy steps
http://www.geekzone.co.nz/blog.asp?postid=6229


 0

On Mar 25, 5:11=A0pm, "Clogwog" <BWAHAHAH...@BWAHAHAHAAA.LOL> wrote:
> "John Holmes" <nospam.13i...@gmail.com> schreef in berichtnews:2010032520=
31.o2PKVvD14621@smtp.cobalt.loc...
> > Rex Ballard "contributed" in comp.os.linux.advocacy:
> >> Windows 7 hacked in 2 minutes - Twice

> > It wasn't hacked -twice-, he just took 2 vulnerabilities to speed up th=
e
> > hack. If he only took one vulnerability, it would take up to 55 minutes=
to
> > achieve his goal. At least, the guy is Dutch.
> > ;-)

I thought two different people won awards and laptops for pwning -

> I bet he could crack *any* Linux distro in 10 minutes!
I'd like to see him try.  Anyone can SAY they can do something.
Actually DOING it is harder.

http://bit.ly/dynxr5

> (According to security expert Charlie Miller)
> [q]
> Linux
> Like previous years, Linux is the great absent again Pwn2Own =A0during th=
e
> game. This has nothing to show that it is difficult to hack Linux.

Actually, it proves nothing either way.  For whatever reason, they
sponsors of the contest didn't want to risk their laptops to Linux.
Never mind that millions of Linux and UNIX servers risk far more than
the cost of a laptop.  Many *nix systems process millions of dollars
per minute, some even millions of dollars per second.  A successful
hack would be catastrophic - it would make headlines - it would
probably also result in federal prosecution.

> "It is
> probably easier, although this does depend on the Linux version you are

So he really doesn't know one way or the other.

> The reason Linux is not taking part because few
> people on the desktop.

Or because the sponsors didn't want Linux to be there - and survive.
Microsoft was really hoping they would do much better.

After all, last year, a Mac was hacked in 8 seconds.
Made Vista look pretty good - for a few days anyway.

If Linux did as well as Chrome, and lasted through the first whole
day, that would be really embarrassing for BOTH Microsoft and Apple.

> In addition there are the leaks in the browser and
> running on *both* Windows and *Linux* .
> [/q]

The one that I can think of is signed Java applets.  The browser could
run one of those and it would get out of the JVM "sand-box" - but it
would only be able to muck with the user's home directory.

> Let's wait for COLA cretin nr. 1 & self anointed "security expert", Peter
> Kohlkopf, to deny what the *real* expert said.
> <chuckle>

Actually, the real expert said he didn't know.
He THINKS it MIGHT be easy to gain root access and control of a Linux
system because it runs FireFox.  He didn't say he was willing to
demonstrate in front of the reporter.

> How to write a Linux virus in 5 easy stepshttp://www.geekzone.co.nz/blog.=
asp?postid=3D6229

Rex Ballard
http://www.open4success.org

 0

Clogwog "contributed" in comp.os.linux.advocacy:

> "John Holmes" <nospam.13inch@gmail.com> schreef in bericht
> news:201003252031.o2PKVvD14621@smtp.cobalt.loc...
>> Rex Ballard "contributed" in comp.os.linux.advocacy:
>>
>>> Windows 7 hacked in 2 minutes - Twice
>>
>> It wasn't hacked -twice-, he just took 2 vulnerabilities to speed up
>> the hack. If he only took one vulnerability, it would take up to 55
>> minutes to achieve his goal. At least, the guy is Dutch.
>> ;-)
>>
>>
>
> I bet he could crack *any* Linux distro in 10 minutes!
> http://bit.ly/dynxr5
> (According to security expert Charlie Miller)
> [q]
> Linux
> Like previous years, Linux is the great absent again Pwn2Own  during
> the game. This has nothing to show that it is difficult to hack Linux.
> "It is probably easier, although this does depend on the Linux version
> you are talking about," says Miller. The reason Linux is not taking
> part because few people on the desktop. In addition there are the
> leaks in the browser and running on *both* Windows and *Linux* .
> [/q]
>
> Let's wait for COLA cretin nr. 1 & self anointed "security expert",
> Peter Kohlkopf, to deny what the *real* expert said.
> <chuckle>
> --
> How to write a Linux virus in 5 easy steps
> http://www.geekzone.co.nz/blog.asp?postid=6229
>

How to hack Linux? Easy. Boot the computer from a Win XP CD and format
the fucking HD.

Done. Easy as shit.

