ZDI outs Microsoft for failing to patch critical IE8 zero-day flaw

A critical security flaw in Microsoft's Internet Explorer 8 has gone unfixed since October 2013, according to a new report by HP's Zero-Day Initiative.

Download this free guide

3 key web security guidelines from FS-ISAC

We address the ongoing issues regarding web security for businesses relying on an online presence. Download this e-guide and discover how to identify and address overlooked web security vulnerabilities as well as why you should look at the full security development lifecycle to reduce web threats.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

Although IE8 is five years old, it still holds a 20% share of the desktop browser market, according to statistics from Net Applications.

The ZDI rewards security researchers for finding flaws and publishes information on zero-day flaws or unpatched, previously unknown threats if they go unfixed by the software maker for more than 180 days.

The flaw was discovered by Belgian researcher Peter Van Eeckhoutte and allows an attacker to run malicious code in IE8 if a user can be lured to a malicious site designed to exploit the flaw, the ZDI said.

This could be accomplished by sending the victim an email containing a link to such a malicious site and, if successful, the hacker would have the same user rights on the computer as the victim.

The ZDI report on the flaw within the handling of CMarkup objects comes just weeks after Microsoft was forced to issue an emergency patch for a flaw that affected IE 6 to 11.

The patch was released within a week and fixed a vulnerability that could also allow attackers to execute code remotely if the victim visited a compromised or specially crafted malicious website.

Microsoft has not given any reason for the delay in patching this latest vulnerability to be made public, but said it not seen an active exploit of the flaw, according to CNET.

The software company recommended users of IE 8 set Internet security zone settings to "high" to block ActiveX Controls and Active Scripting and configure IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Microsoft also said users of IE8 should install the Enhanced Mitigation Experience Toolkit (EMET), a free Windows-based security tool that adds supplemental security defences.