
30-Second Mac Hack Nets $10,000

At the CanSecWest PWN to OWN competition, the goal was simple: exploit a zero-day vulnerability to earn a cash prize (and take the hacked machine home with you). Contestants were given the choice of three fully patched targets: a Sony VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, or a MacBook Air running OSX 10.5.2.

The team of Dr. Charlie Miller, Jake Honoroff, and Mark Daniel (this team was also one of the first to discover vulnerabilities in the Apple iPhone) chose the Mac. It took seven and a half minutes to boot the MacBook, but only 30 seconds to compromise it. So how’d they do it? They tricked the judges into visiting a specially crafted website designed to exploit a zero-day vulnerability in Apple’s Safari browser.

The cash prize was $10,000 and the MacBook Air retails for between $1800 and $3000 USD. So roughly, the team earned a little over $400 a second, excluding boot time. The contest was sponsored by the TippingPoint Zero Day Initiative and the exploited zero-day vulnerability was responsibly disclosed to Apple.

For further details, see “PWN to OWN Day Two: First Winner Emerges!”

Posted on Friday, March 28, 2008 at 07:35AM by Mary Landesman
