Internet Explorer 9 is vulnerable to not one but two separate zero-day exploits that have been discovered by the French research team VUPEN as part of the CanSecWest Pwn2Own competition. ZDNet reports that the team found the flaws and used them to hack into a fully patched Windows 7 PC.
The code used to exploit the flaws was triggered simply by surfing to an infected web site. The team's methods will also work on Internet Explorer 8 and on IE 10 running the newly launched Consumer Preview version of Windows 8. The team that discovered these issues says that the flaws actually go back all the way to IE 6. Two team members worked for six weeks on the project.
The good news? Microsoft representatives were attending the Pwn2Own event. The company plans to work on fixing the issues found by VUPEN once it has received the specific information from the event's organizers.
Interestingly, VUPEN claims that overall, Internet Explorer 10 running on the Consumer Preview is harder to exploit than previous versions of IE due to new mitigations put in by Microsoft.
VUPEN also found issues with Google's Chrome web browser and created exploits for already patched issues during the event.