Netstat -vat by Sean Michael Kerner (bio )

A command line view of IT

« Open Source Vyatta raises $10 million led by Citrix | Sean Michael Kerner Blog | Jitterbit 3 expands open source data integration »

IE 8 gets fixed for PWN2OWN vuln (again?)

By Sean Michael Kerner on June 9, 2009 4:53 PM

From the 'double checking facts' files:

There was an interesting update as part of today's Microsoft Patch Tuesday, for a vulnerability that I personally had thought was already patched. The vulnerability is one discovered by security researcher Nils at the PWN2OWN event in March.

In the April Patch Tuesday, I was expecting a Microsoft update for the issue but one never came -- at the time Microsoft told me that the version of IE 8 that Nils was using was not the final version of IE8 and wasn't vulnerable.

So what happened between April and June that Microsoft is now patching for an issue that I had thought (based on what Microsoft told me) wasn't an issue?

Here's the official Microsoft response.

"The attack demonstrated at CanSecWest (PWNWOWN) does not work on the IE8 RTW build released on March 19, 2009 due to changes made to ASLR and DEP, which makes the ASLR+DEP .NET bypass demonstrated by Dowd and Sotirov at BlackHat in August 2008 more difficult to accomplish," Christopher Budd, security response communications lead for Microsoft said in an email to InternetNews.com

So IE 8 isn't vulnerable then? Apparently it still is with a particular configuration. ASLR is Address Space Layout Randomization and DEP is Data Execution Prevention.

"With ALSR and DEP turned off, default mitigations are removed and IE8 is in a vulnerable state," Budd said. " Microsoft addressed the underlying vulnerability with Security Bulletin MS09-019."

So there you go, IE 8 'might' have been vulnerable to a zero day, but it would have been tough to execute.

Permalink | Comments (0) | TrackBacks (0) | Share