1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Microsoft leaves IE10 Pwn2Own vulnerability unpatched

Discussion in 'Article Discussion' started by Gareth Halfacree, 10 Apr 2013.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,381
    Likes Received:
    7,215
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Wasn't the point of Windows update to keep systems secure and up to date ?
    Microsoft seem to be contradicting that by not releasing updates when they are available and instead once per month.
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,381
    Likes Received:
    7,215
    Fixed-period update cycles are common in enterprise software. Before a fix can be installed in an enterprise environment, it has to be fully tested: imagine if your business relies on BespokeSoftware v13.42, and a Windows Update patch to fix something unrelated made BespokeSoftware v13.42 stop working - or, worse, appear to work fine but silently break things in the background. Nightmare, right?

    So, before any patch is installed, it undergoes internal testing. This is why Microsoft provides tools for centralised management of Windows Update updates: you are alerted to new updates, you can download 'em and try them out on a test system or twelve, then when you're *sure* it fixes more than it breaks you can hit the 'go' button and roll it out across your userbase.

    With a monthly update cycle, you know to schedule in a bit of time - typically the second week of the month, from the Tuesday release to Friday - for testing the patches. If they were released piecemeal, you'd have to employ someone whose sole job was to watch for the 'New Patch Downloaded' notification, test it, release it, then realise four other patches have been released during the testing period and start again. Sisyphus and the rock, basically.
     
  4. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Yea i get the enterprise thing, but wasn't windows update mainly intended for home users ?
    The kind of people that don't know what security is or why they should patch software.

    Most enterprise's i know would either disable auto updates or use system update server so like you say they can test the updates when they see fit, be that monthly or twice a years, etc, etc.
     
  5. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,698
    Likes Received:
    172
    it's not just enterprise that has been broken by updates before though, it could be any software on any windows computer, that may get broken by an update, released willy nilly.

    if they haven't released the fix for it yet, there is probably a very good reason, and they may still be working on it.
     
  6. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Chrome and Firefox manage to release a fix relatively quickly, yet Microsoft with a direct channel to there to role out updates still hasn't over a month later.

    Even if as RichCreedy said, that it may have broken something like some previous updates.
    There is still no excuse when the problem automatic windows update was introduced (to make sure customers get updates in a timely manner) is now being cause by the same company.
     
  7. magicpixel

    magicpixel What's a Dremel?

    Joined:
    11 May 2004
    Posts:
    93
    Likes Received:
    0
    I know I'm out of context here but that just reminded me of:
    .
    ..
    ...
    You know we're sitting on four million pounds of fuel, one nuclear weapon and a thing that has 270,000 moving parts built by the lowest bidder. Makes you feel good, doesn't it?
    -Rockhound 'Armageddon'
     
  8. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,698
    Likes Received:
    172
    @ corky, you are forgetting internet explorer is far more intergrated into windows than firefox or chrome
     
  9. jrs77

    jrs77 Modder

    Joined:
    17 Feb 2006
    Posts:
    3,483
    Likes Received:
    103
    That's exactly the problem of IE imho. Being so heavily integrated makes the whole system more vulnerable.
     
  10. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,230
    Likes Received:
    219
    Without details on the exact exploit, isn't it a bit speculative to say the exploit was IE per se and not windows 8?
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,381
    Likes Received:
    7,215
    The Pwn2Own contest this year was to attack machines specifically through the web browser: it's an IE10 bug, not a Windows 8 bug. That much is publicly known.
     
  12. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Not that i know much (anything) about hacking but i know the hacks where via the browsers.
    From my understanding they used code that could be run from a malicious web page to leverage a kernel vulnerability in Windows in order to escalate privileges.

    http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

    so is it a bit of both, or is the first point of attack the part that gets the blame ?
     
  13. Gradius

    Gradius IT Consultant

    Joined:
    3 Feb 2009
    Posts:
    288
    Likes Received:
    1
    I don't care about IE, I don't use it since v6.
     
  14. Gradius

    Gradius IT Consultant

    Joined:
    3 Feb 2009
    Posts:
    288
    Likes Received:
    1
    "so is it a bit of both, or is the first point of attack the part that gets the blame ?"

    The user of course. He always need to have a REAL firewall if he still use Internet, specially on nowdays.
     
  15. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,230
    Likes Received:
    219
    Point I was getting at being that IE10 was the ONLY (according to Bit-Tech and a quick google around) machine running Win8, where all the others ran Win7.

    Exactly. It was a browser exploit, but it could WELL be that the fix needs to be done in windows 8, since it's merely one show-o-fact for a bigger problem.
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Then how do you explain Chrome and Firefox releasing patches for the same exploit 2-3 days after it was discovered ?
     
  17. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,230
    Likes Received:
    219
    Chrome and FF ran on windows 7 - it might not be the exact same vulnerability...

    Not trying to argue here, just pointing out that it seems like there might have been something that was overlooked.
     
  18. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Very well spotted :)

    I cant find any information about if they managed to do the same with IE9 running on windows 7 as the only thing people seem to report is IE10 hacked on windows 8.

    You would think a distinction would be made that only Chrome, Firefox and IE9 was attempted on windows 7.
    And the only browser to be tested on Window 8 was IE10.
     

Share This Page