Microsoft has confirmed officially the zero-day vulnerability impacting Internet Explorer 8, the latest iteration of its IE browser. The security flaw was demonstrated on the first day of the Pwn2Own hacking context of the CanSecWest 2009 in Vancouver the past week. A security researcher identified only as Nils managed to own a Sony Vaio running Windows 7 via a vulnerability in IE8. Terri Forslof, the manager of Security Response for TippingPoint, revealed that Microsoft had acknowledged to her the existence of the issue.
“The MSRC (Microsoft Security Response Center) (...) let me know that they had reproduced and validated IE8 vulnerability discovered by the mysterious Nils. Of course, we can't tell you anything more than that - stay tuned for more information once Microsoft releases an update for it! I continue to be impressed by the dedication of the MSRC team - and was shocked to get the news of verification in less than 12 hours- considering the entire IE team was most likely at the MIX 2009 con down in Vegas for the official launch of IE8!” Forslof stated.
Before joining TippingPoint, Forslof in fact worked at Microsoft, as a Security Program Manager for the Microsoft Security Response Center, the very group that investigates vulnerabilities in the company's software and produces patches. Internet Explorer 8 was released to web on March 19, 2009, the second day of MIX09. “For those not keeping score, the confirmation of the IE8 vulnerability on the released bits marks the first official vulnerability in IE8!” Forslof explained.
In addition to IE8, both Firefox and Safari also permitted the systems they were running on top of to be hacked, and also through 0-day vulnerabilities. Two Critical holes affect Safari, while Firefox is vulnerable to a single issue, just as IE8. Google Chrome is the only browser that survived un-hacked. Forslof revealed that “the Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques. I’m sure they’ll get it fixed up just the same.”
Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
The latest release of Google Chrome is available for download here.
Firefox 3.1 Beta 3 for Windows is available here.
Firefox 3.1 Beta 3 for Linux is available here.
Firefox 3.1 Beta 3 for Mac OS X is available here.
Microsoft Confirms Critical 0-Day IE8 Vulnerability
Showcased at CanSecWest 2009