Online PC Support

OPS Technical Solutions : +1 833-522-1003


French Security Experts crack Internet Explorer® 9 at a hacking event

If you believe that the Microsoft browser you use on your computer or tablet is absolutely safe, think again. Even the latest and safest browser from Microsoft, Internet Explorer 9, is not totally hack-proof.

At the recent annual hacking event Pwn2Own, a team of experts from VUPEN Security brought down Internet Explorer 9 by taking advantage of two bugs: an unpatched heap overflow flaw and a memory-corruption vulnerability. They used the two bugs to execute attack code that allowed them to bypass the Protected Mode security feature built into Internet Explorer 9.

“It was difficult because the heap overflow vulnerabilities are not very common,” said Chaouki Bekrar, CEO and chairman of VUPEN Security. “They [the flaws] are rare but they are useful, because you can use the same vulnerability to achieve memory leak and thus bypass ASLR,” he added.

The experts from VUPEN Security showcased their brilliance by hacking Google Chrome on the first day of this annual hacking contest, which was held at the CanSecWest security conference in Vancouver.

Vulnerability In Microsoft Office 2010 Detected

Researchers from VUPEN Security in France report that they have found a vulnerability in Microsoft Office 2010. They also said that they have not yet officially reported it to Microsoft.

According to the researchers at VUPEN Security, they have discovered a memory corruption flaw that could allow an attacker to execute code. The company has created a code execution exploit that works with Office 2010 and bypasses the Data Execution Prevention and Office File Validation features.

The bug:

The Chief Executive Officer of Vupen, Chaouki Bekrar, said that the bug is caused by a heap corruption error while processing malformed data within an Excel document. He added that there are many security features enabled in Office 2010 by default, which will make exploiting the vulnerability an easy job. Yet they are able to execute code reliably through a specially crafted Excel document.

Although the technical details of the bug are not available at present, Vupen says that the government, which is one of the customers of the Vupen Threat Protection Program, has access to the binary analysis of the vulnerability. It also acknowledges that it has not yet reported the vulnerability details to Microsoft.

Reply of Microsoft:

Jerry Bryant, the group manager of response communications at Microsoft, replied that Microsoft is already aware of the vulnerability but does not have the details needed to validate it. According to Bryant, Microsoft encourages the disclosure of vulnerabilities directly to vendors. It believes that revealing vulnerabilities to vendors helps customers receive high-quality updates before cyber criminals become aware of a vulnerability and exploit it, thereby reducing the risks to customers.

Bekrar of Vupen states that Vupen encourages disclosure of vulnerabilities. He added that some vulnerabilities affecting MS Office Word, Excel and Internet Explorer have been disclosed. Customers are said to be informed of the disclosed vulnerabilities and are advised to allow Vupen to protect national infrastructures from potential attacks.

Bekrar also stated that Vupen is still working out whether the bug affects the older versions of Microsoft, and that this is a very long and tedious process involving a lot of investment, which is why it has not told Microsoft about the vulnerability. He added that Vupen is not interested in merely making a name for itself by disclosing the vulnerability to Microsoft, as this is really a very big research project for Vupen. Vupen is said to plan to disclose the details of the bug to Microsoft at a later date, after the full research is complete.

In reply, Bryant says that the creators of a product are responsible for creating updates to protect their customers from probable vulnerabilities.

To conclude, when VUPEN discloses the bug, Microsoft will be able to come up with a solution and users will soon benefit. The company needs to come up with the solution as soon as possible, because the issue is hurting the image of Microsoft’s promise of quality product delivery.