--
<snip>


 0

Rex Ballard wrote:
> On Mar 25, 2:58 pm, "Clogwog" <BWAHAHAH...@BWAHAHAHAAA.LOL> wrote:
>> "Rex Ballard" <rex.ball...@gmail.com> schreef in berichtnews:7e93d335-e195-4425-9fec-532763abf83c@i25g2000yqm.googlegroups.com...
>
>
>>> I didn't see any mention of successful Linux pwns
>
>> No obviously not, there was simply no Linux system at Pwn2Ownhttp://bit.ly/dynxr5
>
> That explains why it was not mentioned.
>
>> [q]
>> Linux
>> Like previous years, Linux is the great absent again Pwn2Own  during the
>> game. This has nothing to show that it is difficult to hack Linux. "It is
>> probably easier, although this does depend on the Linux version you are
>> talking about," says Miller. The reason Linux is not taking part because few
>> people on the desktop. In addition there are the leaks in the browser and
>> running on both Windows and Linux.
>> [/q]
>
> I've heard this claim numerous times, yet I have yet to see someone
> successfully pwn a properly configured Linux system.
>
> I suppose it couldn't be that difficult, since someone cracked the Mac
> in 8 seconds last year.  What did Apple do, set the root password to
> root or something?
>

They may have done so.
The really odd thing is that in 6 years I've yet to get hit by any kind
of malware.  I've seen social engineered tricks in getting you to
install some software, but then one had to do chmod +x file and then run
it.  I've also not seed one virus hit my macs.  Maybe I'm using the
wrong kind of bait.

Anyway, there is an article that shows that AV software on OS X causes a
lot of os problems and it isn't worth it.

Of course a while back, these same hackers never could gain entry to
VMS.  And they've tried for three days with no luck.

 0

7 Replies
140 Views

Similar Articles

12/12/2013 6:38:21 PM
[PageSpeed]

Similar Artilces:

weird error with python 2.7 installer under windows 7
A colleague gets this error while testing a bdist wininst installer under windows 7 professional. This is on the page where the Post install script output appears. In the upper part I see "Postinstall script finished. Click the Finish button to exit the setup wizard." In the bottom panel where we normally see output about the created scripts I see this "close failed in file object destructor: Error in sys.excepthook: Original exception was:" I have tried the same installer with a Win XP Sp3 machine and it doesn't cause any problems. Any ...

Coexisting OS/2 with Windows 7
Windows 7 coexists without OS/2 on the same disk with relatively few problems. The Windows 7 installer needs free space on the hard disk at the beginning of the hard disk to create its partition but it does not delete any OS/2 partitions. The Windows 7 installer actually has a nice volume manager display that shows all of the OS/2 volumes at the start of the install as well as any free space on the drive and then lets you pick with a radio button where you want Windows 7 to be installed. This is far nicer than previous Windows installers. After the Windows installation is f...

window.open problem in Netscape 7.2
I have two pages in my web application that interact with each other. One page contains two frames. One frame has a "next" link, and if you click the link about twenty times it stops working because window.open starts returning null. I have included below the source for pages that replicate this problem, which only occurs in Netscape 7.2 of the browsers I've tested. I am trying to understand exactly what happens under the hood in Netscape 7.2 to cause this, and the best way to work around it. Please help if you can. The actual pages that these test pages are modelled on have qu...

MikTeX 2.8 install freezes Windows 7
It was almost done with the install and was extracting the zaph something and Windows 7 froze. Ctrl-Alt-Del did not bring up the process manager. Had to do a hard reboot. Googled but couldn't find a solution. Tried to install 3 times and same result. Any ideas? OS is Windows 7 Ultimate (64-bit). Zach On Aug 3, 1:47=A0am, Zach <net...@gmail.com> wrote: > It was almost done with the install and was extracting the zaph > something and Windows 7 froze. Ctrl-Alt-Del did not bring up the > process manager. Had to do a hard reboot. Googled but couldn't find a > ...

Hackers' Handbook
Learn What Hackers Know? 1 WARNINGS - Windows Vulnerabilities, Advisories, and even security flaws introduced by so called security products 1.1 Microsoft IIS Vulnerabilities 1.2 Microsoft FrontPage Vulnerabilities 1.3 Microsoft Internet Explorer Vulnerabilities 1.4 Windows Application Vulnerabilities 1.5 Windows Internet/Networking Vulnerabilities 1.6 Insecurities introduced by Security Programs 1.7 Netscape Browsers 1.8 Windows Hacks - Miscellaneous 2 TOOLS - Windows Security and Auditing Tools 2.1 Windows Registry Tools 2.2 Windows and MSDOS Security and Auditing Tools 2.3 Windows Local S...

