
Microsoft patches final Pwn2Own IE bug

Microsoft has patched the last vulnerability in Internet Explorer discovered by a researcher in March of 2011 during the Pwn2Own hacking contest. The researcher, who also won $15,000 for his discovery, exploited a vulnerability in IE so that he could insert malware onto the computer.

“Yes MS11-057 patches the final bug, the protected mode bypass, that I used in my Pwn2Own exploit, the other two being a use-after-free which was patched in MS11-018 and an information leak patched in MS11-050,” Stephen Fewer of Harmony Security stated. Fewer was the guy who discovered this flaw during Pwn2Own.

Microsoft gives credit to Fewer for discovering this flaw, but the company isn’t really classifying it as a security flaw. “Yes, this update addresses a Protected Mode bypass issue, publicly referenced as CVE-2011-1347.”

Fewer chained three exploits to bypass IE’s sandbox, which is called Protected Mode. Doing so allowed him to insert malware onto the computer.

As far as next year’s Pwn2Own, Fewer adds, “I don’t have any plans as of yet for next year’s competition, but if I have a few new bugs handy closer to the time, who knows?”

The update for this vulnerability is included in August’s Patch Tuesday updates, which include MS11-057 for IE, and can be downloaded and installed via Microsoft Update and Windows Update.
