Adobe Knew of Vista PWN 2 OWN Hack All Along
Posted by Haroon Malik at 6:30 AM on April 7, 2008
The PWN 2 OWN contest, as we all know, saw Mac OS X crumble first, with Vista following soon after. Ubuntu was the only OS that was impenetrable to attack, but news is surfacing that Vista should have had a longer life, if only Adobe had patched the flaw they knew about all along.
Yup, it's true: Adobe not only knew about the security flaw that Shane Macaulay used to hack Vista, they even had a patch prepared. The only thing is, they hadn't got round to releasing it. In fact, the patch was scheduled for release in the next Flash Player update later in the month.
Thankfully, Adobe were not in the dark about the security risk. However, if they were in the know, don't you guys think they have a responsibility to release the fix ASAP? Putting our systems at unnecessary risk because of our choice to run third-party software just doesn't seem fair. Further, asking for system stability and security to be made a priority should be a given at all times, or so we reckon. Worse still, the defect may have cost Vista the title of impenetrable OS, and that's gonna hurt the MS fanboys dearly. After all, imagine if OS X had been the only hacked operating system; we think said fanboys may have had something to brag about, or at least a reason to punch Mr Smug Mac in his face. [Ars Technica]

Comments
thewackonerd
Posted April 7, 2008 1:15 PM
Makes good sense to move to Ubuntu
Jsembower
Posted 6:26 AM 7/4/08
In the long run, does it really matter? Seems to me (a guy who doesn't download a lot of crazy stuff) that the commercial software got hacked because they were better targets. OS X and Vista were bound to be hacked. And by hacked, I mean, use vulnerabilities in programs installed on the OS.
I'm not flaming the fire, but it just sounds like bickering to bicker. All 3 seemed to be very secure during the competition. My .02...and not worth a whole lot more.
egojab
Posted 6:24 AM 7/4/08
A scheduled release does not guarantee a stable version of the patch. Also, Adobe, and even MS or Apple, should not be responsible for user stupidity. It is unfair to expect these companies to account for every possible stupid mistake that the user is going to make. Should MS be held responsible if some user deletes some file that makes their system no longer work? How about if they turn off all the security measures? Is it still the fault of MS or Apple? The hacked machines were only hacked due to the fault of the user, not that of the software. Also, Linux isn't even close to "impenetrable": if a user opens up the same possible vulnerabilities, someone can hack into a Linux machine too. I'm all for open source as much as the next guy, but the reality is that the quality of open source will, in general, never live up to that of commercial software.
f1sh3r
Posted 6:14 AM 7/4/08
@digodemais: as opposed to linux?
Step666
Posted 6:03 AM 7/4/08
@mcg1969 & barfoo: whilst it's true that it's important for companies to test their software patches before releasing them, in this case Adobe have known about the fault since before the competition, have been working on it and have now scheduled a release date for the fix - surely if they've reached the point that they can schedule a release date, then it's ready to go and should just be released ASAP, no?
esecasco
Posted 5:57 AM 7/4/08
And this is why open source is so great (or why Linux wasn't hacked). See a security problem, report it. If it's not patched by the distributor, any security-minded individual can grab the source and fix it himself, and/or release it.
barfoo
Posted 5:57 AM 7/4/08
Software companies are damned if they do and damned if they don't: if they release a patch prematurely, and it breaks stuff, we complain. If they wait until it's fully tested, we complain. How long it takes to implement and test a fix will vary, depending on the flaw, but you can't expect Adobe or anyone else to just put an untested fix out there, especially when there are no exploits in the wild. Also, rolling multiple fixes up into major patches makes more sense than incremental fixes for every little hole discovered. Hence Microsoft's Patch Tuesday, Apple's humongous OS X updates, etc.
Also, it's not clear that this hole wouldn't affect Linux as well; the people who cracked the Vista laptop apparently did so because it was a better machine.
Simpsons-Movie-ruled
Posted 5:51 AM 7/4/08
"I run vista and I did your sista"
LMAO!!!!!
Funniest.Caption.Ever!
x'D
Papsky
Posted 5:50 AM 7/4/08
When a software company finds a flaw that is a security risk, what are the procedures that they must follow before releasing it? I kinda wanna know how long it usually takes to fix a problem, test it, and release it. I think it's good that Adobe knew of the problem at least, but I really don't hate Adobe yet because I know I definitely do not know what needs to be done to fix this problem. Any people here have any insight on how this works?
