
Safari vulnerability exposed in MacBook Pro hacking contest

Written by Jason D. O'Grady, Contributor

If you bought a Mac because you thought that it was an impenetrable fortress immune from being hacked, you may want to think again.

Hackers Dino Dai Zovi and Shane Macaulay were able to hijack a MacBook Pro as part of the "PWN to OWN" contest at the CanSecWest security conference in Vancouver, British Columbia.

From the conference Web site:

We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple Macbook Pro's will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, Can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker.

The duo succeeded only after the contest rules were relaxed, a change made because nobody had breached either of the Macs on the first day. Dai Zovi found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. News.com's Joris Evers quoted Dai Zovi in a telephone interview from New York as saying "The vulnerability and the exploit are mine... Shane is my man on the ground."

Macaulay will take home the loaded MacBook Pro, while Dai Zovi has his eye on a larger prize. He plans to apply for TippingPoint's Zero Day Initiative bug bounty program, which is offering a US$10,000 prize for a previously unknown Apple bug.

Apple isn't saying anything about the exploit, but you can probably expect another security update to address the Safari vulnerability in the coming weeks.
