February 14, 2013, 1:10 PM — Microsoft this week patched 14 vulnerabilities in Internet Explorer (IE), preparing the browser for its time as a target early next month at the annual Pwn2Own hacking contest.
On Tuesday, Microsoft patched 57 vulnerabilities, including 14 affecting IE that were delivered in two separate security updates. One of those updates, MS13-009, fixed 13 flaws, a dozen of them judged "critical," the company's most serious threat rating. The second update, MS13-010, patched a single vulnerability. That bug was also pegged critical.
IE9 and IE10 will face Pwn2Own hackers starting March 6 at the CanSecWest security conference in Vancouver, British Columbia. The first researcher to successfully demonstrate an exploit of one or more previously-unknown vulnerabilities in IE9 on Windows 7 will take home a $75,000 cash prize. The first who takes down IE10, Microsoft's newest browser, running on Windows 8, will earn an even $100,000.
Eleven of the 13 vulnerabilities patched in MS13-009 were rated critical for IE9 on Windows 7, while four were tagged the same for IE10 on Windows 8. The one bug in MS13-010 was labeled critical for both browsers.
Microsoft said that all the critical vulnerabilities could be exploited by attackers to hijack a Windows PC. If they had gone unpatched, researchers would have been able to use them at Pwn2Own.
Andrew Storms, director of security operations at nCircle Security, noted the large number of IE vulnerabilities patched this week -- the most in at least six years. "It's a big clearing of the backlog," said Storms.
Another unusual aspect of the IE patches was that they came in more than one update, which Microsoft designates as "bulletins." This was the first month in Storms' memory that Microsoft had issued two IE bulletins simultaneously. Typically, it bundles all patches into one update.
Storms suspected the reason stemmed from Microsoft's internal organization. "I'm guessing the Office team probably created the VML patch," he said, referring to MS13-010, the one-patch update that fixed a flaw in Vector Markup Language (VML).