Apple released a QuickTime update on Tuesday to block an exploit created to win a Mac-hacking contest launched last month at the CanSecWest conference in Vancouver, British Columbia.
To generate interest in the contest, 3Com's TippingPoint division tempted technology gurus with a $10,000 prize in exchange for demonstrating how to breach a Mac through a Web browser vulnerability.
As it turns out, by enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker can exploit the QuickTime bug, leading to arbitrary code execution, according to an Apple bulletin.
The bug is considered "very serious," Apple said, and can be exploited through any Java-enabled browser, including Microsoft's Internet Explorer 7, Mozilla's Firefox, and Apple's own Safari. The vulnerability affects Macs and Windows PCs.
Apple's Quick Response
Michael Sutton, a security evangelist at SPI Dynamics and former director of VeriSign iDefense Labs, said he was encouraged to see Apple respond to the threat in just over one week.
"Given that the vulnerability was used at a large computer security conference, the likelihood that it would leak to others is high," Sutton noted. "The concerning issue here is that a war chest of exploits exists that have yet to be reported to vendors."
The QuickTime flaw, Sutton continued, is a situation in which a researcher hadn't yet completed work on a particular exploit, but had incentive to do so when cash and a free laptop were on the line.
"The challenge for vendors going forward is to open a line of communication with the researchers that are discovering these vulnerabilities and encourage reporting as quickly as possible," he concluded.
Gartner Condemns Hack Contest
Gartner's security experts condemned the hack-a-Mac challenge. A duo of Gartner analysts described it as a "risky endeavor" and urged sponsors to reconsider public contests along those lines in the future.
In a research note that Gartner published on Monday, analysts Rich Mogull and Greg Young said, "Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements."
The pair went on to note that vulnerability research is an extremely valuable endeavor for ensuring more secure I.T. However, conducting vulnerability research in a public venue, they added, could potentially lead to these vulnerabilities being mishandled or treated too lightly -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers.