Video: Microsoft responds to Pwn2Own IE hack

Summary: Microsoft Security Response Center (MSRC) director Mike Reavey talks about the CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.


Just moments after researchers from VUPEN used two zero-day vulnerabilities to hack into the Internet Explorer 9 browser, I caught up with Mike Reavey, senior director in the Microsoft Security Response Center (MSRC) to get his response to the attack and some information on what happens next.

    • This is so 30 seconds ago.

      Dietrich T. Schmitz *Your
    • Google published an update the next day = poor testing

      One point to note here is that Google published an update the next day, which brings into question their testing process and is worrying for any business who uses Google software. How did Google make sure that nothing breaks because of the update without proper testing??? This is a perfect example that all their software is beta and not suited for business.
      • Microsoft responds to Pwn2Own IE hack

        CanSecWest Pwn2Own challenge that saw a successful exploit of two zero-day vulnerabilities in the Internet Explorer 9 browser.

        Internet Explorer flaws went undetected for a very long time. "This goes all the way back to IE 6. It will work on IE 6 all the way to IE 10 on Windows 8," Bekrar said. (VUPEN co-founder)

        Poor testing?
        • not a logical argument.

          Software will always have bugs; rushing out a patch without proper testing is not very assuring for business...
        • The article is not about Google

          You are trying to redirect the article with an off topic comment.
        • Errr......

          More likely a bug that no one noticed. Sh?t happens.

          @daikon: Why is what owllnet said off topic?
        • If they went undetected for a long time

          If they went undetected for a long time, isn't that proof that the vulnerability was not particularly urgent?

          Let's get serious here, it is not possible to do so much testing that you detect every possible flaw...

          Let's imagine an alternative world where everyone does as much 'testing' as you seem to think is necessary before releasing a product...

          'Microsoft announced today that its new operating system, Windows 1.0, will be released soon. "No more than 5, maybe 10 more years of testing will be needed before this thing is ready," said the MS spokesman. "Sure, 30 years of testing might seem excessive to some, but it is necessary to make sure we eliminate every conceivable flaw before we put out a product; that's only responsible."'
          Doctor Demento
      • I suggest you read Google's explanation of how that attack succeeded

        It wasn't Chrome itself, but rather the Flash plug-in from Adobe that fell.

        Meanwhile, why aren't I hearing anything about OS X or Safari falling?
      • Ya.

        Google doesn't do much testing if an update is out the day after. Now you know why each update of their browser corrects usually a dozen or so vulnerabilities in the previous version [see NIST newsletters]. This goes on and on like this.
        • Maybe, but...

          Maybe Google knows their software better... Better design, better control, better product!
          Johan Safari
    • Was this posted for a reason?

      Is there a lot of interest in what happens next, or is there a lot of confusion about the vagaries of software development and patching witchcraft?