News Microsoft leaves IE10 Pwn2Own vulnerability unpatched

Wasn't the point of Windows update to keep systems secure and up to date ?
Microsoft seem to be contradicting that by not releasing updates when they are available and instead once per month.

 

Yea i get the enterprise thing, but wasn't windows update mainly intended for home users ?
The kind of people that don't know what security is or why they should patch software.

Most enterprise's i know would either disable auto updates or use system update server so like you say they can test the updates when they see fit, be that monthly or twice a years, etc, etc.

 

it's not just enterprise that has been broken by updates before though, it could be any software on any windows computer, that may get broken by an update, released willy nilly.

if they haven't released the fix for it yet, there is probably a very good reason, and they may still be working on it.

 

Chrome and Firefox manage to release a fix relatively quickly, yet Microsoft with a direct channel to there to role out updates still hasn't over a month later.

Even if as RichCreedy said, that it may have broken something like some previous updates.
There is still no excuse when the problem automatic windows update was introduced (to make sure customers get updates in a timely manner) is now being cause by the same company.

 

I know I'm out of context here but that just reminded me of:
.
..
...
You know we're sitting on four million pounds of fuel, one nuclear weapon and a thing that has 270,000 moving parts built by the lowest bidder. Makes you feel good, doesn't it?
-Rockhound 'Armageddon'

 

@ corky, you are forgetting internet explorer is far more intergrated into windows than firefox or chrome

 

That's exactly the problem of IE imho. Being so heavily integrated makes the whole system more vulnerable.

 

Without details on the exact exploit, isn't it a bit speculative to say the exploit was IE per se and not windows 8?

 

Not that i know much (anything) about hacking but i know the hacks where via the browsers.
From my understanding they used code that could be run from a malicious web page to leverage a kernel vulnerability in Windows in order to escalate privileges.

http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

so is it a bit of both, or is the first point of attack the part that gets the blame ?

 

I don't care about IE, I don't use it since v6.

 

"so is it a bit of both, or is the first point of attack the part that gets the blame ?"

The user of course. He always need to have a REAL firewall if he still use Internet, specially on nowdays.

 

Point I was getting at being that IE10 was the ONLY (according to Bit-Tech and a quick google around) machine running Win8, where all the others ran Win7.

Exactly. It was a browser exploit, but it could WELL be that the fix needs to be done in windows 8, since it's merely one show-o-fact for a bigger problem.

 

Then how do you explain Chrome and Firefox releasing patches for the same exploit 2-3 days after it was discovered ?

 

Chrome and FF ran on windows 7 - it might not be the exact same vulnerability...

Not trying to argue here, just pointing out that it seems like there might have been something that was overlooked.

 

Very well spotted

I cant find any information about if they managed to do the same with IE9 running on windows 7 as the only thing people seem to report is IE10 hacked on windows 8.

You would think a distinction would be made that only Chrome, Firefox and IE9 was attempted on windows 7.
And the only browser to be tested on Window 8 was IE10.