bit-tech.net

Microsoft leaves IE10 Pwn2Own vulnerability unpatched

The flaw in Internet Explorer 10 exploited by Vupen at the annual Pwn2Own contest remains unpatched, with Microsoft now likely to wait until May to release a fix.

We've just passed the second Tuesday of the month, which means Microsoft has released its regular collection of bug fixes and updates - but in doing so appears to have missed out something rather important: a fix for the Internet Explorer flaw uncovered at the Pwn2Own contest last month.

Microsoft's Internet Explorer 10 running on a fully-patched Windows 8 installation was one of the browsers to fall victim to security researchers at the annual Pwn2Own competition, held at the CanSecWest security conference. Using a previously-undetected flaw in IE10, security firm Vupen was able to take control of the system - and, in doing so, found itself $100,000 in prize money richer.

As part of the contest rules, Vupen was required to disclose details of the vulnerability to Microsoft without making it public until the company had a chance to patch the flaw - a distinct departure from the company's usual tactic of selling zero-day exploit details for profit. Accordingly, it was expected that this month's Patch Tuesday update release would include a fix for the flaw - something Microsoft desperately needs to do, given the seriousness of the flaw and the fact that its rivals in the browser market have already patched their own Pwn2Own vulnerabilities.

Sadly, that isn't the case: while Microsoft has released fixes for a pair of other remote-code execution vulnerabilities in versions of Internet Explorer between 6 and 10 inclusive, it has not yet patched the vulnerability discovered by Vupen in the contest. With Microsoft loath to break with its monthly update cycle - only releasing so-called 'out-of-band' patches in cases of dire emergency - it's likely that IE users will remain vulnerable for another month at least.

While that's not great news, it's at least mitigated by the fact that - as far as anybody is aware - knowledge of the precise mechanisms required to craft an exploit for the vulnerability is not yet public. As a result, the race is now on for attackers to find the same flaw picked up by Vupen in its Pwn2Own entry and begin using it to attack target systems before Microsoft can release a patch for the issue next month.

Other flaws that have been fixed in this month's patch release include a remote code execution vulnerability in the Remote Desktop Client, a denial of service vulnerability in Active Directory, an information disclosure vulnerability in SharePoint, a flaw in the Microsoft HTML Sanitisation Component of Microsoft Office, and numerous privilege escalation vulnerabilities in the Windows kernel. In other words: the lack of a fix for the Pwn2Own IE10 vulnerability should not be used as a reason not to bother installing Microsoft's latest round of fixes.

17 Comments

Corky42 10th April 2013, 10:42 Quote
Wasn't the point of Windows Update to keep systems secure and up to date?
Microsoft seem to be contradicting that by not releasing updates when they are available and instead once per month.
Gareth Halfacree 10th April 2013, 10:49 Quote
Quote:
Originally Posted by Corky42
Microsoft seem to be contradicting that by not releasing updates when they are available and instead once per month.
Fixed-period update cycles are common in enterprise software. Before a fix can be installed in an enterprise environment, it has to be fully tested: imagine if your business relies on BespokeSoftware v13.42, and a Windows Update patch to fix something unrelated made BespokeSoftware v13.42 stop working - or, worse, appear to work fine but silently break things in the background. Nightmare, right?

So, before any patch is installed, it undergoes internal testing. This is why Microsoft provides tools for centralised management of Windows Update updates: you are alerted to new updates, you can download 'em and try them out on a test system or twelve, then when you're *sure* it fixes more than it breaks you can hit the 'go' button and roll it out across your userbase.

With a monthly update cycle, you know to schedule in a bit of time - typically the second week of the month, from the Tuesday release to Friday - for testing the patches. If they were released piecemeal, you'd have to employ someone whose sole job was to watch for the 'New Patch Downloaded' notification, test it, release it, then realise four other patches have been released during the testing period and start again. Sisyphus and the rock, basically.
Corky42 10th April 2013, 11:06 Quote
Yeah, I get the enterprise thing, but wasn't Windows Update mainly intended for home users?
The kind of people that don't know what security is or why they should patch software.

Most enterprises I know would either disable auto updates or use a system update server so, like you say, they can test the updates when they see fit, be that monthly or twice a year, etc, etc.
RichCreedy 10th April 2013, 11:59 Quote
It's not just enterprise that has been broken by updates before though, it could be any software on any Windows computer that may get broken by an update released willy-nilly.

