Microsoft Finally Patches IE for Pwn2own 2014 Flaws
Page 1 of 1
According to Tripwire's data for Patch Tuesday, the June IE update has the highest number of identified Common Vulnerabilities and Exposures (CVEs) for IE in a monthly patch since 2009, when Tripwire first started recording patch trend data.
Among the 59 IE security fixes is a patch for a zero-day issue revealed by Hewlett-Packard's Zero Day Initiative (ZDI) in May, as well as fixes for vulnerabilities first privately disclosed at the Pwn2own browsing hacking event in March.
The CVE-2014-01770 vulnerability was first disclosed to Microsoft in November 2013 and was only publicly disclosed by HP in May. HP publicly discloses flaws that have not been fixed by vendors after 120 days.
Microsoft credits CVE-2014-1764 and CVE-2014-2777, both of which are Elevation of Privilege Vulnerabilities, to security firm Vupen working with HP. Vupen is the research outfit that was successfully able to exploit IE during the HP-sponsored Pwn2own event in March.