Hack contest sponsor confirms Internet Explorer 8 bug in final code

By Gregg Keizer, Computerworld

The final version of Microsoft Corp.'s Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed Friday.

But the exploit used by the computer science student to break the release candidate of IE8 -- and walk away with a Sony laptop and US$5,000 in cash -- won't work on the final version of IE8 as long as it's running in Windows Vista SP1 or Windows 7, said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint.

Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because Nils, the German student who gave only his first name, hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later.

Friday, Forslof put the chatter to rest by confirming that IE8's RTW, or "release to Web" bits, were immune from Nils' hack. "His exploit did, in fact, employ the technique found by Sotirov and Dowd," said Forslof, referring to work by Mark Dowd and Alex Sotirov, two researchers who announced last summer that they were able to bypass two of Vista's biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention).

Microsoft made changes to IE8 between RC1 and the final code that blocked Dowd's and Sotirov's circumvention technique, thereby making Nils' exploit moot -- but only in some situations, said Forslof Friday.

"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly-known techniques."

Also at risk, said Forslof, are users running IE8 in the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.

Forslof declined to confirm whether the bug also exists in older versions of IE, such as IE7. "We're not going to comment on that," she said, "because we're still confirming the vulnerability on the previous versions ourselves. So we'll let Microsoft handle that [announcement]."

But she suspects that IE7 is vulnerable. "My guess would be yes," she said. "A lot of times, researchers look at the current software, in this case IE7, find a bug, then they test on the beta of the next. If they find it there [in IE8], they wait and see whether it's fixed in the final."

Microsoft has said little about the IE8 vulnerability, although during an online Q&A Wednesday, the browser team noted that Nils' exploit wouldn't work on the RTW edition. "We can say that the attack as demonstrated in Pwn2Own at CanSecWest will not succeed on the RTW build released on March 19 due to changes that can block the ASLR+DEP .NET bypass demonstrated by Dowd and Sotirov," said Kymberlee Price, a program manager for IE8 security.

Mozilla Corp., whose Firefox browser was also hacked by Nils last week, plans to patch that flaw, as well as another that just went public, next week. Microsoft, however, has not spelled out a timetable for an IE fix.

2 comments

    Anonymous 1 year ago
    I haven't used Internet Explorer for over four years. I have a lot of problems with the software, the anti-virus didn't work anymore, I have a lot of corrupted files because of the viruses that I caught through the browser. With Firefox and a free antivirus download, things are easier. Believe me when I say that I am very protected.
    Anonymous 1 year ago
    If Internet Explorer isn't ready to go on the market, then Microsoft should fix it and then release it. I have downloaded free antivirus, but it isn't enough. A good browser. We know that!
