Microsoft Security Bulletin Advance Notification for March 2011

I read the links but can't tell if the MHTML Script Injection vulnerability is scheduled to be patched?

 

All speculation at this point but check what MS is currently calling "Bulletin 2" (see the link in Ron's first post) and compare the MHTML advisory:

http://www.microsoft.com/technet/security/advisory/2501696.mspx

Sure seems to match up with each OS, particularly the part about "Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option" not being affected. Again, just a wild guess.

 

I believe the correct answer is, no MHTML vulnerability patch...
Microsoft won't patch IE before Pwn2Own

 

Does that mean contestants are allowed to use it?

 

Cha-ching!

 

That's odd, one would think they wouldn't be allowed to use exploits discovered by someone else.

 

Oh I agree, and I doubt that that is the case.
Discovered exploits are just that... already discovered.

 

There's nothing explicit in the short rules posted http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
but I think I remember that known vulnerabilities are excluded. This Miller guy who won 3 times was claimed to have cheated on a particular OS X/Safari vulnerability that involved code that wasn't only known to be vulnerable but already fixed in the upstream open source code.

Anyway, I don't think you'd get far with the mhtml exploit, maybe it could be useful on the Windows Phone but I doubt that is even vulnerable to it. On the Desktop IE side of things remote code execution is a requirement and for that cross site scripting when you already can send the victim to a attacker controlled site doesn't get you any further.

MS is waiting with a fix so it can roll out a single patch sometime later this month fixing whatever other (and more important) security vulns are going to be reported via pwn2own.

 

From the blog...

Thanks for posting the link, Ron.

 

Has anyone received this update -http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ef2ee37e-5562-4150-b3df-371651b83162&pf=true ?

I can't find any info about what "issues" it will resolve. There's no knowledge base article either -http://support.micrososft.com/kb/2505438

 

Thanks!

You did what Microsoft failed to do - to provide a valid link.

Again thanks!