At the recent CanSecWest conference, Shane Macaulay and Dino Dai Zovi worked in tandem to successfully break into a MacBook Pro running OS X by using a zero-day exploit. Initially thought to affect only OS X, the security flaw is now believed to also affect Windows platforms.

The CanSecWest organizers issued an open invitation for all comers to attempt to break into one of two MacBook Pro systems running OS X. Whoever could do so successfully would win the computer. TippingPoint (a division of 3Com) added to the challenge by offering a $10,000 cash prize in exchange for exclusive rights to details about how a break-in was accomplished. TippingPoint is known to pay for exploit details as part of its Zero Day Initiative program that "\[rewards\] security researchers for responsibly disclosing discovered vulnerabilities."

The flaw was discovered by Zovi. Since he wasn't at the conference, Macaulay, who was there, executed the exploit to win the challenge. The exploit involves Apple QuickTime media player used in combination with Java. Macaulay set up an OS X server on the conference network and then had a conference worker enter a specific URL into the Safari browser running on the MacBook. The URL led to a server run by the team, which launched the exploit without any further user intervention. Macaulay then gained shell access to the MacBook system.

The flaw is considered to be very dangerous because a user's system can become completely compromised by simply clicking a URL that leads to a server that hosts hostile code.

TippingPoint notified Apple about the flaw on April 23. No information is available yet as to when Apple might issue a security patch to fix the problem. However, users can defend themselves in the meantime by disabling Java on systems where QuickTime is installed.