Apple Safari hacked in matter of seconds

A security researcher has hacked into a fully-patched Macbook in seconds by exploiting a security flaw in Apple's Safari browser, according to reports.

Security analyst Charlie Miller won a thousand dollar prize and a new Macbook at Canada's CanSecWest security conference in its Pwn2Own contest, an annual hacking competition pitting researchers against browser technologies.

Ryan Naraine, a security evangelist for Kaspersky, was twittering and blogging from the event.

Naraine said that Miller used a drive-by exploit that he had already tested carefully, after coming to the conference with a plan to hack into the browser.

Miller said: "It took a couple of seconds. They clicked on the link and I took control of the machine."

Miller won the contest last year when he managed to hack another fully patched Macbook, that time "only" in minutes.

Naraine said that TippingPoint's Zero Day initiative acquired exclusive rights to the vulnerability and would coordinate the disclosure and patch release process with Apple.

Microsoft's new Internet Explorer 8 browser and Mozilla Firefox lasted longer, but were also hacked in the first day of the conference.

A security researcher called "Nils" took full control off a Sony Vaio running Windows 7 using a drive-by download attack. Microsoft's security response team was reported to have witnessed the exploit.

"Nils" was also the second hacker to beat Safari, and also exploited a Firefox zero-day flaw.

Perhaps surprisingly, Microsoft pledged its support to the competition.

Sarah Blankinship, security strategist for Microsoft's Ecostrat team, said in a blog post that good security dictated that you couldn't hide from the truth and every issue was an opportunity to learn and improve.

She said: "We recognise that all vendors' products may be found vulnerable.

"Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering."

Apple declined to comment, while Mozilla had not responded to our request for comment at time of writing.