Massive Microsoft Patch Tuesday targets Internet Explorer 8 Pwn2Own bug

Microsoft today patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.

Share

Microsoft today patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.

The update was the largest from Microsoft so far this year.

Today's patch for IE8 was the last of those used to hack three browsers -- Mozilla's Firefox and Apple 's Safari as well as IE -- at the March challenge. Mozilla patched Firefox April 1, eight days after the contest, while Apple fixed its flaw on April 14, 21 days post-Pwn2Own. This year, both Mozilla and Apple beat the time it took them to patch the vulnerabilities used in 2009's edition of Pwn2Own.

Microsoft essentially matched its patch speed of last year, when it also fixed 2009's Pwn2Own flaw with a June update.

"Actually, that's a pretty quick turn-around," said Aaron Portnoy, security research team lead with HP TippingPoint's Zero Day Initiative (ZDI) bug-bounty program. TippingPoint and ZDI sponsored this year's Pwn2Own, as it did the three years prior.

Researchers put the IE update at the top, or near the top of their to-do lists.

"IE is certainly the most important of the 10 to patch," said Andrew Storms, the director of security operations for nCircle Security, citing the six flaws fixed in the MS10-035 update.

Microsoft rated the IE update as "critical," the highest threat ranking in its four-step scoring system, and said the six fixes within the update addressed two critical bugs, two marked "important" and two more tagged as "moderate."

In late March, Dutch researcher Peter Vreugdenhil , a Pwn2Own newcomer, exploited a vulnerability in IE8 running on Windows 7 with attack code called at the time "technically impressive" by Portnoy. To hack IE8, Vreugdenhil first had to bypass the operating system's primary defenses -- Data Execution Prevention, or DEP, as well as Address Space Layout Randomization (ASLR).

Find your next job with computerworld UK jobs