Note, all of these security patches had been added to the target computers.
By two people on an insecure network, and it required one of them to sit at the machine. And they lowered security to try to achieve that result.
I'm not saying Mac OS is completely bulletproof -- this isn't the first potential exploit in the wild. And of course, no system is secure if the luser is dumb enough to download an app or open an e-mail attachment and then type in a password.
But I have yet to see or hear of OS X spyware, viruses or trojans in the wild. And it's certainly not something any script kiddie can do. The closest thing I've seen is one site where a white-hat used a known exploit to save a text file to my hard drive to warn of a vulnerability back in about 10.2 -- I blocked the applicable port, and Apple patched it soon after.
Note, all of these security patches had been added to the target computers.
I"m nt so sure of that -- the 2007-004 patch was released Thursday, after the contest had begun -- the head of the contest says "all the latest" patches were applied, but it's not clear when he said that or whether he'd heard of the brand-new one. That said, it doesn't really matter, because the 2007-004 documentation doesn't say anything about it patching a Safari vulnerability.