Microsoft confirmed it is looking into a potentially dangerous security hole in the newly shipped Internet Explorer 8, but played down as speculation the suggestion that the shipping version of IE8 is at serious risk of attack.
In fact, the potential exploit, according to a posting on Microsoft’s Security, Research, and Defense blog, is prevented from working in the final release version of IE8, which Microsoft opened for public download last Thursday.
Researchers uncovered the sophisticated method for breaking into IE last week during the annual CanSecWest security conference in Vancouver, British Columbia. During the conference’s PWN2OWN vulnerability-seeking contest, participants succeeded in compromising IE8 and other leading browsers.
“Microsoft is investigating reports of a possible vulnerability in Internet Explorer 8,” Microsoft’s (NASDAQ: MSFT) Christopher Budd, security response communications lead, told InternetNews.com in an e-mail.
However, the company claims that the version of IE8 attacked at CanSecWest was not the same as the final version released to the public.
“While Microsoft can’t comment on the specifics of the investigation, they can say that what was demonstrated at CanSecWest will not be successful on the RTW [short for “Release to Web,” the finished, publicly available version] build released on March 19, 2009, due to changes that make the … [exploit] more difficult to accomplish,” Budd continued.
Company officials said the vulnerability had been “responsibly” revealed to Microsoft by TippingPoint, the security firm that organized PWN2OWN — meaning that the details of the exploit were turned over to Microsoft’s engineers for evaluation and repair, if necessary, in a candid and timely manner.
“If the vulnerability is confirmed, [Microsoft engineers] will take action to help protect customers by delivering a security update through the monthly release process, developing an out-of-cycle update or by providing additional guidance to help customers protect themselves,” Budd said.