Hi, I've got the follwoing problem: I want to include all images from a directory. Therefore I generate a directory listing: \immediate\write18{dir Img\ *.png /b > xxx.xxx}% Then I open the file and read the first line \newread\Imgs \openin\Imgs=xxx.xxx \read\Imgs to \Image \typeout{-\Image-} there is an extra " " at the end, I want to get rid of. I defined: \def\chopline#1 \\{\def\xxxx{#1}} and used it: \expandafter\chopline\Image the result is the following error message: Runaway argument? aaa.png ! Paragraph ended before \chopline was complete. <to be read agai...

Uniface 7.2 and Uniface 8 on Windows 2003 Server R2
Hi all, I am Sunil and I am trying to find whether Uniface 7.2 and Uniface 9 can be run on Windows 2003 Server R2. I could not get any documentaion on the Internet. If anyone has succesfully installed and used both Uniface 7.2 and Uniface 9 on Windows 2003 Server R2, could you please share the information with us? Thanks in advance, Sunil. Sunil, We have Uniface 7.2.4 running on Windows 2003 server R2 and solid 2.3 Rob -----Original Message----- From: uniface-l-bounces@uug.org [mailto:uniface-l-bounces@uug.org] On Behalf Of Sunny Sent: vrijdag 16 oktober 2009 10:59 ...

Linux suckware: 21 minutes to copy 7.2 gb of data
"I have been experiencing a weird problem after I updated my Ubuntu to 8.10: Copying larger files/folder between partitions or hard drives takes longer than I would expect. For example, 600 MB folder ~ 25 MB/sec 7.2 GB folder ~ 5.6 MB/sec Also in same cases, when I do the copy with drag and drop and press cancel button, although the copy GUI disappears, the copying continues." http://ubuntuforums.org/showthread.php?t=1038944 I just copied a 6.9gb folder between partitions on my old WinServer 2003 system (P4, 3.0ghz, 2gb RAM, Seagate ST3250620AS), and it took less than 5 m...

Closing Parent window without prompt for Firefox 2 and IE 7
I need to know how to open a pop up and close the main window without a prompt in Firefox 2 and IE 7. Anybody have any ideas on how to do that. I currently have this and it works in IE 6 and Firefox 1.5: function windowClose() { if(navigator.appName=="Microsoft Internet Explorer") { this.focus();self.opener = this;self.close(); } else { window.open('','_parent',''); window.close(); } } Thanks, Tony Tony said the following on 2/21/2007 3:11 PM: > I need to know how to open a pop up and close the main window without > a prompt in Firefox 2 a...

Installation problem: Python 2.6.6 (32-Bit) on Windows 7 (32-Bit)
Has anyone else had problems running the msi for Python 2.6.6 on Windows 7 Professional? If I don't check "Compile .py to byte code", the installer completes without error. Checking "Compile .py to byte code" causes the following to be displayed "There is a problem with the windows installer package. A program run as part of setup did not complete as expected" 1. I have GB of disk space available. 2. I have admin privileges 3. The MD5 checksum of the downloaded installer matches the MD5 checksum on python.org 4. Run As Adminsitrator is not ...

