Internet Explorer 9 flaws found in Pwn2Own event

Internet Explorer 9 is vulnerable to not one but two separate zero-day exploits that have been discovered by the French research team VUPEN as part of the CanSecWest Pwn2Own competition. ZDNet reports that the team found the flaws and used them to hack into a fully patched Windows 7 PC.

The code used to exploit the flaws was activated only by surfing to an infected web site. The team's methods will also work on Internet Explorer 8 and on IE 10 running the newly launched Consumer Preview version of Windows 8. The team that discovered these issues says that the flaws actually go back all the way to IE 6. Two team members worked for six weeks on the project.

The good news? Microsoft representatives were attending the Pwn2Own event. The company plans to work on fixing the issues found by VUPEN once they have received the specific information from the event's organizers.

Interestingly, VUPEN claims that overall, Internet Explorer 10 running on the Consumer Preview is harder to exploit than previous versions of IE due to new mitigations put in by Microsoft.

VUPEN also found issues with Google's Chrome web browser and created exploits for already patched issues during the event.


Wonder how serious it is in real life. I have never had browser security bypassed and my computer hacked... Are all these even serious?.......

tanjiajun_34 said,
Wonder how serious it is in real life. I have never had browser security bypassed and my computer hacked... Are all these even serious?.......

Your chance of being targeted as an individual is pretty low, especially if you are not visiting or downloading "suspicious" websites\stuff. But when it comes to companies, the military etc. it gets really important. Stuxnet\Duqu is really a good example. Also, botnets which use thousands of computers to DDoS websites or send spam. In most of those cases you won't notice anything significant or know you got hacked. Hackers do everything they can to avoid the user knowing he\she got owned.

tHaCuBe said,
So, Safari is the last browser standing?

The VUPEN team said they have exploits working for Safari, and Firefox too.

ian said,

... and in less than 24 hours Google has released an update (17.0.963.78) for the browser which fixes the security threat.

And they paid them $10K. When will IE9 be fixed?

UndergroundWire said,

And they paid them $10K. When will IE9 be fixed?


Note that this code is under NDA with the event organisers and MS, so specifics about it won't be released until MS has created and distributed a patch.

ian said,

... and in less than 24 hours Google has released an update (17.0.963.78) for the browser which fixes the security threat.

Not the point.. His point is that this makes the news page and Chrome didn't. Both are as bad as each other.

Xerax said,
Not the point.. His point is that this makes the news page and Chrome didn't. Both are as bad as each other.

Except Google had a quicker resolution and paid the person(s) $10K. That is why they hold these things. They want bugs to be found. The end result is, who fixed quicker.

ian said,

... and in less than 24 hours Google has released an update (17.0.963.78) for the browser which fixes the security threat.

Except that Chrome has been hacked twice the same day.
Only one of the flaws is fixed (the one from the Pwnium contest).
The other one (from the Pwn2Own contest) is not, as the VUPEN team is not going to release the details about the sandbox bypass to Google.

UndergroundWire said,

And they paid them $10K. When will IE9 be fixed?


There was a security researcher yesterday who found a hole in Chrome and got $60,000 O:

ian said,

... and in less than 24 hours Google has released an update (17.0.963.78) for the browser which fixes the security threat.

You did see that their 'update' was also cracked almost instantly... LOL

(Remember this when you think 'fast updates' are ALWAYS better.)

UndergroundWire said,

Except Google had a quicker resolution and paid the person(s) $10K. That is why they hold these things. They want bugs to be found. The end result is, who fixed quicker.

A quicker fix, that was instantly hacked...

It amazes me that people truly think a 'fast fix' is a good thing.

I would rather have something fixed right, even if I had to compromise and work around the flaw.

(Outside of Pwn2Own where 'fixes' are tested, how many 'fast fixes' actually stop the exploits fully, and how many are left untested so that people only 'feel' better that they got a 'fast fix'?)

Freaking Google apologists, why?

Google is using WebKit, a technology they did NOT design. They are using a sandbox security model that was created by Microsoft for IE7 on Vista, and Microsoft even helped Google by freely giving them the design reference model of the concept and sharing IE code with them. Later when Google wanted to add 'plugin' technology to Chrome, Microsoft AGAIN helped with the security broker technologies, which are based on IE's sandbox broker technologies.


Why the idolization of Google, when they didn't create the HTML rendering technology or the engine, have made fewer improvements and code additions than Apple has with Safari, and took help from Microsoft to create a secure browser technology?

