Vista Hacked Through Adobe Flash, Ubuntu Stands
By Jennifer LeClaire
March 31, 2008 9:01AM

Microsoft's Vista Ultimate SP1 and Apple, Inc.'s MacBook Air have been hacked through applications, with only Ubuntu unbreached in the Pwn to Own challenge at CanSecWest. The zero-day vulnerabilities in Microsoft and Apple's systems have been reported. Shane Macaulay won a laptop and $5,000 for hacking Microsoft Windows Vista.
 


Last week saw the MacBook Air hacked through a Safari browser at the CanSecWest security conference. But before the week ended, Microsoft's Vista Ultimate also fell victim to hackers in the Pwn to Own challenge.

CanSecWest organizers offered a Fujitsu U810 laptop running Vista Ultimate SP1 to any security researcher who could find a way to breach security and gain access to the contents of system files using a previously undisclosed zero-day attack.

Shane Macaulay from Security Objectives won the laptop by exploiting an Adobe Flash zero-day vulnerability. The vulnerability was disclosed to Adobe, which is reportedly working on the issue. No other information is available about the Adobe flaw. Macaulay also won a $5,000 cash prize.

At the end of the last day of the three-day hacker challenge, which was sponsored by 3Com's TippingPoint, only the Sony VAIO laptop running Ubuntu (Linux) was left standing.

Shifting Rules

On the first day of the contest, hackers were only allowed to hack into the computers over a network. No one was able to claim the prizes. On the second day, the rules changed. Contestants were allowed to use the machines to visit Web sites and open e-mail messages.

That rule change made it possible for Charlie Miller, a researcher at Independent Security Evaluators, to hack the MacBook Air using the Safari browser within two minutes.

But the Vista and Ubuntu laptops seemingly remained airtight. On the third day of the contest, the judges again broadened the rules, opening up the scope beyond just default installed applications on those laptops to any popular third-party application, such as Adobe's Acrobat Reader, the Firefox browser, and voice-over-IP program Skype.

Macaulay installed Adobe Flash on the laptops and proceeded to compromise the system. Macaulay had some help from Security Objectives colleague Derek Callaway and independent researcher Alexander Sotirov.

Means Justifies the End

Contests such as this tend to be high profile and gain a great deal of attention, but people need to realize that similar vulnerabilities are discovered every day and many stay hidden in the underground where they are used by attackers for some time before they're patched, according to Michael Sutton, director of security research at Safe Channel and a former director at VeriSign iDefense.

"Third-party researchers deserve to be rewarded for the considerable work that goes into uncovering vulnerabilities, so long as they handle the issues responsibly and report them to the appropriate parties to ensure that patches are created and distributed," Sutton said. "In this case, the contest does just that, so the end justifies the means."

Client-side vulnerabilities like the ones exploited in the hacking contest are an increasingly popular attack vector. It's easy to protect a single server that's guarded by a well-designed fortress of controls, Sutton explained, but it's a nightmare to secure thousands of client-side applications under the control of nonsecurity-savvy end users.
 
