Patched IE8 flaw used for targeted attacks, says Microsoft

Microsoft says hackers have attacked computers by exploiting a flaw in Internet Explorer 8 disclosed in May 2013 by a Google researcher

Microsoft says hackers have attacked some computers by exploiting a flaw in Internet Explorer 8 that was disclosed in May by a Google researcher.

Google security engineer Tavis Ormandy came under fire for publicising the flaw without telling Microsoft first, but the company was able to issue a patch in its June Patch Tuesday security update.

Microsoft provided few details about the attacks, but said hackers had exploited the flaw to carry out "targeted attacks", according to the Guardian.

Tavis Ormandy has clashed on several occasions with Microsoft, which encourages researchers to disclose flaws responsibly so attackers cannot exploit vulnerabilities before they are fixed.

In June 2010, Ormandy went public with a zero-day vulnerability in Windows XP and Windows Server 2003.

Ormandy published his advisory, including exploit code, just five days after reporting the vulnerability to Microsoft.

At the time, the Microsoft said reporting vulnerabilities directly to suppliers without further disclosure helped ensure customers receive high-quality updates before vulnerabilities are exploited.

However, the fact that the flaw is being exploited after the release of a security update highlights the importance of keeping all software up to date.

Failure to patch software applications exposes computer systems to attackers exploiting known vulnerabilities, research has shown.

Keeping software up to date with security patches can deliver 80% protection from cyber threats, Secunia research analyst Stefen Frie told attendees of Infosec Europe 2012 in London.

The best way for enterprise information security professionals to deal with the onslaught of malware is by applying enterprise software security updates as soon as possible, he said.

Read more on Hackers and cybercrime prevention