Internet Explorer 10 running on Windows 8 is apparently open to at least two exploits that can be used to hijack the OS from its owners. That's the new claim from a French computer security firm who says it found the two zero day flaws in IE10 as part of a hacking conference.
The company, VUPEN Security, posted its claim on its Twitter account today. It said:
We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass #Pwn2own— VUPEN Security (@VUPEN) March 7, 2013
The company found the IE10 security holes as part of its participation in the The Pwn2Own hacking competition, part of the CanSecWest conference in Vancouver. The same security firm also found an exploit in Mozilla's Firefox that allowed the team "to bypass ASLR/DEP on Win7 without the need of any ROP.” In this case, the flaw was opened in part from a new method that will apparently remain in the hands of VUPEN.
VentureBeat reports that another security company, the UK-based MWR Labs, managed to break into Google's Chrome web browser to hijack Windows 7. The firm won $100,000 in the competition from HP’s DVLabs. Both MWR and VUPEN gave the information they gathered from their successful hackiing of those browsers to Microsoft, Google and Mozilla, all of which will likely release patches to close those holes soon.
Source: VUPEN on Twitter