There's a hole in Safari, dear Liza
Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here.
Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!
Another year, another Pwn2Own at CanSecWest and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds" give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. As the barrier was lowered, an email was sent to the judges, who clicked on it, and that link took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, "wrote the exploit overnight in about 9 hours" as MacDailyNews reports. Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild and the hole has been properly disclosed to Apple.
As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" then those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.
Thanks to everyone who sent this in!
Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we...