Pwn2Own: IE8 hacked & Microsoft responds in less than 12hrs

TippingPoint's 3rd annual Pwn2Own contest has already shown significant security breaches in Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer 8; Google's Chrome was the only browser that made it through the first day of testing this year.

One of the contestants, Nils, was able to exploit the latest Internet Explorer 8, which was released just a few days earlier. The blogosphere and news websites picked it up, and it very soon became hot news. While people were worrying about IE8's security, MSRC (Microsoft Security Response Center) had already reproduced and validated the IE8 vulnerability in less than 12 hours.

Microsoft is expected to release a security patch for this vulnerability very soon. It is in fact surprising to see that the IE team acted so fast even when they were busy at MIX09!

You can visit TippingPoint's blog for more information.


43 Comments


So, with all this praising of MS for its quick response, where's the patch for this problem? Just stating that they know about the vulnerability doesn't mean they've actually done anything about it.

I never really understood the REAL concept of a vulnerability. But don't get me wrong here, just think how many vulnerabilities IE and other browsers have had. Don't they fu***** learn from their mistakes? I know I know, I can't do it better because I don't code, but seriously, Microsoft can hire anyone, why the hell are they always releasing stuff which is vulnerable or not working properly, and not only Microsoft, everyone. This bug is going to get fixed, within a week or two there will be another, but I keep wondering, from where?! The browser is complete ****, and there aren't a lot of features either, do they like keep exploiting the same hole and Microsoft is just too stupid to do a permanent fix?

Every product in the market is not completely bug free. And the product vendor will have to support the product and fix the upcoming issues throughout the life cycle of the product. Bugs will be reported even after the product is released. There is nothing wrong in that and usually the pattern to find bugs differs from product to product and person to person.

This doesn't apply to only Microsoft, but to everyone!

The problem with MS is if a part of the team finds a bug, then this bug must be evaluated, then analyzed and fixed, while it can take a couple of hours. Sadly the bureaucracy involving it can increase the time over many weeks or even months, a single fix can take a lot of documentation, meetings and such.

The difference in this case is where an order to fix a problem is generated by a VIP, then the problem is fixed ASAP, usually voiding all the bureaucracy.

A vulnerability occurs because of assumptions.

Someone wrote a part of the code, documented the API.
The next guy who works on another part had to call the 1st code, this 2nd guy had to assume the 1st guy got all the holes covered.

If the 2nd guy had to vet through the 1st guy's code, and the 3rd guy had to vet through the 1st and 2nd guy's code, the product may never materialize.

The biggest cause of software vulnerabilities seems to be buffer overflows. It's one of the pitfalls of using a language that has as much freedom as C/C++. You just have to pay more attention to input/output buffers.

More like if Microsoft had no competitors full stop, then it wouldn't be as good a company as it is today.

Microsoft is expected to release a security patch for this vulnerability very soon. It is in fact surprising to see that the IE team acted so fast even when they were busy at MIX09!

No it isn't. They're losing serious market share to Firefox for the first time in like a decade - it's no wonder they're scrambling around, trying to make sure IE8 is as good as it can be and that they're seen to be proactive with it again.

If Firefox wasn't in the position it was in, and IE still had 90%+ market share, I doubt IE8 would be anything like as good as it is now.

Chicane-UK said,
No it isn't. They're losing serious market share to Firefox for the first time in like a decade - it's no wonder they're scrambling around, trying to make sure IE8 is as good as it can be and that they're seen to be proactive with it again.

If Firefox wasn't in the position it was in, and IE still had 90%+ market share, I doubt IE8 would be anything like as good as it is now.


So you assume that just because Microsoft has lost market share, they fix security vulnerabilities? Microsoft has always and will always make security issues number one priority to fix and release. They are constantly releasing security patches and service packs for their software, like every other software vendor.

Their software might not be the greatest thing since sliced bread, but man do those Microsoft engineers know it inside and out.

Nice, I would like to hear more about Apple's response though seeing how poorly Safari did. It just goes to show you that MS's experience has been paying off in the security sector, but also that you can never really have 100% security no matter the software/platform.

