ZDI outs Microsoft for failing to patch critical IE8 zero-day flaw
A critical flaw in Microsoft's Internet Explorer 8 has gone unfixed since October 2013, says HP's Zero-Day Initiative
A critical security flaw in Microsoft's Internet Explorer 8 has gone unfixed since October 2013, according to a new report by HP's Zero-Day Initiative.
Although IE8 is five years old, it still holds a 20% share of the desktop browser market, according to statistics from Net Applications.
The ZDI rewards security researchers for finding flaws and publishes information on zero-day flaws or unpatched, previously unknown threats if they go unfixed by the software maker for more than 180 days.
The flaw was discovered by Belgian researcher Peter Van Eeckhoutte and allows an attacker to run malicious code in IE8 if a user can be lured to a malicious site designed to exploit the flaw, the ZDI said.
This could be accomplished by sending the victim an email containing a link to such a malicious site and, if successful, the hacker would have the same user rights on the computer as the victim.
The ZDI report on the flaw within the handling of CMarkup objects comes just weeks after Microsoft was forced to issue an emergency patch for a flaw that affected IE 6 to 11.
The patch was released within a week and fixed a vulnerability that could also allow attackers to execute code remotely if the victim visited a compromised or specially crafted malicious website.
Microsoft has not given any reason for the delay in patching this latest vulnerability, which has now been made public, but said it had not seen an active exploit of the flaw, according to CNET.
The software company recommended that users of IE8 set the Internet security zone to "High" to block ActiveX Controls and Active Scripting, and configure IE to prompt before running Active Scripting, or disable Active Scripting altogether, in the Internet and Local intranet security zones.
Microsoft also said users of IE8 should install the Enhanced Mitigation Experience Toolkit (EMET), a free Windows-based security tool that adds supplemental security defences.
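The zone settings described above are stored per user in the registry, so a defender can check whether they are actually in place rather than trusting that users changed them by hand. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits the Internet (zone 3) and Local intranet (zone 1) zones for the two settings the article names and, with `-Harden`, applies the prompt/disable values. The registry path and the URL-action value names (`1200` = Run ActiveX controls and plug-ins, `1400` = Active scripting; data `0` = Enable, `1` = Prompt, `3` = Disable) are the documented IE zone settings; the function and parameter names are this example's own.

```powershell
# Added example (not from the article or Microsoft): audit or apply the per-user
# IE zone settings the article describes. Registry path and value names are the
# documented IE zone settings; the function names below are this example's own.
param([switch]$Harden)

$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAction {
    # Returns the DWORD for one URL action in one zone, or $null if not explicitly set.
    param([int]$Zone, [string]$Action)
    $key  = Join-Path $ZoneBase $Zone
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Set-IEZoneAction {
    # Writes the DWORD for one URL action, creating the zone key if it is missing.
    param([int]$Zone, [string]$Action, [int]$Value)
    $key = Join-Path $ZoneBase $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Action -Value $Value -Type DWord
}

foreach ($zone in $Zones.Keys) {
    foreach ($action in $Actions.Keys) {
        $current = Get-IEZoneAction -Zone $zone -Action $action
        $label   = if ($null -eq $current) { 'not set (zone default)' } else { $Meaning[$current] }
        # Prompt (1) or Disable (3) both count as mitigated; Enable (0) or unset is weak.
        $status  = if ($current -in 1, 3) { 'OK' } else { 'WEAK' }
        '{0,-15} {1,-35} {2,-25} {3}' -f $Zones[$zone], $Actions[$action], $label, $status

        if ($Harden -and $current -notin 1, 3) {
            # Article's mitigation: prompt before Active Scripting, block ActiveX outright.
            $target = if ($action -eq '1400') { 1 } else { 3 }
            Set-IEZoneAction -Zone $zone -Action $action -Value $target
            '  -> set to {0}' -f $Meaning[$target]
        }
    }
}
```

Run it without arguments to get a four-line report, or with `-Harden` to apply the settings for the current user only. Values set by Group Policy under the `Software\Policies\...\Internet Settings\Zones` keys take precedence over these per-user values, so in a managed environment the audit should be repeated against the policy keys as well; installing EMET is a separate step this script does not cover.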