[ANN] CGIScripter 2.35 EE for MacOS X, Windows and Linux Adds Support for FileMaker 7
CGIScripter 2.35 Enterprise Edition from .com Solutions Inc. ($50) has been updated to generate Perl CGI scripts for FileMaker Pro 7 and FileMaker Server 7 Advanced databases. Data from FileMaker 7 databases can be integrated with query results from other database servers or custom written Perl calculations without regard to scripting length or complexity. Developers can also write more sophisticated scripts to process FileMaker 7 data by selecting from thousands of open source CPAN Perl modules. The Perl CGI scripts generated for FileMaker 7 databases currently run on IIS on Windows, ... Oracle Rdb on GS1280 with 7.3-2 exceeds 1 million transactions per minute using Row Cache HP OpenVMS operating system and Oracle Rdb software break performance barrier by Marc Courchesne Recent performance tests of Oracle� Rdb version 7.1.2 and HP OpenVMS version 7.3-2 running on an HP AlphaServer GS1280 system have demonstrated breakthrough transaction performance for a single 32-processor symmetric multiprocessing (SMP) machine configured with 256 gigabytes of main memory. The AlphaServer system, together with Oracle Rdb software, achieved sustained throughput of 1,010,160 database transactions per minute. In this test, five tables with a total of one billion (109) rows were cre... How to do something every 2 minutes and know which 2 minute interval I have Consider the following code: package sim; import common.*; public class TrafficLightTester { public static void main(String [] args) { // create 4 lights Light north = new Light(STATE.GO); Light south = new Light(STATE.GO); Light east = new Light(STATE.STOP); Light west = new Light(STATE.STOP); // Create 6 STATE arrays STATE[] s1 = {STATE.GO, STATE.GO, STATE.STOP, STATE.STOP}; STATE[] s2 = {STATE.AMBER, STATE.AMBER, STATE.STOP, STATE.STOP}; STATE[] s3 = {STATE.STOP, STATE.STOP, STATE.LEFT, STATE.LEFT}; STATE[] s4 = {STATE.STOP, STATE.STOP, STATE.GO, STATE.GO}; STATE[] s... cisco ASA 5520 crashes with 7.1(2) and 7.2(1) Hello, I recently installed a cisco ASA 5520 with an IPS module. I have tried with 7.1(2) and now upgraded to 7.2(1). What happens is that the firewall works fine for a short amount of time, and then reboots itself. The time can be anywhere from 5 minutes to an hour. I had to take it out of service and put in our old firewall (a 525). Just before the ASA5520 reboots itself, it dumps its configuration to the screen, and then is followed by several lines of "not enough memory to perform show command" - then the unit reboots. During the time that it is up, it functions normally ... Better DOS than DOS, better Windows than Windows, better OS/2 than OS/2 :-))) Hello, hereby I officially announce my entry into "eCS lusers" crowd :-) Installed 1.1 entry upgrade from Warp 4 on Saturday. Until now I was at Warp 4 FP15, and the days of fixed-patched-1996-oldtimer are gone. Although OS/2 base system in eCS 1.1 does not considerably differ from CP2, the value of added software (especially SDK 4.52) made my day. I got up-to-date OS/2 with SDK and other SW for cca 109 euro (thanks to my Warp 4). Just one notice about eCS: Should have happened earlier, in Warp 3 times. And just a drop of poison for you-know-who: I was able to run all my OS/2 sof... Windows 7 Sale! - 7 Day Sale! - Product Scope 7.9 Windows 7 Sale! - 7 Day Sale! - Product Scope 7.9 - EZChangeLog Reporter 1.7 http://www.encouragersoftware.com/secureorder.htm Windows 7 SALE! For 7 Days! -$10 OFF SALE for 7 Days - We ARE Windows 7 READY! Product Scope 7.9 ($29.95, normally$39.95) and EZChangeLog Reporter 1.7 ($9.95, normally$19.95) - Special Combo Pricing - normally $49.95 -$34.95! Check our Buy Now Page for Other Specials! Never a better time (BUT a limited time) to buy Product Scope 7.9 or EZChangeLog Reporter 1.7 OR BOTH! We ARE Windows 7 ready - both 64 bit and 32 bit! Windows 7 install compatible, ...

Windows and Linux Tips #2 #2
Hi Friends, Do you need Windows and Linux Tips? Please visit the following site: http://windowsandlinuxtips.blogspot.com/ Thank you. Pavel Haque ...

Unicode thing that causes a traceback in 2.6 and 2.7 but not in 2.5, and only when writing to a pipe, not to the terminal
What is this about? It's another n~ thing, but this time in 2.x. All I'm doing is printing a str containing a character > 127. It works fine in 2.5, to a terminal or to a pipe. In 2.6 and 2.7, it fails when writing to a pipe but works fine writing to my terminal - an mrxvt.\ I really kind of want octets to just be octets, since I'm on a Linux system - it probably should be up to the user and their related software to decide how those octets are interpreted. I'm assuming that the bytes() workarounds I'm using in 3.x aren't going to work in 2.x - it loo...

ANNOUNCE: GRX 2.4.7 2D graphic library for DJGPP 2.03/2.04 uploaded.
This is the GRX-2.4.7 2D graphic library. GRX 2.4.7 is the last version of a 2D graphics library that is no longer developed nor maintained. On DOS it supports EGA, VGA and VESA compliant cards. It offers a C API beside others. Please note that I am not lobbing for still using this library because its development has stopped in 2003 and it is no longer maintained by no one. I make it available for the case that some other package depend on it. Please note also that GRX 2.4.7 is not compatible with MGRX 0.9.7. This is due to a mayor number of name clashes between the librar...

gimp 2.2 for windows and acecat 302
When I try to use the acecat 302 graphics tablet with gimp 2.2 for windows I can't use the free selection tool. The selection does not start at the point where the pen top is 'resting' and the y axis seems reversed; move the pointer down, the selection point up! Any ideas happily recieved ...