VANCOUVER — A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win this year’s Pwn2Own hacker challenge.
VUPEN co-founder Chaouki Bekrar lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.
The hijacked machine was running a fully patched version of Mac OS X (64-bit).
In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks finding the vulnerability (using fuzzers) and writing a reliable exploit.
VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X Snow Leopard.