Microsoft won't patch IE before Pwn2Own

Will address four vulnerabilities in next week's Patch Tuesday, including first fix for Windows 7 SP1

Microsoft today revealed that it will not update Internet Explorer (IE) before the Pwn2Own hacking contest begins next week.

Instead, Microsoft plans to ship three security updates on Tuesday to patch four vulnerabilities in Windows and its Office Groove 2007 collaboration software, the company announced today.

It wasn't unexpected that Microsoft passed up a last chance to patch IE before Pwn2Own, the contest that pits security researchers against four browsers: IE, Apple's Safari, Google's Chrome and Mozilla's Firefox. Pwn2Own will run March 9-11 in Vancouver, British Columbia, at the CanSecWest security conference.

Because Microsoft has taken to delivering IE updates in even-numbered months, and last patched its browser on Feb. 8 as part of a large 22-fix slate, it would have been uncharacteristic for it to return to IE this month.

"That's something to note," said Josh Abraham, security researcher at Rapid7.

Instead of devoting resources to rushing out an IE update before Pwn2Own, Abraham speculated, Microsoft may wait to see what IE exploits hackers reveal at the contest, then put its efforts into patching them as quickly as possible.

Google and Mozilla have already issued updates this week for Chrome and Firefox, respectively, and Apple will probably patch Safari before Pwn2Own kicks off.

Of the security updates -- Microsoft calls them "bulletins" -- that it will deliver next week, two affect Windows, while the third impacts Groove 2007. One of the two Windows updates will be rated "critical," the top threat level in Microsoft's four-step system, while the remaining pair will be labeled "important."

According to the advance notification Microsoft issued today for next week's Patch Tuesday, all three updates will quash one or more bugs that can be exploited by attackers to hijack a personal computer or server, then infect those systems with malicious code.

The critical Windows update will also mark the first time Microsoft will ship a patch for Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. The company shipped both service packs only a month ago.

With few clues to go on in the advance notification and no additional information offered by Microsoft on its blogs, Abraham said it was virtually impossible to puzzle out the likely targets of next week's updates.

"They didn't give any details [on the MSRC blog], which they often have," said Abraham. "That's a bit disappointing. Any additional information we can get is helpful."

Abraham's best bet?

"We'll probably see the same kinds of things that we've seen already, which are drive-by based malware attacks," he said, referring to the kinds of exploits triggered when hackers manage to dupe users into visiting malicious Web sites.

What's certain is that IT administrators will appreciate the light load after much larger batches in December 2010 and February 2011. "System administrators will enjoy months like this when they get them," said Abraham. "It lets them play a bit of catch-up."

Microsoft will release its three updates at approximately 1 p.m. ET on March 8.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.

Copyright © 2011 IDG Communications, Inc.
