updated 10:05 pm EST, Wed March 9, 2011
Team exploits WebKit vulnerability
Security researchers from the French company Vupen hacked a MacBook running Safari to win the Pwn2Own hacking contest this week at the CanSecWest security conference. The group discovered and exploited an unpatched vulnerability in Safari's WebKit engine. The browser was directed to a website designed to take advantage of the flaw, enabling the hackers to remotely launch the calculator application and write a file to the disk.
The team of three researchers claimed to have spent several weeks homing in on the potential vulnerability and building an exploit, according to a ZDNet report. Despite the apparent ease with which the group compromised the system, Vupen co-founder Chaouki Bekrar suggests it was a "somewhat difficult" challenge to create an exploit for the 64-bit version of Mac OS X.
"There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results," Bekrar said. "But it's much more difficult to exploit it on x64 and to make your exploit very reliable."
The successful hackers were awarded $15,000 in cash, along with a 13-inch MacBook Air.