Using a zero-day vulnerability in Adobe’s ubiquitous Flash Player, hacker Shane Macaulay hacked into a Windows Vista laptop to win a $5,000 cash prize at this year’s CanSecWest Pwn2Own challenge.
Macaulay, who uses the “K2” hacker moniker, also won the Fujitsu U810 laptop running Windows Vista Ultimate SP1 that he hijacked with the exploit.
According to sources at the conference, the Adobe Flash vulnerability is “cross-platform.”
Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the CanSecWest Pwn2Own challenge. Officials from ZDI have confirmed that the flaw is unpatched and are coordinating the disclosure process with Adobe.
Earlier in the week, security researcher Charlie Miller hijacked Apple’s MacBook Air with a drive-by exploit against the Safari browser. That exploit carried a $10,000 cash prize, plus the hacked laptop.
A Sony VAIO VGN-TZ37CN machine running Ubuntu 7.10 “Gutsy Gibbon” was the only laptop left standing after the three-day challenge.