
Microsoft: We won't update IE before Pwn2Own

Tuesday's patches include first Windows 7 SP1 fix

Microsoft today revealed that it will not update Internet Explorer (IE) before the Pwn2Own hacking contest begins next week.

Instead, Microsoft plans to ship three security updates on Tuesday to patch four vulnerabilities in Windows and its Office Groove 2007 collaboration software, the company announced today.

It wasn't unexpected for Microsoft to pass up a last chance to patch IE before Pwn2Own, the contest that pits security researchers against four browsers, including IE, Apple's Safari, Google's Chrome and Mozilla's Firefox. Pwn2Own will run March 9 to 11 at the CanSecWest security conference.

Because Microsoft has taken to delivering IE updates in even-numbered months, and last patched its browser on February 8 as part of a large 22-fix slate, it would have been uncharacteristic for it to return to IE this month.

"That's something to note," said Josh Abraham, security researcher at Rapid7.

Instead of devoting resources to rushing out an IE update before Pwn2Own, Abraham speculated, Microsoft may be waiting to see what IE exploits hackers reveal at the contest, then put its efforts into patching them as quickly as possible.

Google and Mozilla have already issued updates this week for Chrome and Firefox, respectively, and Apple will probably patch Safari before Pwn2Own kicks off.

Of the security updates - Microsoft calls them 'bulletins' - that it will deliver next week, two affect Windows, while the third impacts Groove 2007. One of the two Windows updates will be rated 'critical', the top threat level in Microsoft's four-step system, while the remaining pair will be labelled 'important'.

According to the advance notification Microsoft issued for next week's Patch Tuesday, all three updates will quash one or more bugs that can be exploited by attackers to hijack a personal computer or server, then infect those systems with malicious code.

The critical Windows update will also mark the first time Microsoft will ship a patch for Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. The company shipped both service packs only a month ago.

With few clues to go on in the advance notification and no additional information offered by Microsoft on its blogs, Abraham said it was virtually impossible to puzzle out the likely targets of next week's updates.

"They didn't give any details [on the MSRC blog], which they often have," said Abraham. "That's a bit disappointing. Any additional information we can get is helpful."

Abraham added that he expected to see "the same kinds of things that we've seen already, which are drive-by based malware attacks", referring to the kinds of exploits triggered when hackers manage to dupe users into visiting malicious websites.

What's certain is that IT administrators will appreciate the light load after much larger batches in December 2010 and February 2011. "System administrators will enjoy months like this when they get them," said Abraham. "It lets them play a bit of catch-up."
