Microsoft missing patch for IE 8 vulnerability?
Microsoft put out their monthly Patch Tuesday update yesterday, including several updates for Internet Explorer (IE), but none for IE 8. This surprised me. After all, wasn't a flaw found in IE 8 last month at the PWN2OWN hacking contest?
In fact, Safari, IE 8 and Firefox 3 were all hit with a vulnerability at PWN2OWN. Mozilla has already patched Firefox. So what about IE 8?
As it turns out, the release of IE 8 that is now available is not vulnerable after all.
"The build of Internet Explorer 8 used in the Pwn2Own contest was not the RTW build released on March 19, 2009 to customers," Microsoft wrote in an email to me.
Nils (the hacker who cracked IE 8 at PWN2OWN) did not use the final version of IE 8, and apparently there were some fixes in the final build. So technically speaking, IE 8 (the final release version) has not yet been hit with any public vulnerabilities and has not been publicly cracked or hacked either.
With Microsoft now pushing IE 8 to its users via the Automatic Update process, the fact that IE 8 remains secure and un-cracked (publicly) is a great thing. Microsoft, though it takes more than its fair share of blame for all IT security problems (can you say Conficker?), is doing the right thing with IE 8, so far at least.
Time will tell whether I'm wrong and Nils, or someone else, can in fact still exploit IE 8. It's likely just a matter of time, but for now at least, new IE 8 users don't need to worry that some known flaw is out there waiting to get them.