A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple's Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest "pwn-2-own" contest in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.

The exploit means that Dino Dai Zovi is the rightful owner of the 2.3Ghz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program. More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines.

Dai Zovi, who is not attending the conference, was recruited on Thursday night by Shane Macaulay, a friend and conference attendee. The ease Dai Zovi found in pwning the machine was all the more remarkable, given an update Apple pushed out yesterday (http://www.theregister.com/2007/04/19/apple_security_patch/) patching 25 Mac security holes. Macaulay described Dai Zovi's vulnerability as a client-side javascript error that executed arbitrary code when Safari visited a booby-trapped website.

The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2.

That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari. At the time of writing, a second MacBook Pro had successfully withstood attacks. ®

Related stories

eBay pulls Vista laptop pwned in hacking contest (2 April 2008)
http://www.channelregister.co.uk/2008/04/02/ebay_pulls_hacked_laptop/
Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest (29 March 2008)
http://www.channelregister.co.uk/2008/03/29/ubuntu_left_standing/
Mac is the first to fall in Pwn2Own hack contest (28 March 2008)
http://www.channelregister.co.uk/2008/03/28/mac_hack/
So what's the easiest box to hack - Vista, Ubuntu or OS X? (19 March 2008)
http://www.channelregister.co.uk/2008/03/19/pwn2own_contest_returns/
Mozilla confirms own URL handling bug (25 July 2007)
http://www.channelregister.co.uk/2007/07/25/firefox_url_bug/
Security researchers poke holes in Safari (12 June 2007)
http://www.channelregister.co.uk/2007/06/12/safari_security_bugs/
Poisoned MP4 files threaten Winamp users (2 May 2007)
http://www.channelregister.co.uk/2007/05/02/winamp_0-day/
Apple board backs Jobs against ex-CFO allegations shock (25 April 2007)
http://www.theregister.co.uk/2007/04/25/apple_q2_revenues_2007/
QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
http://www.channelregister.co.uk/2007/04/25/quicktime_vuln_fells_mac/
Apple plugs 25 security holes (19 April 2007)
http://www.channelregister.co.uk/2007/04/19/apple_security_patch/
Apple megapatch fixes multiple flaws (14 March 2007)
http://www.channelregister.co.uk/2007/03/14/apple_megapatch/
Apple releases last pre-Leopard update for Mac OS X (14 March 2007)
http://www.reghardware.co.uk/2007/03/14/apple_updates_osx/
Apple QuickTime update lances multiple bugs (6 March 2007)
http://www.channelregister.co.uk/2007/03/06/apple_quicktime_update/
The rise of zero-day patches (2 March 2007)
http://www.channelregister.co.uk/2007/03/02/zero-day_patches_interviews/
Apple patches QuickTime bug (24 January 2007)
http://www.channelregister.co.uk/2007/01/24/apple_patches_quicktime_bug/
Month of Apple Bugs scheme yields first fixes (5 January 2007)
http://www.reghardware.co.uk/2007/01/05/apple_fixes_project/
Unpatched bug bites QuickTime (3 January 2007)
http://www.channelregister.co.uk/2007/01/03/quicktime_vuln/
Month of Apple bugs planned for January (20 December 2006)
http://www.channelregister.co.uk/2006/12/20/month_of_apple_bugs/
Apple blocks Mac OS X security holes (29 November 2006)
http://www.reghardware.co.uk/2006/11/29/apple_patches_osx_security/
Unpatched bug bites Apple Mac OS X (22 November 2006)
http://www.channelregister.co.uk/2006/11/22/mac_zero_day_bug/
Skype patches Mac OS X flaw (4 October 2006)
http://www.channelregister.co.uk/2006/10/04/skype_mac_security_update/