The most-worrisome security flaw revealed by the Pwn2Own contest was the Internet Explorer 8 hack. Dutch researcher Peter Vreugdenhil won $10,000 by circumventing Windows 7′s two best anti-malware controls, Address Space Load Randomization (ASLR) and Data Execution Prevention (DEP).
An independent security expert, Vreugdenhil immediately published a paper, available on his Web site, describing in general terms how he did it. (He states he will not publicly reveal the exact exploits used.) He was able to take over a fully up-to-date Windows 7 system in two steps. First, he managed to evade ASLR and get the memory address of a Windows 7 .dll file. Next, he disabled DEP by using a previously known exploit.
Circumventing DEP is especially troubling: Microsoft relies heavily on DEP to keep out new malware that’s unknown to antivirus applications — so-called zero-day attacks.
A March 30 Microsoft Security Response Center bulletin announced the unscheduled release of an Internet Explorer update. According to the bulletin, this release was not related to the IE 8 vulnerability revealed at CanSecWest (which Microsoft is still investigating) but is a cumulative security patch for all versions of Internet Explorer.
Security Bulletin MS10-018 (980182) is marked critical, addresses 10 Internet Explorer security flaws, and should be installed as soon as possible. For more on this and a large Apple patch release, see contributing editor Susan Bradley’s Patch Watch column in today’s paid content.
Extracted from windowssecrets