MS11-018 addresses the IE8 pwn2own vulnerability

Today Microsoft released MS11-018 addressing one of the three vulnerabilities that were used to win the Pwn2Own contest last month at CanSecWest 2011. It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers.

The vulnerability we are fixing today, a use-after-free which does not affect IE9, was the primary vulnerability used to gain code execution. A second vulnerability was used to make the exploit more reliable and a third was used to escape IE’s protected mode.

Why IE9 was not affected?

During the development of IE9 several security features were built in to catch as many security issues as possible early in the process. This one was found by fuzzing and was fixed by the IE team about 10 months ago. Also, another vulnerability that was used as an information leak during the contest was also found and fixed during IE9 development.

Why did it take so few weeks to fix this vulnerability?

Normally, all security fixes go through an extensive phase of regression testing. This particular fix did too but since the issue had been previously tested on IE9, we were able to move forward faster with the fix.

When is Microsoft fixing the other two vulnerabilities?

First, it’s important to explain the other two issues:

  • The first one is a “heap address leak”. Using this leak, it was not needed to heap spray large chunks of memory. Please note there is no leak of the contents of the heap such as vtable pointers, just an address of the heap.
  • The second one is an IE protected mode bypass.

Both are currently being evaluated and will be fixed in an upcoming release cycle but, without MS11-018 (the vulnerability we are fixing this month) the other two vulnerabilities do not pose a direct threat to customers.

Fermin J. Serna, MSRC Engineering