Bit Tech noticed that this month's Patch Tuesday update cycle from Microsoft did not fix a critical security vulnerability in Internet Explorer 10 that was discovered at last month's Pwn2Own competition at the CanSecWest security conference. The bug is a nasty one: it enables hackers to take control of a fully patched Windows 8 system when a specially crafted webpage is loaded in Internet Explorer 10. It's unknown when Microsoft plans to fix this bug, but unless the company releases an out-of-cycle patch, the second Tuesday of May is the soonest date we could see a fix.
Microsoft's Internet Explorer 10 running on a fully-patched Windows 8 installation was one of the browsers to fall victim to security researchers at the annual Pwn2Own competition, held at the CanSecWest security conference. Using a previously-undetected flaw in IE10, security firm Vupen was able to take control of the system - and, in doing so, found itself $100,000 in prize money richer.
As part of the contest rules, Vupen was required to disclose details of the vulnerability to Microsoft without making it public until the company had a chance to patch the flaw - a distinct departure from the company's usual tactic of selling zero-day exploit details for profit. Accordingly, it was expected that this month's Patch Tuesday update release would include a fix for the flaw - something Microsoft desperately needs to do, given the seriousness of the flaw and the fact that its rivals in the browser market have already patched their own Pwn2Own vulnerabilities.