Microsoft patches IE8's Pwn2Own bug

Microsoft patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.

The update was the largest from Microsoft so far this year.

Today's patch for IE8 was the last of those used to hack three browsers – Mozilla's Firefox and Apple's Safari as well as IE – at the March challenge. Mozilla patched Firefox April 1, eight days after the contest, while Apple fixed its flaw on April 14, 21 days post-Pwn2Own. This year, both Mozilla and Apple beat the time it took them to patch the vulnerabilities used in 2009's edition of Pwn2Own.

Microsoft essentially matched its patch speed of last year, when it also fixed 2009's Pwn2Own flaw with a June update.

"Actually, that's a pretty quick turn-around," said Aaron Portnoy, security research team lead with HP TippingPoint's Zero Day Initiative (ZDI) bug-bounty program. TippingPoint and ZDI sponsored this year's Pwn2Own, as it did the three years prior.

Researchers put the IE update at the top, or near the top of their to-do lists.

"IE is certainly the most important of the 10 to patch," said Andrew Storms, the director of security operations for nCircle Security, citing the six flaws fixed in the MS10-035 update.

Microsoft rated the IE update as "critical," the highest threat ranking in its four-step scoring system, and said the six fixes within the update addressed two critical bugs, two marked "important" and two more tagged as "moderate."

In late March, Dutch researcher Peter Vreugdenhil, a Pwn2Own newcomer, exploited a vulnerability in IE8 running on Windows 7 with attack code called at the time "technically impressive" by Portnoy. To hack IE8, Vreugdenhil first had to bypass the operating system's primary defenses – Data Execution Prevention, or DEP, as well as Address Space Layout Randomization (ASLR).

Vreugdenhil used a two-exploit combination to circumvent first ASLR and then DEP to successfully break into IE8 within two minutes.

Josh Abraham, a security researcher with Rapid7, slipped MS10-035 a bit farther down his list. "I think people should be patching the media decompression vulnerability first," he said, referring to MS10-033. "I'd put the IE update directly following that."

Storms also put the spotlight on MS10-033, another of the three critical updates Microsoft issued today. "It's another 'movies-to-malware' kind of vulnerability, with exploits of malicious media files in a classic drive-by attack scenario," said Storms.

Full story:<a href='http://www.computerworld.com/s/article/9177824/Microsoft_patches_IE8_s_Pwn2Own_bug_in_massive_update'>Patch

korg