The MacBook hijack required that Safari opened a specially rigged Web site (Techmeme discussion).
Dai Zovi is credited with finding the flaw and writing the exploit. Macaulay, who was at the conference and served as the man on the ground, keeps the hijacked MacBook while Dai Zovi will put in a claim for the $10,000 bounty offered by TippingPoint's Zero Day Initiative.
Here's the formal announcement from CanSecWest organisers:
At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed)More from Matasano Security and Joris Evers.
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.