Microsoft patches IE8's Pwn2Own bug in massive update
Part of a record-tying 34-fix Patch Tuesday for Windows, Office, IE and other mission-critical software
Computerworld - Microsoft today patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.
The update was the largest from Microsoft so far this year.
Today's patch for IE8 was the last of those used to hack three browsers -- Mozilla's Firefox and Apple's Safari as well as IE -- at the March challenge. Mozilla patched Firefox April 1, eight days after the contest, while Apple fixed its flaw on April 14, 21 days post-Pwn2Own. This year, both Mozilla and Apple beat the time it took them to patch the vulnerabilities used in 2009's edition of Pwn2Own.
Microsoft essentially matched its patch speed of last year, when it also fixed 2009's Pwn2Own flaw with a June update.
"Actually, that's a pretty quick turn-around," said Aaron Portnoy, security research team lead with HP TippingPoint's Zero Day Initiative (ZDI) bug-bounty program. TippingPoint and ZDI sponsored this year's Pwn2Own, as it did the three years prior.
Researchers put the IE update at the top, or near the top of their to-do lists.
"IE is certainly the most important of the 10 to patch," said Andrew Storms, the director of security operations for nCircle Security, citing the six flaws fixed in the MS10-035 update.
Microsoft rated the IE update as "critical," the highest threat ranking in its four-step scoring system, and said the six fixes within the update addressed two critical bugs, two marked "important" and two more tagged as "moderate."
In late March, Dutch researcher Peter Vreugdenhil, a Pwn2Own newcomer, exploited a vulnerability in IE8 running on Windows 7 with attack code called at the time "technically impressive" by Portnoy. To hack IE8, Vreugdenhil first had to bypass the operating system's primary defenses -- Data Execution Prevention, or DEP, as well as Address Space Layout Randomization (ASLR).
Vreugdenhil used a two-exploit combination to circumvent first ASLR and then DEP to successfully break into IE8 within two minutes.
Josh Abraham, a security researcher with Rapid7, slipped MS10-035 a bit farther down his list. "I think people should be patching the media decompression vulnerability first," he said, referring to MS10-033. "I'd put the IE update directly following that."
Storms also put the spotlight on MS10-033, another of the three critical updates Microsoft issued today. "It's another 'movies-to-malware' kind of vulnerability, with exploits of malicious media files in a classic drive-by attack scenario," said Storms.
MS10-033 contains fixes for two vulnerabilities, both critical, that affect every supported operating system in Microsoft's portfolio, including the newest, Windows 7. Microsoft said that DirectX, the Windows media runtime, the encoder and a COM component all contain bugs.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts