Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Swordmaker

And of course- where are the testing criteria listed? What specific devices are being “hacked”? What is turned on or off in the built-in and default security settings? Are the hackers given direct access to the devices?

I’m all about security - but some of these “tests” in the past really were more about social engineering (like so many Windows-based exploits) than actual flaws.

Inquiring minds want to know...


7 posted on 03/18/2016 9:12:22 AM PDT by TheBattman (Isn't the lesser evil... still evil?)


To: TheBattman
And of course- where are the testing criteria listed? What specific devices are being “hacked”? What is turned on or off in the built-in and default security settings? Are the hackers given direct access to the devices?

I’m all about security - but some of these “tests” in the past really were more about social engineering (like so many Windows-based exploits) than actual flaws.

Inquiring minds want to know. . .

The attacks on Apple OS X all involved Safari and two or three other vulnerabilities running in either Safari plug-ins or OS X. Details of those are not released and will not be until patches are released. However, it means you are right. The White Hat hacker directs the moderator to navigate to a prepared website, then either download and run a prepared file, or click on a script invoking a plug-in which causes the vulnerability that allows the watching hacker to move in on the now-vulnerable Mac. They are, essentially, proof-of-concept Trojans. #1 required a Safari flaw plus THREE other vulnerabilities in three other apps running simultaneously to achieve root.

The odds of any one particular user having all four of those running are probably pretty small. Safari usage itself is about 80%, then the plug-in might be only 5-10%, so that's 4 to 8%. Then, of those, the next app running in the background may be 50%, to be generous, so we are down to 2 to 4%, and even if the third factor is 25%, the risk factor is 0.5% to 1%. Now add in the requirement to hit the correct website with the malicious file to download or script, and you are looking at perhaps one in 10,000 at most. This is why, when you look at the statistics for OS X hacks, the infection numbers are usually listed as fewer than 100 machines exploited!

Could it be dangerous? You bet. Should it be patched? Of course. It will probably be done very rapidly for Safari.

9 posted on 03/18/2016 11:09:32 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson