As promised, Microsoft issued a number of security updates Tuesday for many of its software products as part of its regular monthly Patch Tuesday event. That included two critical fixes for various versions of Internet Explorer, including IE10 running on Windows 8.
Microsoft said in its full patch notes that the fixes on Tuesday closed Internet Explorer exploits that "could allow remote code execution if a user views a specially crafted webpage using Internet Explorer." Microsoft also added that the fixes were "privately reported".
However, those fixes did not address flaws in IE10 that were discovered over a month ago by the French firm VUPEN Security. The company stated it found two zero-day exploits in IE10 that allowed them to remotely take over a Surface Pro PC during the Pwn2Own Internet hacking competition.
Other flaws in Mozilla's Firefox and Google's Chrome were also discovered by security firms during the same Pwn2Own competition, but both browsers have since been updated to close those exploits. PCWorld.com reports that Andrew Storms, director of security operations for security firm nCircle, stated Microsoft's lack of such a patch for IE10 puts it "quite a bit behind other browsers that already patched their Pwn2Own bugs."
There's no evidence that the exploit VUPEN Security found is currently being used out in the wild. It's possible Microsoft could issue a special IE10 update outside the normal "Patch Tuesday" schedule to fix the problem.
Source: PCWorld.com | Image via Microsoft
27 Comments - Add comment