Security 10816 Published by

Microsoft's monthly Patch Tuesday security updates released today did not include patches for Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago



From Threadpost:
“Microsoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition’s findings,” said Dustin Childs, group manager, Microsoft Trustworthy Computing.

Today’s IE rollup addresses a pair of critical remote code execution flaws in versions 6-10 the browser. Both are use- after free vulnerabilities that exist in the way IE accesses objects in memory that have been deleted. “These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user,” Microsoft said in its advisory MS13-028. Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.
  Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates