Latest Patch Tuesday IE10 updates did not fix zero day exploit

As promised, Microsoft issued a number of security updates Tuesday for many of its software products as part of its regular monthly Patch Tuesday event. That included two critical fixes for various versions of Internet Explorer, including IE10 running on Windows 8.

Microsoft said in its full patch notes that the fixes on Tuesday closed Internet Explorer exploits that "could allow remote code execution if a user views a specially crafted webpage using Internet Explorer." Microsoft also added that the fixes were "privately reported".

However, those fixes did not address flaws in IE10 that were discovered over a month ago by the French firm VUPEN Security. The company stated it found two zero-day exploits in IE10 that allowed it to remotely take over a Surface Pro PC during the Pwn2Own Internet hacking competition.

Other flaws in Mozilla's Firefox and Google's Chrome were also discovered by security firms during the same Pwn2Own competition, but both browsers have since been updated to close those exploits. PCWorld.com reports that Andrew Storms, director of security operations for security firm nCircle, stated Microsoft's lack of such a patch for IE10 puts it "quite a bit behind other browsers that already patched their Pwn2Own bugs."

There's no evidence that the exploit VUPEN Security found is currently being used out in the wild. It's possible Microsoft could issue a special IE10 update outside the normal "Patch Tuesday" schedule to fix the problem.

Source: PCWorld.com | Image via Microsoft

27 Comments

this probably might never be fixed. they drag it until people get attacked.
That's why I like chrome, security threat reported by VUPEN was fixed the very next day

The amount of exploits found on Chrome is also 10 times higher.
I'm sure if Microsoft thought this was important, it would've been fixed already. Seems like it isn't. Maybe it's local network only. Can't find any details on it, while the 2013 rules state full disclosure.. or is this just for Chrome?

I've gotten a virus recently, I excluded it to be downloads. I am certain it has been a drive-by. However I use IE10, Firefox/palemoon and Ironware (occasionally Opera, but not in this time period) all mixed through each other... 1 of them has an actively abused zero-day. Both Windows Defender and Malwarebytes still can't detect it as of this moment, so that kinda sucks

Edited by ShadowMajestic, Apr 10 2013, 11:42pm :

The amount of exploits found on Chrome is higher because Google actively encourages hackers to find exploits, even gives rewards for it. That doesn't mean chrome's security is weak. IE has a lot more 0 day exploits than chrome but google is fixing those exploits than IE's exploit.
let's say for example IE has 200k unknown exploits and Google has 50k unknown exploits. MS finds 2 exploits every month and Google finds 20 (10 times) exploits every month. does that mean IE security is better? NO!! the problem is some dumb people think that finding more exploits means its security is weak.

Fixing issues that are not in the wild means that they're just publishing them for use on non-patched machines. They're better off knowing how to fix the vulnerabilities found by white hats and wait until they are actually used.

astalvfnw said,
The amount of exploits found on Chrome is higher because Google actively encourages hackers to find exploits, even gives rewards for it. That doesn't mean chrome's security is weak. IE has a lot more 0 day exploits than chrome but google is fixing those exploits than IE's exploit.
let's say for example IE has 200k unknown exploits and Google has 50k unknown exploits. MS finds 2 exploits every month and Google finds 20 (10 times) exploits every month. does that mean IE security is better? NO!! the problem is some dumb people think that finding more exploits means its security is weak.

no, the amount of flaws discovered in chrome is more important because there are more flaws than in Firefox or IE to begin with. Stop looking for excuses.

the money that google gives to hackers is a ridiculous amount compared to the real value of the flaws on the black market. That's definitely not $800/flaw that would encourage looking for flaws if those flaws were so hard to find.

several hackers who won the pwn2own contest in the past years have expressed concerns about webkit security, saying it has a lot of flaws.

even this year, a guy from vupen said that chrome's weakness is webkit (because of the high number of flaws).
he also said that chrome's sandbox is its strength, which is funny since the sandbox is basically just the proper use of the host OS security features like protected mode, ACLs, jobs, message isolations, ...

when windows XP will no longer be supported, I expect to see a higher number of 0day flaws targeting chrome on XP because the sandbox will no longer offer any protection once some unpatched kernel flaws in XP will be known.

link8506 said,

no, the amount of flaws discovered in chrome is more important because there are more flaws than in Firefox or IE to begin with. Stop looking for excuses.

the money that google gives to hackers is a ridiculous amount compared to the real value of the flaws on the black market. That's definitely not $800/flaw that would encourage looking for flaws if those flaws were so hard to find.

several hackers who won the pwn2own contest in the past years have expressed concerns about webkit security, saying it has a lot of flaws.