CarbonatedWater
Posted 5:44 AM 7/4/08
Wow that's pretty lame. I still don't like Vista though but now I'm positive that it's not all Microsoft's fault.
digodemais
Posted 5:42 AM 7/4/08
The funny thing about mac is that what makes it "safer" is the fact that not a lot of people use it. Since only a small percentage of users are of the "1337" population, you have a much better chance of staying away from viruses and hackers on a mac.
Apple should stop running ads, if their user base gets too big they're screwed.
mcg1969
Posted 5:40 AM 7/4/08
"Thankfully, Adobe were not in the dark about the security risk. However, if they were in the know, don't you guys think they have a responsibility to release the fix ASAP?"
How do you know they're not releasing it ASAP? Do you not think it is reasonable that companies should test updates before they release them?
thechansen
Posted 5:39 AM 7/4/08
I don't know about you guys but I consider a true hack to be something that doesn't require the stupidity of the victim. Freeporn.exe is a trick.
Knight-Zero
Posted 5:39 AM 7/4/08
I hate adobe now. Hate.
gattsuru
Posted 6:46 AM 7/4/08
A schedule does not always indicate working code. Otherwise, we'd be working on Windows OS 7 or whatever the hell is going to come around.
That said, I expect they had the fix roughly finalized. The issue, however, is that as I've pointed out above, such exploits don't present a lot of harm immediately.
Tell me, if Mac OS X, Adobe, Microsoft Office for Mac (a major security risk, surprisingly), chat clients, Flash, your PDF reader, Steam, Firefox, Opera, and a couple other programs had updates to download and install every other day, how many people do you think would actually update them regularly? For some of these programs, that is the rate that known exploits and fixes come out, and I know people that complain enough already about the endless Firefox and Windows patches every month.
I can't believe I'm defending Mac and Adobe, here -- I personally hate both of them (I'd rather use a terminal window than OS X's interface, and I'd rather code html by hand than deal with friggen PDFs) -- but this isn't a bad act by them.
LJKelley
Posted 6:39 AM 7/4/08
Well, regardless, it's fair to say that OS X was hacked by a flaw that Apple had a responsibility for, whereas Vista was hacked by a flaw that Microsoft didn't have a responsibility for.
But also to agree with another post: it is all user stupidity, and Apple or Microsoft shouldn't be responsible (beyond plugging flaws) for people doing stupid things. It's amazing, when people ask me to fix their computer, what they have managed to download and install. Some people don't even have anti-virus installed, or their memory or hard drive is failing, or they have bad graphics card drivers, and yet they turn around and blame Microsoft. And the manufacturers perpetuate this lie by not taking responsibility for bad drives and hardware, and would rather their users think Sony/Dell/HP/IBM is perfect and it's all Microsoft's fault.
ProSeven
Posted 6:38 AM 7/4/08
OSX, fashion and nothing else.
gattsuru
Posted 6:37 AM 7/4/08
Generally, no.
Software vulnerability patching isn't like dealing with normal computer issues. Simply having a known issue doesn't mean that issue will be used, or be dangerous. There's a period of time before black hat hackers will come up with a working bit of malicious code based on it, and even once they've done so, malicious code usually follows some rather specific growth patterns that mean it won't be hazardous on a wide scale for a period of time. Mail code exploits, for example, might only multiply a couple of times a day, meaning that they might not infect a truly large number of people for a while.
Where a normal code issue -- for example, losing data under specific actions -- is going to have negative results directly proportional to the amount of time that program is used and the number of people using it, security flaws are very unlikely to cause harm in general early on. Compare that to the results of a hurried patch, which could cause its own type of issues (crashes would be the most common, but poorly designed code has been known to accidentally delete data in outlier cases, like that of the recent EVE Online change)... and it's not so relevant to release as early as possible.
Even when a patch is released, it's not really sure to fix an issue. The infamous Code Red and Nimda malicious code used exploits that had been known and patched for a month, if not longer. Code Red still managed to reach nearly four tenths of a million IIS servers during the height of its reign. That's not normal user machines, that's server-side Windows stuff, with owners who are supposed to know better. Unless you force them, people are slow to update.
lianna_g
Posted 6:30 AM 7/4/08
A cursory reading of the cited article CLEARLY shows Adobe HAD a fix. They chose to delay it for reasons OTHER than testing.