If they haven't released the fix for it yet, there is probably a very good reason, and they may still be working on it.
Corky42 10th April 2013, 13:13 Quote
Chrome and Firefox manage to release a fix relatively quickly, yet Microsoft with a direct channel to there to roll out updates still hasn't over a month later.

Even if, as RichCreedy said, it may have broken something like some previous updates.
There is still no excuse when the problem automatic Windows Update was introduced for (to make sure customers get updates in a timely manner) is now being caused by the same company.
magicpixel 10th April 2013, 14:06 Quote
Quote:
Originally Posted by RichCreedy
It's not just enterprise that has been broken by updates before though, it could be any software on any Windows computer that may get broken by an update released willy-nilly.
I know I'm out of context here but that just reminded me of:
.
..
...
You know we're sitting on four million pounds of fuel, one nuclear weapon and a thing that has 270,000 moving parts built by the lowest bidder. Makes you feel good, doesn't it?
-Rockhound 'Armageddon'
RichCreedy 10th April 2013, 16:18 Quote
@ corky, you are forgetting Internet Explorer is far more integrated into Windows than Firefox or Chrome
jrs77 10th April 2013, 16:30 Quote
Quote:
Originally Posted by RichCreedy
@ corky, you are forgetting Internet Explorer is far more integrated into Windows than Firefox or Chrome

That's exactly the problem of IE imho. Being so heavily integrated makes the whole system more vulnerable.
BentAnat 10th April 2013, 16:39 Quote
Without details on the exact exploit, isn't it a bit speculative to say the exploit was IE per se and not Windows 8?
Gareth Halfacree 10th April 2013, 23:16 Quote
Quote:
Originally Posted by BentAnat
Without details on the exact exploit, isn't it a bit speculative to say the exploit was IE per se and not Windows 8?
The Pwn2Own contest this year was to attack machines specifically through the web browser: it's an IE10 bug, not a Windows 8 bug. That much is publicly known.
Corky42 11th April 2013, 00:53 Quote
Not that I know much (anything) about hacking, but I know the hacks were via the browsers.
From my understanding they used code that could be run from a malicious web page to leverage a kernel vulnerability in Windows in order to escalate privileges.

http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

So is it a bit of both, or is the first point of attack the part that gets the blame?
Gradius 11th April 2013, 06:48 Quote
I don't care about IE, I don't use it since v6.
Gradius 11th April 2013, 06:50 Quote
"So is it a bit of both, or is the first point of attack the part that gets the blame?"

The user of course. He always needs to have a REAL firewall if he still uses the Internet, especially nowadays.
BentAnat 11th April 2013, 10:59 Quote
Quote:
Originally Posted by Gareth Halfacree
The Pwn2Own contest this year was to attack machines specifically through the web browser: it's an IE10 bug, not a Windows 8 bug. That much is publicly known.

Point I was getting at being that IE10 was the ONLY (according to Bit-Tech and a quick google around) machine running Win8, where all the others ran Win7.
Quote:
Originally Posted by Corky42
Not that I know much (anything) about hacking, but I know the hacks were via the browsers.
From my understanding they used code that could be run from a malicious web page to leverage a kernel vulnerability in Windows in order to escalate privileges.

http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

So is it a bit of both, or is the first point of attack the part that gets the blame?

Exactly. It was a browser exploit, but it could WELL be that the fix needs to be done in Windows 8, since it's merely one show-o-fact for a bigger problem.
Corky42 11th April 2013, 11:16 Quote
Quote:
Originally Posted by BentAnat
Exactly. It was a browser exploit, but it could WELL be that the fix needs to be done in Windows 8, since it's merely one show-o-fact for a bigger problem.

Then how do you explain Chrome and Firefox releasing patches for the same exploit 2-3 days after it was discovered?
BentAnat 11th April 2013, 14:34 Quote
Chrome and FF ran on Windows 7 - it might not be the exact same vulnerability...

Not trying to argue here, just pointing out that it seems like there might have been something that was overlooked.
Corky42 11th April 2013, 15:37 Quote
Very well spotted :)

I can't find any information about whether they managed to do the same with IE9 running on Windows 7, as the only thing people seem to report is IE10 hacked on Windows 8.

You would think a distinction would be made that only Chrome, Firefox and IE9 were attempted on Windows 7.
And the only browser to be tested on Windows 8 was IE10.