Microsoft Fixes Internet Explorer Holes Found by Hackers
UPDATED Wednesday, April 10 with news that Microsoft did not in fact patch the vulnerabilities found in the Pwn2Own competition.
Microsoft will patch several vulnerabilities for Windows tomorrow (April 9), including a critical one for the Internet Explorer Web browser, as part of the software giant's monthly security release, commonly known as Patch Tuesday.
The browser fix is for vulnerabilities in Internet Explorer 10 that were uncovered by researchers competing at last month's Pwn2Own contest at the CanSecWest Conference in Vancouver, British Columbia.
Microsoft's advance notification did not disclose details of the vulnerabilities; nevertheless, systems that have not received the update remain exposed until it is installed.
The browser bulletin is rated "critical," Microsoft's highest severity rating, and covers flaws that could let an attacker remotely execute malicious code on systems running all supported versions of Internet Explorer: IE 6 through IE 10, on Windows XP through Windows 8, as well as on Windows RT, the tablet-only edition of Windows.
In addition to exploiting Internet Explorer last month, the Pwn2Own competitors also took down Mozilla's Firefox and Google's Chrome with zero-day exploits specific to those browsers.
While Microsoft's browser patches were arguably released without much delay, Mozilla and Google fixed their browsers' flaws within a day of the contest.
"Even with their new, more aggressive IE patch cadence, [Microsoft's researchers are] still behind other browsers that don't stick to a monthly patch schedule," Andrew Storms, director of security operations at San Francisco security company nCircle, told Kaspersky Lab's Threatpost news blog.
Around the New Year, Internet Explorer was hit by a zero-day exploit used in "watering hole" attacks against human-rights organizations and American diplomats; Microsoft fixed that flaw quickly in an "out-of-cycle" update that fell outside the normal monthly schedule.
Watering-hole attacks target a specific community by compromising websites its members are known to frequent and serving malicious code from those sites, rather than attacking the victims directly.
The Java-based infections of Apple Macintosh computers at Apple, Facebook, Microsoft and Twitter in January were the result of a watering-hole attack that targeted mobile-app software developers.
The other Microsoft patches expected to roll out on Tuesday include a second critical bulletin for Windows XP through Windows 7 and seven bulletins rated "important," affecting Microsoft Office, Windows Defender and Microsoft SharePoint Server 2013.
Many Windows users delay or avoid updating their software, but most malware infections land on computers that have not been kept up to date with security patches, often through flaws for which a fix was already available.
To make sure your PC receives and installs Microsoft updates, open Control Panel, select Windows Update, click "Change settings" and confirm that "Install updates automatically" is selected.
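The same check can be scripted, which is handy for auditing more than one machine. The following PowerShell script is an added example and is not part of the original article; it uses the Windows Update Agent COM interfaces (Microsoft.Update.AutoUpdate and Microsoft.Update.Session), which ship with Windows XP SP2 and later (the Results property used for "last search/install" dates needs Windows 7 or later). The -Enable and -SkipSearch switches are this example's own conventions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article.
# Reports the Automatic Updates setting, optionally forces it to "install
# automatically", and lists software updates that are not yet installed.
param(
    [switch]$Enable,      # set Automatic Updates to install automatically (needs admin)
    [switch]$SkipSearch   # skip the online search for missing updates
)

function Get-AutoUpdateState {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    # NotificationLevel values defined by the WUA API (AutomaticUpdatesNotificationLevel)
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Download, notify before install'
        4 = 'Install automatically (scheduled)'
    }
    $s = $au.Settings
    $results = $null
    try { $results = $au.Results } catch { }   # IAutomaticUpdates2; absent before Windows 7
    [pscustomobject]@{
        ServiceEnabled    = $au.ServiceEnabled
        NotificationLevel = [int]$s.NotificationLevel
        Description       = $levels[[int]$s.NotificationLevel]
        ReadOnly          = $s.ReadOnly          # $true when Group Policy owns the setting
        LastSearch        = if ($results) { $results.LastSearchSuccessDate } else { $null }
        LastInstall       = if ($results) { $results.LastInstallationSuccessDate } else { $null }
    }
}

function Set-AutoUpdateAutomatic {
    # Equivalent of choosing "Install updates automatically" in Control Panel.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $s = $au.Settings            # keep one reference: Save() commits this object's changes
    $s.NotificationLevel = 4
    $s.Save()
    $au.ServiceEnabled           # $true if the Automatic Updates service is now running
}

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are applicable, not installed and not hidden by the user.
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Severity = $u.MsrcSeverity   # 'Critical', 'Important', 'Moderate', 'Low' or empty
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
        }
    }
}

$state = Get-AutoUpdateState
$state | Format-List

if ($state.NotificationLevel -ne 4) {
    Write-Warning "Automatic Updates is not set to install automatically (level $($state.NotificationLevel): $($state.Description))."
    if ($Enable) {
        if ($state.ReadOnly) {
            Write-Warning "Setting is controlled by Group Policy; change it there instead."
        } else {
            Set-AutoUpdateAutomatic | Out-Null
            "Automatic Updates set to level 4 (install automatically)."
        }
    }
}

if (-not $SkipSearch) {
    $missing = @(Get-MissingUpdates)
    if ($missing.Count -eq 0) {
        "No missing software updates reported by Windows Update."
    } else {
        "$($missing.Count) update(s) not yet installed:"
        $missing | Sort-Object Severity | Format-Table -AutoSize
    }
}
```

Level 4 is the setting the Control Panel labels "Install updates automatically"; anything lower means the monthly bulletins, including critical browser fixes, wait for a person to act. A ReadOnly value of $true means Group Policy is managing the setting, so the script refuses to overwrite it and the fix belongs in the policy instead.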
UPDATE: In a surprise, Microsoft did not in fact patch the vulnerabilities found in the Pwn2Own competition.
"We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition's findings," a Microsoft spokesman was quoted by Kaspersky Lab's Threatpost blog as saying.