Microsoft patches IE with record-setting updates to prep browser for Pwn2Own

IE9, IE10 face hackers in three weeks when $175,000 is up for grabs at annual contest

Microsoft this week patched 14 vulnerabilities in Internet Explorer (IE), preparing the browser for its time as a target early next month at the annual Pwn2Own hacking contest.

On Tuesday, Microsoft patched 57 vulnerabilities, including 14 affecting IE that were delivered in two separate security updates. One of those updates, MS13-009, fixed 13 flaws, a dozen of them judged "critical," the company's most serious threat rating. The second update, MS13-010, patched a single vulnerability. That bug was also pegged critical.

IE9 and IE10 will face Pwn2Own hackers starting March 6 at the CanSecWest security conference in Vancouver, British Columbia. The first researcher to successfully demonstrate an exploit of one or more previously-unknown vulnerabilities in IE9 on Windows 7 will take home a $75,000 cash prize. The first who takes down IE10, Microsoft's newest browser, running on Windows 8, will earn an even $100,000.

Eleven of the 13 vulnerabilities patched in MS13-009 were rated critical for IE9 on Windows 7, while four were tagged the same for IE10 on Windows 8. The one bug in MS13-010 was labeled critical for both browsers.

Microsoft said that all the critical vulnerabilities could be exploited by attackers to hijack a Windows PC. If they had gone unpatched, researchers would have been able to use them at Pwn2Own.

Andrew Storms, director of security operations at nCircle Security, noted the large number of IE vulnerabilities patched this week -- the most in at least six years. "It's a big clearing of the backlog," said Storms.

Another unusual aspect of the IE patches was that they came in more than one update, which Microsoft designates as "bulletins." This was the first month in Storms' memory that Microsoft had issued two IE bulletins simultaneously. Typically, it bundles all patches into one update.

Storms suspected the reason stemmed from Microsoft's internal organization. "I'm guessing the Office team probably created the VML patch," he said, referring to MS13-010, the one-patch update that fixed a flaw in Vector Markup Language (VML).

While MS13-010 patched IE6, IE7, IE8, IE9 and IE10 to fix the VML bug, the image format originated with Microsoft's Office suite, where it remains in wide use. It's supported by IE so that websites and Web apps using the format can be properly rendered. Microsoft has pushed Web developers to use SVG (Scalable Vector Graphics) instead, and has officially made VML obsolete -- although still supported in legacy modes -- in IE10.

If past practice holds, other browser makers will also update their applications before Pwn2Own. Mozilla, for instance, will ship Firefox 19 next Tuesday, Feb. 19. And while Google does not adhere to a regular update schedule for Chrome -- unlike Microsoft and Mozilla -- it will probably patch before the contest as well.

Pwn2Own will award prizes of $100,000 to the first researcher to crack Chrome on Windows 7, and $60,000 to the first to hack Firefox on that same OS.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingMicrosoftsecurityMalware and Vulnerabilities

More about Andrew Corporation (Australia)AppleGoogleMicrosoftMozillanCircleTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place