MacBook hacked: bad news, good news
The bad news is that late last week, at CanSecWest, a researcher was successful in breaking into a fully-updated MacBook as part of the hack-a-Mac contest there. But there's lots of good news too.
The conference organizers made two MacBooks available on their network, saying that anyone who broke into them successfully could take them home. A $10,000 prize was also added to the pot. One piece of good news is that no one was able to simply break in while the Macs sat passively on the network (a situation which has led to a number of serious Windows worms over the years). At that point, the organizers started allowing people to submit URLs that the MacBooks would then pull up in Safari. The assumption was that these URLs would point to malicious Web sites exploiting a flaw in Safari that would allow the machine to be taken over. After 9 hours or so, that's exactly what happened to one of the MacBooks (the second MacBook was never taken over, even with the more relaxed rules, another piece of good news).
The winning researcher, Shane Macaulay, actually teamed with a remote researcher, Dino Dai Zovi, who reportedly had previously spent time looking at Mac OS X and related applications for similar exploitable bugs. Dai Zovi until recently worked for security firm Matasano. Postings on the Matasano Web site imply that the bug is in the Java implementation within Safari, and other Web browsers as well. If this analysis is correct, turning off Java until Apple has a fix should provide adequate protection. Since Java is not necessary for most sites, this temporary solution is another piece of good news. It's also likely that, although the bug is in both Intel and PowerPC versions of the browsers, the full exploit only works on Intel versions.
Finally, the fact that the Macs did not fully survive the contest is even good news in many ways. No OS is perfect, and the further you get from the OS, the less perfect things often are. Web browsers are particularly vulnerable, and Java implementations (if that's really where the flaw is) even more so. The Mac's failing this test in this way is no surprise (in fact we said here previously “there’s a real chance that the Mac may not withstand this serious challenge”). There will no doubt be more negative press than the issue deserves, but in many ways Mac users need to be over-exposed to such issues because they are, in general, way under-exposed in terms of their awareness of these issues. Most Mac users (readers of this blog excepted, of course) have taken Mac security for granted for way too long. Perhaps the Mac's “losing” this contest, and the resulting hullabaloo, will help to change that situation.
Monday, April 23, 2007