IE8 Ready for First Patch?
Microsoft says it's looking at whether to issue a security patch, but points out that no attacks in the wild have been confirmed so far.
In fact, the potential exploit, according to a posting on Microsoft's Security, Research, and Defense blog, is prevented from working in the final release version of IE8, which Microsoft opened for public download last Thursday.
Researchers uncovered the sophisticated method for breaking into IE last week during the annual CanSecWest security conference in Vancouver, British Columbia. During the conference's PWN2OWN vulnerability-seeking contest, participants succeeded in compromising IE8 and other leading browsers.
However, the company claims that the version of IE8 attacked at CanSecWest was not the same as the final version released to the public.
"While Microsoft can't comment on the specifics of the investigation, they can say that what was demonstrated at CanSecWest will not be successful on the RTW [short for "Release to Web," the finished, publicly available version] build released on March 19, 2009, due to changes that make the [exploit] more difficult to accomplish," Budd continued.
Company officials said the vulnerability had been "responsibly" revealed to Microsoft by TippingPoint, the security firm that organized PWN2OWN -- meaning that the details of the exploit were turned over to Microsoft's engineers for evaluation and repair, if necessary, in a candid and timely manner.
"If the vulnerability is confirmed, [Microsoft engineers] will take action to help protect customers by delivering a security update through the monthly release process, developing an out-of-cycle update or by providing additional guidance to help customers protect themselves," Budd said.
This article was first published on InternetNews.com.