The flaw in Internet Explorer 10 exploited by Vupen at the annual Pwn2Own contest remains unpatched, with Microsoft now likely to wait until May to release a fix.
We've just passed the second Tuesday of the month, which means Microsoft has released its regular collection of bug fixes and updates - but in doing so appears to have missed out something rather important: a fix for the Internet Explorer flaw uncovered at the Pwn2Own contest last month.
Microsoft's Internet Explorer 10 running on a fully-patched Windows 8 installation was one of the browsers to fall victim to security researchers
at the annual Pwn2Own competition, held at the CanSecWest security conference. Using a previously-undetected flaw in IE10, security firm Vupen was able to take control of the system - and, in doing so, found itself $100,000 in prize money richer.
As part of the contest rules, Vupen was required to disclose details of the vulnerability to Microsoft without making it public until the company had a chance to patch the flaw - a distinct departure from the company's usual tactic of selling zero-day exploit details for profit
. Accordingly, it was expected that this month's Patch Tuesday update release would include a fix for the flaw - something Microsoft desperately needs to do, given the seriousness of the flaw and the fact that its rivals in the browser market have already patched their own Pwn2Own vulnerabilities.
Sadly, that isn't the case: while Microsoft has released fixes for a pair of other remote-code execution vulnerabilities in versions of Internet Explorer between 6 and 10 inclusive, it has not yet patched the vulnerability discovered by Vupen in the contest. With Microsoft loath to break with its monthly update cycle - only releasing so-called 'out-of-band' patches in cases of dire emergency - it's likely that IE users will remain vulnerable for another month at least.
While that's not great news, it's at least mitigated by the fact that - as far as anybody is aware - knowledge of the precise mechanisms required to craft an exploit for the vulnerability is not yet public. As a result, the race is now on for attackers to find the same flaw picked up by Vupen in its Pwn2Own entry and begin using it to attack target systems before Microsoft can release a patch for the issue next month.
Other flaws that have been fixed in this month's patch release include a remote code execution vulnerability in the Remote Desktop Client, a denial of service vulnerability in Active Directory, an information disclosure vulnerability in SharePoint, a flaw in the Microsoft HTML Sanitisation Component of Microsoft Office, and numerous privilege escalation vulnerabilities in the Windows kernel. In other words: the lack of a fix for the Pwn2Own IE10 vulnerability should not be used as a reason not to bother installing Microsoft's latest round of fixes.