Microsoft: Pwn2Own flaw already fixed in IE9

VANCOUVER -- Microsoft says the vulnerability used by researcher Stephen Fewer to exploit Internet Explorer 8 has already been fixed in the RC and RTM versions of Internet Explorer 9.

During the CanSecWest Pwn2Own hacker challenge here, Fewer exploited three different vulnerabilities to hack into IE 8 on Windows 7 (SP1).  The attack included an impressive Protected Mode sandbox escape and netted Fewer a $15,000 cash prize and a brand-new Sony laptop.

In a statement released after the contest, Microsoft said it quickly determined that the remote code execution issue does not affect its newest browser, which is slated for final release next Monday (March 14, 2011).

[ SEE: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

Fewer said he had to use three different vulnerabilities to avoid multiple anti-exploit mitigations (ASLR, DEP and Protected Mode).  Microsoft has confirmed two additional flaws used at Pwn2Own but did not say if these were also patched in IE 9.

The company said a patch is currently being tested for release on "down level" versions of Internet Explorer.

Here's Microsoft's statement:

During the annual Pwn2Own competition at CanSecWest, Microsoft learned of a vulnerability in Internet Explorer 8. Microsoft quickly determined that the vulnerability has already been addressed in the RC and RTM versions of Internet Explorer 9. The update is also in the pipe for down level versions of Internet Explorer. As this vulnerability does not affect IE9, Microsoft encourages customers to take advantage of the security improvements offered by the browser which is being released to the web on March 14.

Microsoft continues to encourage coordinated vulnerability disclosure as the most effective policy for protecting the internet ecosystem. We appreciate ZDI’s practice of disclosing vulnerabilities directly to affected software companies and the opportunity to continually improve the security of Microsoft’s products. We believe that the research that comes out of conferences like this is extremely valuable; this is why Microsoft sponsors this and other researcher events around the world.

Microsoft did not say when the fix for IE 8 and down level versions will be released.

Talkback

15 comments
  • RE: Microsoft: Pwn2Own flaw already fixed in IE9

    Ok, so until March 14th, hackers are free to do as they wish?
    tatiGmail
    • RE: Microsoft: Pwn2Own flaw already fixed in IE9

      @tatiGmail
      Malicious hackers are *always* free to do as they wish if they are determined and clever enough. This applies to all OS's.
      jugandj
    • The vulnerability isn't published

      @tatiGmail

      They are new. There aren't any in-the-wild attacks, this is a proof of concept attack at a conference. The vulnerability is then disclosed to Microsoft and they fix it. Likely it's not that the flaw was patched in IE9 but rather the changes in the architecture of IE9 means whatever was targeted in IE8 isn't there in IE9.

      I'm sure it will be patched in the upcoming patch Tuesday. If it turns out to be something that does end up in the wild then we'll see it pushed out sooner. And don't forget it only gained user level access, so the system wasn't completely overtaken. It also requires a user to go to a site, which means it's not like someone can take over your PC while it's sitting there.
      LiquidLearner
      • RE: Microsoft: Pwn2Own flaw already fixed in IE9

        @LiquidLearner
        Regarding "user level access", although this is perhaps not as bad as administrator level access:
        1. You can still do a lot of havoc (e.g. Put one of those fake anti-virus programs that tries to trick you into paying money for it - for the current user)
        2. There are plenty of Privilege Escalation vulnerabilities in Windows, which Microsoft plainly won't fix - because it can be fixed/mitigated by the "10 Immutable Laws of Security" (e.g. "Your Privileges Escalation code will only be run if the user starts your program, so what's the problem?").
        xnederlandx
      • RE: Microsoft: Pwn2Own flaw already fixed in IE9

        @XnederlandX

        I didn't mean to say the flaw was unimportant, just not this huge issue the original poster was making it out to be. I understand that user access is still bad but not as bad as full control of the system. And chaining 4+ vulnerabilities is an awful lot of work.

        It will be fixed but I have no reason to think this should be an out-of-band patch is all.
        LiquidLearner
      • RE: Microsoft: Pwn2Own flaw already fixed in IE9

        @LiquidLearner Chances are you are correct regarding the out-of-cycle patch. I don't foresee this vulnerability becoming a big issue either (since details haven't been made public AFAIK).
        Although I am getting annoyed at Microsoft for constantly downplaying the criticality of their vulnerabilities because it is "just" user level privileges... (and then not fixing any privilege escalation issues).
        xnederlandx
      • RE: Microsoft: Pwn2Own flaw already fixed in IE9

        @LiquidLearner
        Besides, the IE Hack wasn't a 1 flaw hack, the attackers had to spend six weeks coding together three separate flaws to make it effective. And because of the rules of Pwn2Own, the flaws won't be released until MS has been given time to fix them.
        brendan9
    • RE: Microsoft: Pwn2Own flaw already fixed in IE9

      @tatiGmail
      For people running IE8 (or previous versions, if they too are affected), and so long as an out-of-cycle patch isn't provided, yes.
      xnederlandx
    • Yep, for 3 more days

      Considering an out of cycle patch would be done around then, or maybe a couple of days later, I don't see how this is so bad.
      Michael Alan Goff
    • RE: Microsoft: Pwn2Own flaw already fixed in IE9

      @tatiGmail

      Microsoft at least is fixing the issue in the downstream IE versions. Apple hasn't even spoken about the iPhone Safari vulnerability which Charlie Miller used to pwn an iPhone. I bet you are stopping using your iPhone until Apple releases a fix ;)
      DontBeEvil
    • RE: Microsoft: Pwn2Own flaw already fixed in IE9

      @tatiGmail

      No.

      1. Users of recent versions of Windows can upgrade to IE9 RC now, and indeed could have done before Pwn2own.

      2. The precise vulnerability hasn't been publicly disclosed, and presumably won't be until after the patch has been shipped, so users of old versions of Windows can patch IE8 before black hats get hold of the details.

      I like Pwn2own because it reveals security issues, which can then be patched before black hats discover them. However, vendors who put an unusually large effort into patching holes just ahead of Pwn2own, releasing giant patches just ahead of it, are actually wasting resources. They're duplicating the work of the white hats in the run-up to Pwn2own, in order to gain some cheap publicity.

      A more effective use of resources is to continue as normal (as Microsoft did), and wait to see what the white hats can find. In one case, Microsoft had already patched the hole in IE9 (maybe it was caused by an ordinary bug that was fixed), but in the other two they may now be able to patch two holes they didn't know about. More importantly, resources that might have been wasted finding/patching these holes just before Pwn2own can now be used to find other bugs/holes, producing a browser that's more secure overall.
      WilErz
      • This assumes blackhats don't already know about the exploit.

        @WilErz: "2. The precise vulnerability hasn't been publicly disclosed, and presumably won't be until after the patch has been shipped, so users of old versions of Windows can patch IE8 before black hats get hold of the details."

        I wouldn't hang my hat on that assumption.
        ye
    • RE: Microsoft: Pwn2Own flaw already fixed in IE9

      @tatiGmail use the IE9 RC? It's out now, it addresses the vulnerability...
      mary.branscombe
  • 2 More days :)

    Will be waiting for the RC version of IE 9 in Windows Update. If it starts up just as fast as chrome, then I might just start using it a bit more. Otherwise, it will remain as I currently use it.

    So far, I only use it when other applications, like "Windows Help and Support", open a link in it instead of my default browser "Google Chrome" :D
    MrElectrifyer
  • RE: Microsoft: Pwn2Own flaw already fixed in IE9

    Great!!! thanks for sharing this information to us!
    talih