It seems there is an entire group of Gizmodo readers, epitomized by apologists like barfoo and mcg1969, who will unthinkingly leap to the defense of corporations. I don't know if it's generational, or a more general inculcation of corporate values, but it bodes ill for consumer rights.
yoshi
Posted 6:30 AM 7/4/08
Oh well... does it really matter? Folks are going to run whatever OS they want.
I run Vista because I like it. Finally, a version of Windows where you don't need virus scanning software.
icntdrv
Posted 7:04 AM 7/4/08
One never needs a REASON to punch Mr. Smug Mac in the face!
Appletard
Posted 6:56 AM 7/4/08
@ProSeven: "OSX, fashion and nothing else."
Pro seven, dolt and nothing else.
Sleeper_Service
Posted 6:54 AM 7/4/08
Given that the Mac was hacked first anyway and virtually no-one really gives a toss about Linux on a PC, does this really matter?
lianna_g
Posted 6:51 AM 7/4/08
You have to ignore the Ars Technica report to make your assertions. I guess if that works for you, it works for you. It didn't work for the Ars Technica crew. Here's what they said:
Manve
Posted 6:50 AM 7/4/08
I just have to say that pic is ridiculous.
strobefx
Posted 6:49 AM 7/4/08
This contest was practically designed to start flamewars. People are pretty much going to keep their opinions on their OS no matter what, so it's not really important.
barfoo
Posted 6:49 AM 7/4/08
@lianna_g: I don't know if Adobe has done the right thing here, and they might well be in the wrong. I just think knee jerk reactions on either side are silly. There are legitimate reasons a patch doesn't come out right away as well as illegitimate ones. It makes little sense to argue about particular cases without knowing the details; it's much more useful to look at a company's overall track record.
Gary_7vn
Posted 7:37 AM 7/4/08
@thechansen: Where can I get a copy of freeporn.exe? LOL
waterdrop
Posted 7:27 AM 7/4/08
The flaw they used to hack Vista also would work for Linux and Mac OS X because it's a Flash flaw. The guy chose to hack Vista because he "was more familiar with it" and had worked with Microsoft operating systems in his career.
CGrant
Posted 7:26 AM 7/4/08
Shocker. I heard that it was a Java exploit that allowed the hackers to get in to Vista. Oh well, I'm switching to Mac soon, even though they got that first.
Step666
Posted 7:22 AM 7/4/08
Question: the Pwn2Own competition revolves round the winner uncovering a new security flaw and exploiting it - if Adobe knew about this hole, then does it still count as 'new' and are the two guys who cracked Vista still entitled to their laptop?
cyborgtroy
Posted 7:11 AM 7/4/08
@ProSeven: [lex-wrong.ytmnd.com]
Sleeper_Service
Posted 7:59 AM 7/4/08
$10,000, a laptop and all the free publicity you can eat for your business is 'essentially nothing'?
Sheesh. Tough crowd.
Gary_7vn
Posted 7:49 AM 7/4/08
The guys who hacked these systems really got pwned by being stupid enough to do security testing for huge corporations for essentially nothing. They sold themselves too cheap.
Tohe
Posted 7:49 AM 7/4/08
Mac sucks a$$!
Jackson P
Posted 8:33 AM 7/4/08
@storm: wow. someone should get you on def comedy jam or something. you pwn dude.
storm
Posted 8:03 AM 7/4/08
If this contest is the best and only thing you have against Mac, then you're plainly lame.
And if Vista runs nice for your machine, great (My 4-core 3GHz Xeon machine with 4G of RAM and decent video cards doesn't get THAT job done, but hey, it's "secure").
But since we're just apparently throwing pseudo-memes out there (e.g., Mac is only secure because "no one" uses it), here's some for you:
(1) Only people who are too poor to afford Macs, too stupid to figure them out, or who have never seen them make fun of them.
(2) Only people who love taking it in the ass from big corporations like Microsoft, Adobe, or Apple blame the user
(3) Only people who've only had sex with Rosy Palmer use Linux, or think that most people are "stupider than I am" (How's that mentality working out for you?)
(4) George W Bush is a good president
All are equally as false as the kind of crap I'm reading here about Mac and Linux.
hooked-on-tronics
Posted 9:03 AM 7/4/08
@storm: So much anger over so mundane a thing as another man's opinion. You won't be winning over any minds with your current approach.
