Mar 11, 2011 14:21 GMT

According to Microsoft, the soon-to-be-released Internet Explorer 9 is safe from the type of attack used to hack its predecessor, Internet Explorer 8, at the Pwn2Own 2011 hack contest at CanSecWest. After what appears to be an initial investigation of the IE8 hack techniques used at Pwn2Own 2011, a representative of the Microsoft Security Response Team turned to Twitter to announce that IE9 is not impacted by the issue which allowed IE8 to be pwned.

But I have to mention from the start that the wording of the Redmond company’s tweets is a tad strange, and it could generate some confusion.

This is because the member of the security response team at Microsoft acknowledges only a single exploit and a single vulnerability in Internet Explorer 8.

On March 10, 2010, the software giant notes: “We are on the ground at CanSecWest and our top security researchers are already investigating the IE exploit used in the pwn2own contest.”

And then, the following tweet was posted: “We have confirmed that IE 9 RC is not affected by the vulnerability used in the pwn2own contest. IE 9 officially releases on Monday.”

What’s strange about the notes from Microsoft is the lack of correlation with reports from CanSecWest about the hack performed by security researcher Stephen Fewer.

As I told you yesterday, Fewer used no less than three vulnerabilities in order to own IE8 running on a 64-bit (x64) Windows 7 SP1 RTM machine.

The entire attack was designed to exploit the chain of vulnerabilities, which allowed the researcher to first of all bypass two critical mitigation layers in IE8 and Windows, namely Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Only after he circumvented DEP and ASLR did Fewer need to deal with IE8’s sandbox, with the browser running with Protected Mode and User Account Control (UAC) enabled.

In this context, I can only assume that Microsoft’s tweet is referring to the fact that IE9 Protected Mode cannot be hacked in the same manner as that of IE8, but I’ll ask Microsoft for confirmation on this.

UPDATE: I heard back from Microsoft. A member of the company’s security response team said that IE9 is not affected by “the core RCE [remote code execution] vuln used” in the IE8 attack.