The hacking challenge kicked off at 3:30 p.m. PT, slightly later than scheduled, at the CanSecWest security conference, which runs March 9-11 in Vancouver, British Columbia.
A team from the French security company Vupen walked off with $15,000 and a new MacBook Air after exploiting an unpatched vulnerability in Safari.
“Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest,” Vupen said Wednesday afternoon on its Twitter account several hours before the contest began. “This breaks some exploits but not all!!”
TippingPoint’s Peter Vreugdenhil said the browsers were “frozen” two weeks before today’s tip-off with the then-current versions of Safari, Google’s Chrome 9, Microsoft‘s IE8 and Mozilla’s Firefox 3.6, to give researchers a stationary target.
“Exploit development does sometimes rely on certain versions and that is the reason we have frozen the devices,” Vreugdenhil said in an e-mail today.
This was the first time in four years that Safari had fallen to someone other than Charlie Miller, an analyst with the security consulting group Independent Security Evaluators (ISE), and co-author of The Mac Hackers Handbook. Miller won at Pwn2Own in 2008, 2009 and 2010 by exploiting Safari.