ISE security researchers Charlie Miller, Jake Honoroff, and Mark Daniel used a zero-day vulnerability in Apple's Safari 3.1 Web browser to hack the MacBook Air in just two minutes.
The researchers from Independent Security Evaluators (ISE) were participating in the "PWN to OWN" competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia.
Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.
That changed Thursday when attacks on default client-side applications -- Web browser, e-mail, IM -- were allowed. Using attack code already set up on a Web site, the ISE team "tricked" the judges operating the MacBook into visiting the site and retrieving a file.
The team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air.
The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.
The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.