The vulnerability will be fixed with Snow Leopard's release... $130 please ;)

KIDDING but if roles were reversed, mac fanboys would be shouting how "fixes would be waiting until Microsoft forced you onto 7"

What do you mean with poorly? It was an undisclosed vulnerability the guy knew from last year. IE8 just came out and already got breached.

andrewbares said,
Many people would agree that they love Vista, so don't even start with the debate.


Agreed; if people spent some time looking at the changes that were included in Windows Vista and compared it to what Mac OS X 10.0 was when it first came out, Microsoft made some massive changes and still made a pretty good product.

Let's remember that most people compared a brand new piece of software to something that had 6 years to mature over 3 service packs, 2 of them being average and SP2 being the big Windows XP overhaul when it came to security. IMHO people should at least acknowledge the hard work that many Microsoft programmers did.


You do not have to be an XP loving person to have issues or believe there are issues with Vista that need to be fixed. Or wish were fixed.

Hardware support when Vista was first released, honestly sucked. Debacle 1.
Software support when Vista was first released, honestly sucked. Debacle 2.
Small business networking to an XP pro file server using usernames and passwords. Sucks ... Debacle 3.
Shortcuts to folders that have no access rights in "show all files and folders" view. Sucks... Debacle 4.
I am sure there are others I can list and so can you if you think of it.
No one likes change. Especially change that has flaws.
Vista is getting much better than what it was when released. I have to admit that. But there are still issues with Vista and the business world will not accept it for this reason in addition to a few others.
From my standpoint EVERY OS MS has released has had issues. I didn't start using XP till SP2, I saw too many SMALL issues with it. (Perhaps I was being uncooperative with change here as well.)
Regardless of the reasons one finds for having issues with Vista, Raa may or may not be an XP loving ****. He has a legitimate comment. No need to trash the guy.

themousepad said,
Hardware support when Vista was first released, honestly sucked. Debacle 1.

Not a problem with Vista, therefore NOT a Debacle with Vista. Hardware manufacturers had months to prepare and chose to do nothing till Vista hit RTM. I'm hoping they've learned their lesson this time around.
themousepad said,
Software support when Vista was first released, honestly sucked. Debacle 2.

Only partly Vista's fault. On the one hand, there were many changes from XP to Vista (most of them needed) that caused problems for AppCompat, on the other hand software developers had months to prepare for Vista's new security model and folder structures and chose not to bother. Therefore not a debacle, rather an unfortunate side effect of necessary architectural changes.
themousepad said,
Small business networking to an XP pro file server using usernames and passwords. Sucks ... Debacle 3.

XP Pro is not a file server, therefore not a debacle.
themousepad said,
Shortcuts to folders that have no access rights in "show all files and folders" view. Sucks... Debacle 4.

Granted, there were a few "issues" here and there, but nothing to earn the title "debacle".. certainly no more than every single other OS Microsoft has released. People have extremely short memories, Vista was no worse than 95, 98, ME, 2000, or XP at release.

Hahaha..man, Google must use a few target words: Internet Explorer 8, IE8..and anytime anyone puts news or anything pertaining to it, put Chrome ad on site right away...lol..look at the ads on the page! Lol.

If they fix the bugs fast, great. Now that IE8 is RTM they can start right up on the next version. Though they'll probably take a little break first.

GP007 said,
If they fix the bugs fast, great. Now that IE8 is RTM they can start right up on the next version. Though they'll probably take a little break first.

I thought they have had enough break during IE6 era........

Raa said,
I thought IE6 was great. IMO it was other browsers that gave it a bad rep :P

you are kidding right? You actually think ie6 is a good browser?

Raa said,
I thought IE6 was great. IMO it was other browsers that gave it a bad rep :P

I would have to agree with you.

cybertimber2008 said,
+1 For Microsoft and IE8! May it change the bad reputation of IE that IE6 gave the world.

or inspired another Tomorrow Never Dies dialogue line :P Delicious or was that splendid?

rajputwarrior said,
you are kidding right? You actually think ie6 is a good browser?


He's being serious, but I see the point he is getting at though. People wouldn't realise how bad IE6 was until other browsers managed to destroy its reputation.