That's How Rumors Start

No stolen exploit, but still disable Java in your browser

April 26, 2007


5:15 PM -- When you dangle $10,000 and a free MacBook -- OK, anything free -- in front of a group of hackers as a challenge, you'd expect exploits to come fast and furious. But the hack-a-MacBook Pro contest (pwn-2-own) at last week's CanSecWest confab in Vancouver took on a life of its own the past few days, with rumors of a hacker lifting the winning exploit off an unsecured WiFi network and the frightening possibility of imminent and widespread attacks.

Cries of "disable Java in your browser" reverberated across the blogosphere, as revelations came to the surface that the QuickTime bug not only applied to the Safari browser that was used in the contest, but also to Firefox and Internet Explorer, expanding the scope of the bug. It also not only affects OS X, but Windows, too.

Turns out the blogosphere bit itself in the backside. There is no proof the blogger claiming to have grabbed the exploit (InfoSec Sellout) did so, and the network over which the contest ran was a secure, wired network, under supervision, according to CanSecWest officials. The latest: InfoSec Sellout's words were mischief-making rather than malicious. But boy, did they cause a stir.

The frantic search for exploits by researchers came against a backdrop of debate over whether 3Com/TippingPoint had gone too far by offering a prize that gave the company "ownership" of a potentially big bug, and then announcing that its own customers were safe and sound. But Terri Forslof, manager of security response for TippingPoint, says the company was approached by CanSecWest organizers at the show to purchase the winning exploit. "I said yes as long as it meets the standards of our program, and it's responsibly reported."

"The important thing is that by putting the bounty on this bug and purchasing it through our Zero Day Initiative program, we were able to ensure responsible disclosure of it." And, Apple had the bug within 30 minutes of the contract being signed for it, she adds.

The QuickTime vulnerability affects Java-enabled browsers on all browser platforms, she says.

So for now, the best defense is to disable Java in your browser, according to Thomas Ptacek, a researcher at Matasano Security.

But what we really want to know is what the winning hacker, Dino Dai Zovi, will do with that $10K? My guess is he won't be buying a new MacBook Pro.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