even this year, a guy from vupen said that chrome's weakness is webkit (because of the high number of flaws).
he also said that chrome's sandbox is its strength, which is funny since the sandbox is basically just the proper use of the host OS security features like protected mode, ACLs, jobs, message isolations, ...

when windows XP will no longer be supported, I expect to see a higher number of 0day flaws targeting chrome on XP because the sandbox will no longer offer any protection once some unpatched kernel flaws in XP will be known.


then why was chrome not compromised for the first few years in pwn2own. even when chrome was compromised the hacker said that it was hard to break. chrome is not just about webkit, even with webkit weakness chrome shines. don't forget about blink engine. chrome still rules and IE sucks.

link8506 said,

no, the amount of flaws discovered in chrome is more important because there are more flaws than in Firefox or IE to begin with. Stop looking for excuses.

the money that google gives to hackers is a ridiculous amount compared to the real value of the flaws on the black market. That's definitely not $800/flaw that would encourage looking for flaws if those flaws were so hard to find.

several hackers who won the pwn2own contest in the past years have expressed concerns about webkit security, saying it has a lot of flaws.

even this year, a guy from vupen said that chrome's weakness is webkit (because of the high number of flaws).
he also said that chrome's sandbox is its strength, which is funny since the sandbox is basically just the proper use of the host OS security features like protected mode, ACLs, jobs, message isolations, ...

when windows XP will no longer be supported, I expect to see a higher number of 0day flaws targeting chrome on XP because the sandbox will no longer offer any protection once some unpatched kernel flaws in XP will be known.


800 bucks for a zero-day is cheap for black market, you have no idea dude lol. With just 1 or 2 of these zero-days you can make thousands of bucks with ease.

Btw Google only pays for exploits found on Windows 7 (or 8 now?) 64bit with UAC and everything enabled. It's using the lazy way. Mainly cause they cannot create a better sandboxing than what comes with 7/8. So it might not be Google's fault entirely when they break through their sandboxing, but it still is. You can't blame Microsoft for a 3rd party App to have it broken through its sandboxing. As Microsoft's own IE has got not even 1/10th of the zero-days and exploits Chrome continuously has. Yes IE still has them, every browser has them.

And yes I am wondering myself as well when they switch to their own render engine to see if it improves as you're right that often the flaw comes from Webkit and not Chrome per se, I sure hope so as I am a regular Iron user.

wonder why chrome on mac is similarly secure. oh wait mac on mac don't use the sandboxing used in windows. ignorant and stupid people.

astalvfnw said,

then why was chrome not compromised for the first few years in pwn2own. even when chrome was compromised the hacker said that it was hard to break. chrome is not just about webkit, even with webkit weakness chrome shines. don't forget about blink engine. chrome still rules and IE sucks.

You do know that Blink is just Webkit, right? And I'm sorry for you, but Chrome has a lot of security flaws, something IE doesn't have. So open your eyes and take a look at how good IE is.

However, those fixes did not address flaws in IE10 that were discovered over a month ago by the French firm VUPEN Security.

But like they said it isn't being exploited in the wild so it isn't considered a critical fix. Instead they fixed 2 critical issues and another 10 important ones.

-Razorfold said,
But like they said it isn't being exploited in the wild so it isn't considered a critical fix. Instead they fixed 2 critical issues and another 10 important ones.

While clearly true, it's just a matter of time before it is.

I am looking forward to the day that Microsoft auto-updates IE10 in the background similar to the way that Chrome updates itself. That should help to avoid the biggest problems ever really becoming problems because an out-of-band patch can be released without much fanfare.

pickypg said,
While clearly true, it's just a matter of time before it is.

I am looking forward to the day that Microsoft auto-updates IE10 in the background similar to the way that Chrome updates itself. That should help to avoid the biggest problems ever really becoming problems because an out-of-band patch can be released without much fanfare.

http://i.imgur.com/cyzxD3V.png

While indeed the IE Auto Update feature appears to exist as of v10, does anyone know if Microsoft has actually used it yet? I've never seen anything to indicate it's performed an action, but then at this point I don't know if it even makes a visible action, is there for security updates or web standards updates, etc. It sure as heck doesn't auto-update the ActiveX version of Flash.

I tend to be very quick at applying updates through Windows Update though, so that could be a contributing factor as to why I've never seen IE do it yet.

Kaedrin said,
While indeed the IE Auto Update feature appears to exist as of v10, does anyone know if Microsoft has actually used it yet? I've never seen anything to indicate it's performed an action, but then at this point I don't know if it even makes a visible action, is there for security updates or web standards updates, etc. It sure as heck doesn't auto-update the ActiveX version of Flash.

