Safari zero-day exploit nets $10,000 prize
20th April 2007 23:38 GMT
A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple's Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest "pwn-2-own" contest in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.
The exploit means that Dino Dai Zovi is the rightful owner of the 2.3GHz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program. More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines.
Dai Zovi, who is not attending the conference, was recruited on Thursday night by Shane Macaulay, a friend and conference attendee. The ease Dai Zovi found in pwning the machine was all the more remarkable, given an update Apple pushed out yesterday patching 25 Mac security holes. Macaulay described Dai Zovi's vulnerability as a client-side JavaScript error that executed arbitrary code when Safari visited a booby-trapped website.

The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000.

Things changed significantly on Day 2. That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari.

At the time of writing, a second MacBook Pro had successfully withstood attacks. ®