During the CanSecWest Pwn2Own hacker challenge here, Fewer exploited three different vulnerabilities to hack into IE 8 on Windows 7 (SP1). The attack included an impressive Protected Mode sandbox escape and netted Fewer a $15,000 cash prize and a brand-new Sony laptop.
In a statement released after the contest, Microsoft said it quickly determined that the remote code execution issue does not affect its newest browser, which is slated for final release next Monday (March 14, 2011).
Fewer said he had to use three different vulnerabilities to avoid multiple anti-exploit mitigations (ASLR, DEP and Protected Mode). Microsoft has confirmed two additional flaws used at Pwn2Own but did not say if these were also patched in IE 9.
The company said a patch is currently being tested for release on "down level" versions of Internet Explorer.
Here's Microsoft's statement:
During the annual Pwn2Own competition at CanSecWest, Microsoft learned of a vulnerability in Internet Explorer 8. Microsoft quickly determined that the vulnerability has already been addressed in the RC and RTM versions of Internet Explorer 9. The update is also in the pipe for down level versions of Internet Explorer. As this vulnerability does not affect IE9, Microsoft encourages customers to take advantage of the security improvements offered by the browser which is being released to the web on March 14.
Microsoft continues to encourage coordinated vulnerability disclosure as the most effective policy for protecting the internet ecosystem. We appreciate ZDI’s practice of disclosing vulnerabilities directly to affected software companies and the opportunity to continually improve the security of Microsoft’s products. We believe that the research that comes out of conferences like this is extremely valuable; this is why Microsoft sponsors this and other researcher events around the world.
Microsoft did not say when the fix for IE 8 and down level versions will be released.