And ironically, Google's CEO and officers trash Microsoft in the news and interviews any chance they get, even saying Microsoft doesn't create technology or innovate.

thenetavenger said,
...
Microsoft did event the personal computer, Apple did. So what's your point? Apple didn't event the tablet, but why are they doing really well? Who cares who invented what? It's who does it better.

Google trashes Microsoft. Boo hoo. Apple trashes Microsoft and Google. Microsoft trashes Google and Apple. Google trashes Apple and Microsoft. That's life. I can trash you. You can trash me, it doesn't mean you are right.

The fact is Microsoft is not innovative in certain fields. Apple is not innovative in certain fields. Google is not innovative in certain fields. I'm not sure how exposed you are to the real world but that is how businesses are. They love to exaggerate. None of what you are telling me is any surprise to me. I'm only surprised that you're crying about one company doing it to Microsoft. That makes you a bit of a fanboy.

If you are too sensitive to that, perhaps you should evaluate how the real world works or not say anything at all.

Personally I'd rather have a fast fix. Because another one is always on the way. Microsoft's model of mostly waiting on the second Tuesday of the month is pretty stupid. If a fix is made, release it. Because it's not like Microsoft will ever stop releasing fixes. Same thing with any major software company.

Xerax said,
Not the point.. His point is that this makes the news page and Chrome didn't. Both are as bad as each other.

Not even close!

IE is MUCH better than Google's BS ANYDAY, and I don't give a flying you know what, about what anyone here says.

UndergroundWire said,
Microsoft did event the personal computer, Apple did. So what's your point?

Hoh, yes, I will just go and 'event' the time machine, brb!1

n_K said,

Hoh, yes, I will just go and 'event' the time machine, brb!1

Microsoft didn't invent the personal computer. Yet it sells more than Macs. You are arguing about Google not inventing WebKit and the sandbox. What's the point? That was my question to his clueless statements. Who cares that Google didn't invent it. It is how it is implemented in the end that lures people into using your product.

P.S. it was around 1 AM and I was intoxicated when I wrote that originally hence the "event".

UndergroundWire said,

Microsoft didn't invent the personal computer. Yet it sells more than Macs. You are arguing about Google not inventing WebKit and the sandbox. What's the point? That was my question to his clueless statements. Who cares that Google didn't invent it. It is how it is implemented in the end that lures people into using your product.

P.S. it was around 1 AM and I was intoxicated when I wrote that originally hence the "event".


I don't really follow. If I understand both of your points correctly, what you're arguing is that Microsoft didn't invent the PC as in the general idea of a personal computer, whereas he's saying that Google doesn't actually make WebKit (though your point is completely true when referring to the sandboxing feature), thus Microsoft actually did develop Windows, while Google has other people quote-unquote "develop WebKit for them".

Matthew_Thepc said,

I don't really follow. If I understand both of your points correctly, what you're arguing is that Microsoft didn't invent the PC as in the general idea of a personal computer, whereas he's saying that Google doesn't actually make WebKit (though your point is completely true when referring to the sandboxing feature), thus Microsoft actually did develop Windows, while Google has other people quote-unquote "develop WebKit for them".

You almost got it. I was saying that Microsoft didn't invent the personal computer. They weren't even the first ones out with it. The first real personal computer was the Apple II. Everything before that which was offered to the general public was just kits. You had to buy a monitor, keyboard, mouse, power supply and enclosure and assemble it to your motherboard kit. Being first out with something or even being the first to make it doesn't matter so much as who makes it best. Your average consumer is not going to buy or use a product because the company was the one that owns the technology. Look at the iPhone. Most of the parts are by Samsung. Even the Retina display is made by LG. The only "real" Apple component in there is the processor/GPU chip. Does that mean I shouldn't buy the iPad or iPhone because Apple is utilizing someone else's technology? Of course not.

As far as the whole WebKit is concerned, it is mostly under a GNU Lesser General Public License, while the rest is under a Berkeley Software Distribution license. Both can be used "freely". So what exactly is the big deal of Google using it and why that was even mentioned baffles me. Too many people are not educated in things like license of application and why companies use things like this. It doesn't make them any less of a company. The whole argument mentioned by thenetavenger is pretty much FUD.

Google is not stealing technology. Google is not making something identical to Microsoft at all. They are utilizing different pieces of technology for a model that works. To pick on something like Google not designing the technology is pretty immature talk. Sure this kind of talk might be acceptable for kids in high school, because quite frankly they don't know much at all and they don't understand how the real world works.

