2 guys, 9 hours of work and 1 exploit in Safari = a 17" MacBook Pro and $10,000 (not bad at all)
A zero-day vulnerability in Safari, the default browser on Apple's Mac OS X, let a CanSecWest security conference attendee take down one of the contest's two MacBooks, aided by a New York friend with years of experience hacking Macs.
Shane Macaulay, a developer of binary security analysis tools, is going home with a 17-inch MacBook and sending $10,000 in prize money to his friend, Dino Dai Zovi. Dai Zovi told eWEEK in an interview from his apartment in New York that he had been up since 10 p.m. on Thursday, following a phone call from Macaulay asking whether he could help him in the CanSecWest Pwn-2-Own contest. By 7 a.m. he had the exploit in hand.
"I was up all night. I haven't slept yet," Dai Zovi said around 5:45 PST. "I sat down at 10 last night and by 7 a.m. I had a working vulnerability."
Dai Zovi said he "had some ideas" of where to attack. "I have my notes about what I've looked at, and what I haven't. I have little notes about something over here looking fishy, so check it out."
As a matter of fact, he had investigated and reported to Apple a similar Safari vulnerability some two years earlier.
Macaulay pwned the Mac by sending it an e-mail that directed a user to a malicious site. Upon visiting the site, the user, a CanSecWest organizer seated at the machine to protect it from physical tampering, was infected with malware without clicking on anything within the page: simply loading the site was enough.
On this, the last day of the security conference, none of the attendees had managed to convincingly compromise either of the two laptops as of the morning. At first, the terms of the contest stipulated only that a remote attacker had to gain user-level access on a 15-inch MacBook or administrative privileges on a 17-inch MacBook.
On Thursday, TippingPoint sweetened the deal by pitching in $10,000 for hackers who managed to pwn the systems, in answer to hackers who had shrugged off the idea of swapping a lucrative Apple zero-day for a mere MacBook.
The value of such a vulnerability on the open market is reportedly around $20,000.
Read all about it here courtesy of securitywatch.eweek.com
Eric