TippingPoint held another contest last week, which involved hacking a couple of fully patched Apple products, like the Apple MacBook Air. Reportedly it was hacked under two minutes by Charlie Miller's team. And guess what? they've exploited a Safari bug. That is right, the browser. It doesn't come as a surprise actually, since Safari is just the lamest browser ever. I was hoping they would exploit something very exotic instead of attacking a browser to gain access to the machine, but this was not the case. It sure shows again that browsers are an important attack vector to compromise a machine remotely. On the last day, Microsoft VISTA was also hacked due to a flaw in the Adobe Flash plugin.
I haven't played much with Safari yet, since it crashed a couple of times when I tried to install it. But given it's history of a ton of vulnerabilities involving QuickTime and other plugins, it really doesn't come as a surprise. I believe in hacking browsers, for this reason alone. The browser is a critical bridge between surfer safety and a total compromise.
