Microsoft patches IE8's Pwn2Own bug in massive update
Part of a record-tying 34-fix Patch Tuesday for Windows, Office, IE and other mission-critical software
Computerworld - Microsoft today patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.
The update was the largest from Microsoft so far this year.
Today's patch for IE8 was the last of those used to hack three browsers -- Mozilla's Firefox and Apple's Safari as well as IE -- at the March challenge. Mozilla patched Firefox April 1, eight days after the contest, while Apple fixed its flaw on April 14, 21 days post-Pwn2Own. This year, both Mozilla and Apple beat the time it took them to patch the vulnerabilities used in 2009's edition of Pwn2Own.
Microsoft essentially matched its patch speed of last year, when it also fixed 2009's Pwn2Own flaw with a June update.
"Actually, that's a pretty quick turn-around," said Aaron Portnoy, security research team lead with HP TippingPoint's Zero Day Initiative (ZDI) bug-bounty program. TippingPoint and ZDI sponsored this year's Pwn2Own, as it did the three years prior.
Researchers put the IE update at the top, or near the top of their to-do lists.
"IE is certainly the most important of the 10 to patch," said Andrew Storms, the director of security operations for nCircle Security, citing the six flaws fixed in the MS10-035 update.
Microsoft rated the IE update as "critical," the highest threat ranking in its four-step scoring system, and said the six fixes within the update addressed two critical bugs, two marked "important" and two more tagged as "moderate."
In late March, Dutch researcher Peter Vreugdenhil, a Pwn2Own newcomer, exploited a vulnerability in IE8 running on Windows 7 with attack code called at the time "technically impressive" by Portnoy. To hack IE8, Vreugdenhil first had to bypass the operating system's primary defenses -- Data Execution Prevention, or DEP, as well as Address Space Layout Randomization (ASLR).
Vreugdenhil used a two-exploit combination to circumvent first ASLR and then DEP to successfully break into IE8 within two minutes.
Josh Abraham, a security researcher with Rapid7, slipped MS10-035 a bit farther down his list. "I think people should be patching the media decompression vulnerability first," he said, referring to MS10-033. "I'd put the IE update directly following that."
Storms also put the spotlight on MS10-033, another of the three critical updates Microsoft issued today. "It's another 'movies-to-malware' kind of vulnerability, with exploits of malicious media files in a classic drive-by attack scenario," said Storms.
MS10-033 contains fixes for two vulnerabilities, both critical, that affect every supported operating system in Microsoft's portfolio, including the newest, Windows 7. Microsoft said that DirectX, the Windows media runtime, the encoder and a COM component all contain bugs.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts