The Inquirer-Home

Microsoft fixes Pwn2own Internet Explorer hole

Along with 63 other software vulnerabilities
Wed Apr 13 2011, 11:14

THIS MONTH'S Microsoft Patch Tuesday fixed a vulnerability in Internet Explorer used by hackers to win last month's Pwn2own hacking contest, along with 63 other flaws in Microsoft software.

A patch for the MS11-018 vulnerability was vital, as there were reports of attacks in the wild targeting the flaw in Internet Explorer 6, 7 and 8, which could allow criminals to take over machines. This time Microsoft was fortunate that IE 9 was unaffected, as the flaw had been found during the browser's development.

Microsoft fixed the primary use-after-free vulnerability used to gain code execution, but there remain two other flaws discovered at Pwn2own. However, these don't pose a direct threat to users, as they are only useful if the original flaw is present.

The patches also fixed an MHTML vulnerability in Windows first disclosed by Google in March, as well as two critical vulnerabilities in the SMB protocol, one on the client side and one on the server side, MS11-019 and MS11-020.

In total, Microsoft released 17 security bulletins, fixing a total of 64 vulnerabilities, as outlined last week in its pre-brief. All Windows operating systems and versions of Office are affected.

In support of the fixes, Microsoft also released what could be a crucial security tool. It is called "Office File Validation" and aims to protect against potentially malicious components in Office files.

This type of attack is becoming more common, with Adobe having found that embedded Flash exploits were being hidden in Office files. More details from Microsoft about that particular problem are available here. µ
