The annual “Pwn2Own” contest has just kicked off at CanSecWest, and Apple was the first to fall. A fully patched Snow Leopard machine running Safari was made to launch an application (Calculator) and write a file, just from visiting a specific web page. It didn’t even crash the browser!
The exploit is in WebKit, meaning it could potentially apply to iOS browsers as well, though that has yet to be demonstrated. And to be fair, most of the other browser/OS combos will get taken down over the next couple of days as well.