It is one fanboy's interpretation of why they don't use the competitor's product.

UndergroundWire said,

You almost got it. I was saying that Microsoft didn't invent the personal computer. They weren't even the first ones out with it. The first real personal computer was the Apple II. Everything before that which was offered to the general public was just kits. You had to buy a monitor, keyboard, mouse, power supply and enclosure and assemble it to your motherboard kit. Being first out with something or even being the first to make it doesn't matter so much as who makes it best. Your average consumer is not going to buy or use a product because the company was the one that owns the technology. Look at the iPhone. Most of the parts are by Samsung. Even the Retina display is made by LG. The only "real" Apple component in there is the processor/GPU chip. Does that mean I shouldn't buy the iPad or iPhone because Apple is utilizing someone else's technology? Of course not.

As far as the whole WebKit is concerned, it is mostly under a GNU Lesser General Public License, while the rest is under a Berkeley Software Distribution license. Both can be used "freely". So what exactly is the big deal of Google using it and why that was even mentioned baffles me. Too many people are not educated in things like license of application and why companies use things like this. It doesn't make them any less of a company. The whole argument mentioned by thenetavenger is pretty much FUD.

Google is not stealing technology. Google is not making something identical to Microsoft at all. They are utilizing different pieces of technology for a model that works. To pick on something like Google not designing the technology is pretty immature talk. Sure this kind of talk might be acceptable for kids in high school, because quite frankly they don't know much at all and they don't understand how the real world works.

It is one fanboy's interpretation of why they don't use the competitor's product.


ah, thanks

UndergroundWire said,

You almost got it. I was saying that Microsoft didn't invent the personal computer. They weren't even the first ones out with it. The first real personal computer was the Apple II. Everything before that which was offered to the general public was just kits. You had to buy a monitor, keyboard, mouse, power supply and enclosure and assemble it to your motherboard kit. Being first out with something or even being the first to make it doesn't matter so much as who makes it best. Your average consumer is not going to buy or use a product because the company was the one that owns the technology. Look at the iPhone. Most of the parts are by Samsung. Even the Retina display is made by LG. The only "real" Apple component in there is the processor/GPU chip. Does that mean I shouldn't buy the iPad or iPhone because Apple is utilizing someone else's technology? Of course not.

As far as the whole WebKit is concerned, it is mostly under a GNU Lesser General Public License, while the rest is under a Berkeley Software Distribution license. Both can be used "freely". So what exactly is the big deal of Google using it and why that was even mentioned baffles me. Too many people are not educated in things like license of application and why companies use things like this. It doesn't make them any less of a company. The whole argument mentioned by thenetavenger is pretty much FUD.

Google is not stealing technology. Google is not making something identical to Microsoft at all. They are utilizing different pieces of technology for a model that works. To pick on something like Google not designing the technology is pretty immature talk. Sure this kind of talk might be acceptable for kids in high school, because quite frankly they don't know much at all and they don't understand how the real world works.

It is one fanboy's interpretation of why they don't use the competitor's product.

MS still does not make personal computers. They only make the software just as they did for Apple before the first Windows machines sprang forth.

pwgarner said,

MS still does not make personal computers. They only make the software just as they did for Apple before the first Windows machines sprang forth.

I hear what you are saying but it's all semantics.

chAos972 said,
Doesn't surprise me that these go all the way back to IE6, prior to all the emphasis on security.

Indeed, with MS' new emphasis on security, it seems that severe exploits are more likely to come from grandfathered code than newer code.

Seriously, Google Chrome has been hacked twice (at 2 different contests: Pwn2Own and Pwnium), and the title speaks only about IE9 (which has been exploited only 1 time) ?

http://www.zdnet.com/blog/secu...d-with-sandbox-bypass/10563
http://www.zdnet.com/blog/secu...sandbox-first-to-fall/10588

Worse, Neowin is wrong when it says:
"The team's methods will also work on Internet Explorer 8 and on IE 10 running the newly launched Consumer Preview version of Windows 8."

http://arstechnica.com/busines...omped-at-hacker-contest.ars

according to the VUPEN team:
"The (new) protected mode is much more secure, much more restrictive," Bekrar said. "IE 10 on Windows 8 will be a big challenge for us to create an exploit for it."