I tend to be very quick at applying updates through Windows Update though, so that could be a contributing factor as to why I've never seen IE do it yet.

I assume that checkbox relates to major version updates. Security updates through WU will always be applied.

pickypg said,
While clearly true, it's just a matter of time before it is.

I am looking forward to the day that Microsoft auto-updates IE10 in the background similar to the way that Chrome updates itself. That should help to avoid the biggest problems ever really becoming problems because an out-of-band patch can be released without much fanfare.

you mean, updating IE without system restart?
that's technically not possible because a lot of software use some IE components to display some part of their UI, or use some http/proxy config APIs (even Chrome does use some IE components to look up for proxies).

a restart is necessary to update these shared components.

the only other way would be to have two separate copies of IE: the web browser (autonomous), and the system components of IE used by 3rd party apps.
but that would bring much more problem than it would solve, because users would not understand why the same components aren't updated at the same time, and what the security implications are.

link8506 said,

you mean, updating IE without system restart?
that's technically not possible because a lot of software use some IE components to display some part of their UI, or use some http/proxy config APIs (even Chrome does use some IE components to look up for proxies).

a restart is necessary to update these shared components.

the only other way would be to have two separate copies of IE: the web browser (autonomous), and the system components of IE used by 3rd party apps.
but that would bring much more problem than it would solve, because users would not understand why the same components aren't updated at the same time, and what the security implications are.

I disagree. Users that would be confused wouldn't know the difference because it's not even on their radar.

I am a huge proponent of separating as much of the browser from the OS. I have no problem with it being distributed with Windows, but it should be just another application.

Ignoring that, I think that Microsoft has gotten good enough with their updates that they can detect component usage. They could flag applications that need to close before being able to complete the update, or signal that a reboot is required for the update if there is no other way. They should get to the point where they are living completely in userland, which makes any vulnerabilities that much less serious.

-Razorfold said,

But like they said it isn't being exploited in the wild so it isn't considered a critical fix. Instead they fixed 2 critical issues and another 10 important ones.

That's the best comment I've seen in a while.
Don't fix a "security" vulnerability (and that too of this caliber) just because hackers don't use it 'yet'. (or so everyone assumes).

Just wait for a security outbreak before fixing it.
*kudos*

That's the best comment I've seen in a while.
Don't fix a "security" vulnerability (and that too of this caliber) just because hackers don't use it 'yet'. (or so everyone assumes).

Just wait for a security outbreak before fixing it.
*kudos*


Is that what I said? Oh wait no it isn't. I said it isn't being exploited right now so it ISN'T A CRITICAL FIX. They fixed 12 other bugs, 2 of which were critical. Pretty sure in terms of priority a bug that is being exploited should get fixed before ones that aren't.

Should they all be fixed? Of course they should be but that doesn't mean you stop prioritizing.

Not to mention you're also assuming the caliber of this bug. According to the article anyways it was only privately reported to MS, so for all you know it could require 600 steps from the user for anything to happen. I'm exaggerating here but for the most part MS is pretty damn quick about fixing bugs (they're one of the fastest in the industry), and if something is critical enough they often release a patch within a day or two. They obviously figured there were 12 more important fixes they needed to address before this one.

I'm also going to quote DonC because he brought up another point that you didn't realize:

Fixing issues that are not in the wild means that they're just publishing them for use on non-patched machines. They're better off knowing how to fix the vulnerabilities found by white hats and wait until they are actually used.

Edited by -Razorfold, Apr 11 2013, 7:57am :

pickypg said,
I am a huge proponent of separating as much of the browser from the OS. I have no problem with it being distributed with Windows, but it should be just another application.

Why is that? Next file browser should be an app? Graphics driver should be an app?

Graphics drivers already shifted to user space under NT 6.0 (Vista), which is why you are able to update your video card driver without rebooting now.

Splitting it from the OS should lead to a more secure browser, as well as one that can be developed independently from the OS. Frankly, IE10 should work on Windows XP and Vista, just the same as Chrome 26 works on both. It's because IE is so coupled with the OS that it doesn't; that, and of course because they want people to get Windows 7 / 8. Granted, IE9 uses Direct2D for its hardware acceleration making it as fast as it is, which is unsupported on XP, but I don't believe that there is any reasonable excuse for not supporting Vista with IE10.

At least until this time next year, when XP is officially unsupported, the internet will be held back by people having to officially support IE8, and even IE9. IE10 is a great browser, and IE9 is a very fast, but only pretty good browser. Tethering the browser to the OS has already held everyone to the lowest common denominators.

pickypg said,
Graphics drivers already shifted to user space under NT 6.0 (Vista), which is why you are able to update your video card driver without rebooting now.

