PWN to Own Hack-a-Mac Contest

This contest was ongoing while we were out at CanSecWest Conference. As it turned out, the initial rules had to be relaxed to allow for a larger attack surface, when no one was able to own the Macs. After this happened, Dino Dai Zovi and Shane Macaulay (K2) worked together to compromise a Mac. How did they do this? By finding a new vulnerability in Safari browser, and crafting a 0-day exploit for the vulnerability in Safari.

The point here is that in the real world, an attacker would not have to 'adhere' to any rules of engagement when compromising a system. The attacker will simply go for the path of least resistance when figuring out what to exploit (e.g., vulnerable web browsers). It's not entirely surprising that there's a new vulnerability and exploit for Safari. This just goes to show that there are still a lot more web browser bugs and vulnerabilities that have yet to be found.