Microsoft: Pwn2Own flaw already fixed in IE9

Summary:Microsoft says the vulnerability used by researcher Stephen Fewer to exploit Internet Explorer 8 has already been fixed in the RC and RTM versions of Internet Explorer 9.

VANCOUVER -- Microsoft says the vulnerability used by researcher Stephen Fewer to exploit Internet Explorer 8 has already been fixed in the RC and RTM versions of Internet Explorer 9.

During the CanSecWest Pwn2Own hacker challenge here, Fewer exploited three different vulnerabilities to hack into IE 8 on Windows 7 (SP1).  The attack included an impressive Protected Mode sandbox escape and netted Fewer a $15,000 cash prize and a brand-new Sony laptop.

In a statement released after the contest, Microsoft said it quickly determined that the remote code execution issue does not affect it's newest browser, which is slated for final release next Monday (March 14, 2011).

follow Ryan Naraine on twitter

[ SEE: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

Fewer said he had to use three different vulnerabilities to avoid multiple anti-exploit mitigations (ASLR, DEP and Protected Mode).  Microsoft has confirmed two additional flaws used at Pwn2Own but did not say if these were also patched in IE 9.

The company said a patch is currently being tested for release on "down level" versions of Internet Explorer.

Here's Microsoft's statement:

During the annual Pwn2Own competition at CanSecWest, Microsoft learned of a vulnerability in Internet Explorer 8. Microsoft quickly determined that the vulnerability has already been addressed in the RC and RTM versions of Internet Explorer 9. The update is also in the pipe for down level versions of Internet Explorer. As this vulnerability does not affect IE9, Microsoft encourages customers to take advantage of the security improvements offered by the browser which is being released to the web on March 14.

Microsoft continues to encourage coordinated vulnerability disclosure as the most effective policy for protecting the internet ecosystem. We appreciate ZDI’s practice of disclosing vulnerabilities directly to affected software companies and the opportunity to continually improve the security of Microsoft’s products. We believe that the research that comes out of conferences like this is extremely valuable; this is why Microsoft sponsors this and other researcher events around the world.

Microsoft did not say when the fix for IE 8 and down level versions will be released.

Topics: Security, Enterprise Software, Microsoft


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.