This clearly means that their exploit doesn't work on IE10/win8.
The flaw in IE exists from IE6 to IE10, but they have no working code to exploit it in Win8/IE10.


more info on the new sandbox in IE10/win8:
http://www.julien-manici.com/b...d-protected-mode-windows-8/

link8506 said,
Seriously, Google Chrome has been hacked twice (at 2 different contests: Pwn2Own and Pwnium), and the title speaks only about IE9 (which has been exploited only 1 time) ?

http://www.zdnet.com/blog/secu...d-with-sandbox-bypass/10563
http://www.zdnet.com/blog/secu...sandbox-first-to-fall/10588

Worse, Neowin is wrong when it says:
"The team's methods will also work on Internet Explorer 8 and on IE 10 running the newly launched Consumer Preview version of Windows 8."

http://arstechnica.com/busines...omped-at-hacker-contest.ars

according to the VUPEN team:
"The (new) protected mode is much more secure, much more restrictive," Bekrar said. "IE 10 on Windows 8 will be a big challenge for us to create an exploit for it."

This clearly means that their exploit doesn't work on IE10/win8.
The flaw in IE exists from IE6 to IE10, but they have no working code to exploit it in Win8/IE10.


more info on the new sandbox in IE10/win8:
http://www.julien-manici.com/b...d-protected-mode-windows-8/

Welcome to Neowin, not only offering unprofessional journalism, but ignorance, intentionally misleading readers, and facts being pesky things that are avoided, or brushed aside in generics so it doesn't have to be explained accurately.

We know the headline was to grab attention, and intentionally created to take a shot at Microsoft since IE has become solid and secure.

IE has done well in security since Windows 7 was released, and has maintained some of the top security scores overall for almost three years. Outside of 'personal beliefs' and anecdotal stories about people's cousins having problems, in real security monitoring and threat reporting circles, IE is the safest browser, and has been for over three years. Which is not subjective or statistical manipulation or using limited metrics. It is just a fact.

________________
My favorite aspect of the Pwn2Own events for the past 3 years, is that Google puts up a bounty for Chrome being breached, and adds in very specific things they consider a flaw, and adds to the qualification this little fact..

- The only acceptable setup is Chrome running on Windows 7 64bit.

So they don't trust their own OS, or Linux or OS X when it comes to showing how secure Chrome is or having to put their money on the line. Odd, huh?

The reasoning is easy if you watch what happens, because outside of this event when there are exploits in Chrome discovered, they fail to be usable or work on Windows 7, as it mitigates the entry point.


This has always been the 'better' untold story, where Chrome is compromised on OS X, Linux, and Android but is safe on Windows 7. Weird, huh?

The part that they do not say or explain is that Windows has real-time call and code checking, so that if an application like Chrome is broken, Windows 7 compensates for it on the fly or at least on the next run, and adds the adjustment to the compatibility database.

This not only catches crashes and general bugs, it adds virtualization and other compensations to help the 'broken' 3rd party application continue to work and not crash in the future. The 'side effect' is that it also stops a lot of code flaws that open up software to exploits and entry points, making the application more secure even if the programmers were idiots.

* (This is different from things like ASLR and other security measures in Windows 7, as it is about code quality that the OS compensates for in real-time and operates separate from malware protection and security safeguards.)

So yeah Google and Chrome, on Windows 7 it is very secure.. On OS X, Linux, Android, not so much.

IE8,9,10 are still very safe, and people forget that Microsoft invented the sandbox security technologies with brokering that is behind why IE is far more secure than IE6 or IE on XP. Chrome 'adopted' the IE7 sandbox framework from Microsoft, and Microsoft even helped them with it, even though Google doesn't use the NT security model like IE's sandbox does. Chrome added in the broker technology later on, again, using the IE design reference and assistance from Microsoft.

Stupid, silly, Microsoft always helping out companies that are 'far superior' to them. LOL (Well superior in conning people, not in actual knowledge, understanding, or technology.)

thenetavenger said,
IE8,9,10 are still very safe, and people forget that Microsoft invented the sandbox security technologies

Microsoft invented sandbox? Wait, what.

I don't even..

Please, don't ever post anything again. Seriously, for your own reputation you should just stop doing it.

MiukuMac said,

Microsoft invented sandbox? Wait, what.

I don't even..

Please, don't ever post anything again. Seriously, for your own reputation you should just stop doing it.

His reputation isn't being influenced by anything you said, contrary to yours.

MiukuMac said,

Microsoft invented sandbox? Wait, what.

read the context!
He meant that Microsoft invented sandboxed web browsers, which is true.

Before IE7 on vista, no browser was sandboxed.
Then came Chrome, and Safari on OSX a few years later.