March 9th, 2012, 21:08 PM
Internet Explorer 9 Falls at Pwn2Own Hacking Contest
First Google Chrome fell, and now Microsoft's Internet Explorer 9 has been exploited.
The Microsoft browser on Thursday was taken down at the CanSecWest Pwn2Own hacking competition by a team of hackers with the French research firm Vupen. The hackers exploited two zero-day vulnerabilities, described as a heap overflow bug and a memory corruption flaw, to crack Internet Explorer 9. The hackers were able to run code outside the browser's Protected Mode sandbox, a security feature meant to contain malicious code and prevent it from executing on a system. In doing so, they were able to take control of a fully-patched Windows 7 machine.
The code execution attack they developed requires no user interaction beyond browsing to a rigged website, ZDNet reported. It works on old versions of the browser, such as IE 6, all the way up to IE version 10, which is currently only available for consumer preview.
"This one was difficult," Vupen co-founder Chaouki Bekrar told ZDNet. "When you have to combine many vulnerabilities and bypass all these protections, it takes a longer time."
Representatives from Microsoft were at the event and said they plan to respond to the flaw once they receive information about it from the contest organizers, ZDNet said.
Full story: PC Magazine