Lstormy10
Posted 9:01 AM 7/4/08
Fanboys and supporting different OSs aside, Adobe should immediately release security patches for any product of theirs on any platform (OSX, Windows, etc) whenever they finish the patch.
What is the point on holding out on releasing a security patch?
thechansen
Posted 10:35 AM 7/4/08
I heard this story once about opinions and assholes both having foul odors. I'm not sure if it's true but it deserves more research.
strider_mt2k
Posted 10:44 AM 7/4/08
Blog fodder.
Falconfire
Posted 11:22 AM 7/4/08
@Step666: Well, in that case, the Safari flaw that they used would also have disqualified it, as it was a known flaw that required the user to cause the hack to happen (i.e. they authenticate the attack themselves).
The basic rundown is the pwn2own contest was a fraud. They couldn't hack the machines on the first day, so they allowed for hacks that are more trojans than actual hacking on the second.
BigViper
Posted 12:06 PM 7/4/08
what?! you mean some large corporation decided not to give a shit about the little guy? Say it ain't so Jo!
Deamion
Posted 2:00 PM 7/4/08
@LJKelley:
I couldn't agree with you more.
I also repair computers for the general public, and I find it a never-ending battle to defend Microsoft when I know damn well that failed hardware isn't their fault. I have even had people blame MS for a bad backlight in their LCD monitor, when it was clearly labeled DELL on the front! (Not to bash DELL, it just happens to be a Dell this time.)
As for the hacking, why would you install anything but a fresh OS load with updates on to a system when you enter it into a hacking competition? That's unfair in my opinion.
I call a do over! Who's with me?
--Deamion.
Joseph
Posted 10:28 PM 7/4/08
@Deamion: You don't need a do-over. Every OS is flawed and can be hacked. It's just a matter of finding someone's crap code.
sumocat
Posted 11:04 PM 7/4/08
The contest was flawed from the onset. No one cracked the Linux box because no one tried. If you hate corporate-controlled software and love open source, as many hackers do, chances are you're not going to show off how the open source OS can be cracked.
Ironically though, the fact that the Mac was the first to crack bodes poorly for open source and standards. Mac was cracked through Safari, which uses an open source engine. Mac OS X Leopard is fully UNIX compliant, which means there are hackers who literally have decades of experience with its programming standards (even Apple admitted way back at the launch of OS X that switching to UNIX meant increased vulnerability). If anything, the contest reveals the weakness in open source and standards.
yoshi
Posted 11:59 PM 7/4/08
@storm:
Deep down you're just upset that OS X "Leopard" (growl) was taken out first. Leopard is an "OK" operating system though.
It gets better with each update they send out weekly/bi-weekly.
N@tedog
Posted 12:56 AM 8/4/08
@mcg1969: Agreed. ASAP has become cliché. It should be ASAAP, As Soon As ADMINISTRATIVELY Possible. Creating, testing and implementing updates is a systematic process that, unfortunately for the consumer, has a hierarchy of steps that can render an 'update' archaic before it's even completed and released.
Look at the Chicago CTA El system. The city's current upgrade project will cost hundreds of millions of dollars when it's completed in 2009 and will already be outdated by a friggin decade.
nutbastard
Posted 2:32 AM 8/4/08
Ubuntu Kicks Ass. Best decision i ever made.
Monty
Posted 4:06 AM 8/4/08
@nutbastard:
Just because you run a completely secure and open source operating system that is free does not mean you deserve to rub our noses in it. Show-off.
xracer
Posted 7:29 AM 7/4/08
@esecasco:
This is a ridiculous argument, Adobe's Flash player isn't open source.
Furthermore, the theory held by armchair security researchers / sheeple compsci majors that "thousands of eyeballs make all bugs shallow" hasn't held up worth a darn in general. One of the most scrutinized codebases on the planet (BIND) has had an uncounted number of eyeballs peruse the code, yet still vulnerabilities are found.
But hey keep on the "open source r0x0rz" bandwagon because independent thought might be really hard.
blue moon
Posted 6:29 AM 9/4/08
The best part of all the fallout from the pwn2own contest was the quote from the guy who took down Vista: he said that the same flaw would take down Linux, but he just didn't want to bother.
So, Linux is more secure because no one gives a rat$ a$$? Now *that's* funny.
drtigerlilly
Posted 5:40 AM 7/4/08
Why does everyone keep posting that the Ubuntu machine was impenetrable, when they clearly said there were exploits, they just didn't want to put in the time to do the code... it makes the OS sound better than it is.