
0day posts

Filed under: Security

MacBook Air knocked out quickly in CanSecWest contest

Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.

Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.

[via Engadget]

Filed under: Analysis / Opinion, Software, Internet Tools, Security

Windows Safari bugs and exploits "popping up like hotcakes"



Safari has been available on Windows for less than 24 hours, and already the hacker community is apparently tearing it to shreds. The Errata Security blog has been keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software's release (and says more are "popping up like hotcakes"). And just to be clear on the use of "0-day exploit": it means Larholm found a way to execute any piece of code on a Windows box when Safari visits a properly crafted site, successfully exploiting the vulnerability on the same day it was found.

What will this mean for Safari's reputation and traction in the Windows market? I'm not really sure yet. There are any number of reasons behind Apple's decision to develop Safari for Windows, and even though a healthy pool of tech-savvy users is already tinkering with it (for better and for worse), the real results will be seen once it reaches much more of the mainstream market. One of the primary reasons (besides making it easy for Windows-based web developers to write web apps for the iPhone, of course) for SafariWin, as some are calling it, is that the tiny little search box in the upper right of a browser has become quite a revenue generator if the browser does decently in the market. When users search through that box, the browser manufacturer makes some money off the resulting ads that are displayed along with that search. Firefox reportedly made around $50-75 million last year for Mozilla because of that little search box (not bad for an open source product, eh?). You don't have to be Internet Explorer to bring home at least some bacon for your company; heck, I would bet that Opera is still in business largely due to their search box as well.

But none of these reasons will mean anything, and Safari won't generate nearly as much revenue for Apple, if it doesn't gain at least a respectable share of Windows users who are actually firing up Safari to search, browse the web, and view and click on ads. But if Safari keeps getting torn apart like this within 24 hours of a release, it could gain a terrible reputation before it ever hits the radar of a crucial portion of the general public. In this new web browsing and computing world where security is everything when you talk about a browser, Safari needs to plug these exploit holes ASAP if it plans to get any farther than the fleeting front page of digg.