Splitting it from the OS should lead to a more secure browser, as well as one that can be developed independently from the OS. Frankly, IE10 should work on Windows XP and Vista, just the same as Chrome 26 works on both. It's because IE is so coupled with the OS that it doesn't; that, and of course because they want people to get Windows 7 / 8. Granted, IE9 uses Direct2D for its hardware acceleration making it as fast as it is, which is unsupported on XP, but I don't believe that there is any reasonable excuse for not supporting Vista with IE10.

At least until this time next year, when XP is officially unsupported, the internet will be held back by people having to officially support IE8, and even IE9. IE10 is a great browser, and IE9 is a very fast, but only pretty good browser. Tethering the browser to the OS has already held everyone to the lowest common denominators.


Probably because IE10 utilizes a lot of security (among others) features from the OS itself? This is why IE10 on windows 7 took so much time. They specifically said they will have to backport (or recode or whatever) a lot of Windows8 features for IE10 on W7.
And you want IE10 on Vista...

Yes, chrome works on both...but does it provide every enhancement on XP? No.

Splitting from OS won't lead to any secure browser. The browser can always be sandboxed even if it is a "part" of the OS. In this day and age, an OS (esp general computers) without browser is worth ****.

And why should it be developed independently? For example, they introduced system wide spell check and autocorrect. IE team should have recreated this for IE only?
The more code is shared, the better the experience will get and less chances of incoherence/bugs etc.

Crimson Rain said,

Probably because IE10 utilizes a lot of security (among others) features from the OS itself? This is why IE10 on windows 7 took so much time. They specifically said they will have to backport (or recode or whatever) a lot of Windows8 features for IE10 on W7.
And you want IE10 on Vista...

And why should it be developed independently? For example, they introduced system wide spell check and autocorrect. IE team should have recreated this for IE only?
The more code is shared, the better the experience will get and less chances of incoherence/bugs etc.

Being developed independently is quite different from being unable to share features. Features like system-wide spell check and autocorrect are great features, but they are in no way specific to the web browser, and that should be put into the OS and not the web browser as a result. Just because an application is, say, installed in Program Files versus your Windows folder does not prevent said application from accessing OS features. Certainly, other applications should not be dependent on a web browser for something like system-wide spell check.

Vista is still a supported OS, and it will be for a couple years, which means that those features likely should be backported. And if they cannot/won't be backported, then those features should simply be abstracted away from the actual release so that Vista can support similar functionality (or not) while still getting the rest of the release. As a developer, I know that it does take more time, but good software development is rarely easy. Also as a developer, I do not look forward to maintaining support for IE9 when IE12+ is eventually released. Similarly, if they pull the same game with IE11, then I do not look forward to being stuck with IE10 because of Windows 7. It's not because IE10 is bad (I think it's quite good), rather it's because of the features that will exist in the future version of IE.

The nice thing about being Microsoft (or Apple) is that they have the ability to make things available to the rest of the OS by actually placing it in the OS, rather than being forced to put it all into the browser.

Crimson Rain said,
Yes, chrome works on both...but does it provide every enhancement on XP? No.

Exactly. And IE should be no different. On the web, it's called gracefully degrading, and it's one of the biggest headaches of development. In the case of your spell checking example, they could simply forgo that feature on XP or Vista, assuming they were unwilling to backport it to the OS.

Crimson Rain said,
Splitting from OS won't lead to any secure browser. The browser can always be sandboxed even if it is a "part" of the OS.

Both IE and Chrome are already sandboxed. The further away that you are from the core OS, the harder it makes it for attackers to use any exploit that they find to escalate into something meaningful. Chrome and IE are both very secure browsers at this point, in large part due to their sandboxes, but Chrome is helped by being "just another" application because it does not get special permission to do anything.

Crimson Rain said,
In this day and age, an OS (esp general computers) without browser is worth ****.

I completely agree. And, more to the point, Microsoft can never remove the browser from their OS completely because some applications depend on it existing so that they can include it as part of their own application. Frankly, I think that they should adjust to a swappable API to allow replacement there as well, which increases competition in that space, as well as helps them tell the EU that they are truly interoperable. It would also make it easier for applications to provide an explicit (older) version of IE where necessary without affecting the rest of the system. Heck, it would even increase the simplicity of testing with various versions of IE.

Please MS.

DO NOT ever include some BS auto update crap a** thing in IE. It's obvious that even when NOT doing that, you screw crap up!!