Microsoft has detailed the security fixes that will form its monthly Patch Tuesday update next week - this time to include a fix for the vulnerability in Internet Explorer exploited as part of the Pwn2Own competition back in March.
An integral part of the annual CanSecWest security conference in Vancouver, Pwn2Own sees security researchers pitting their minds against fully-patched computers running popular operating system and browser combinations. If they can gain access to the system using a previously unknown vulnerability, they win themselves the hardware - and, more lucratively, up to $100,000 in prize money.
The 2013 Pwn2Own contest concentrated on exploiting target systems through the web browser - an increasingly common attack vector for crackers, vxers and other electronic ne'er-do-wells. Vulnerabilities were found in Google's Chrome, Mozilla's Firefox, Oracle's Java and Microsoft's Internet Explorer in the first two days of competition - and patches for the flaws, privately disclosed to the software vendors in question as part of the contest rules, quickly followed in the days after the contest.
Well, patches for most
of the flaws followed. Sadly, Microsoft - for reasons it did not make public - opted to leave the vulnerability unpatched
, allowing its April Patch Tuesday to pass without a fix for the flaw. While the vulnerability, discovered by security firm Vupen, was not made public as part of the competition, vague clues as to its method of operation could not help but leak out - meaning crackers were given a window of opportunity to discover the flaw themselves and exploit it for ill.
While Microsoft has wavered from its monthly update cycle in the past for high-risk vulnerabilities, it has steadfastly refused to do so for this latest bug - leaving users running its Internet Explorer 10 browser vulnerable to attack. Thankfully, that window of vulnerability is now closing with the news that Microsoft is to finally release a patch for the flaw next week.
In addition to fixing the Pwn2Own vulnerability, Microsoft's latest batch of updates - released, as usual, on the second Tuesday of the month - will include additional security holes in Internet Explorer, a potential spoofing vulnerability in the .NET Framework, a denial of service (DoS) vulnerability in Windows itself, a remote code execution bug in Lync, information disclosure issues in Office and Windows Essentials, more remote code execution flaws in Office, and a privilege escalation vulnerability in Windows which allows attackers to bump up their access rights.
As usual, the updates are a recommended install for anyone connecting Windows systems to the internet - although given the problems caused by an update in the company's last Patch Tuesday batch
, it's probably a good idea to back up your system before installation.