8 months ago we wrote about HP’s Pwn2Own contest, which saw IE11 falling in the contest but the OS itself remaining unbreached, while both iOS and Android were fully “owned”.
It seems, however, that this limited access has given Microsoft enough confidence to leave these browser vulnerabilities, which leave our cookies exposed and the OS open to privilege escalation hacks, unpatched for more than 6 months now.
Ars Technica reports that HP’s security division has now publicly released details of the four code-execution vulnerabilities in IE11 Mobile used in the Pwn2Own contest.
Tipping Point notified Microsoft of the vulnerabilities in November 2014 and January 2015. Microsoft officials acknowledged the bugs, but despite being granted an extension of 2 months (for a total of 6 months) still failed to fix the vulnerabilities prior to the disclosure.
Microsoft commented: “We’re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers.”
The vulnerabilities, which allow attackers to execute code with the same (low) privilege as IE, are at present still confined to the IE sandbox, which may explain why Microsoft does not consider them critical. Of course IE11 is also set to be replaced with the Edge browser in the next few months, but it is not clear how long this will take, or what percentage of the Windows Phone 8.1 installed base will eventually upgrade.
Are our readers concerned by this issue, or do you think Microsoft should concentrate on finishing Windows 10 Mobile and not waste time fixing a bug on what will soon be a legacy OS? Let us know below.