ZDI outs Microsoft for failing to patch critical IE8 zero-day flaw

A critical flaw in Microsoft's Internet Explorer 8 has gone unfixed since October 2013, says HP's Zero-Day Initiative

A critical security flaw in Microsoft's Internet Explorer 8 has gone unfixed since October 2013, according to a new report by HP's Zero-Day Initiative.

Although IE8 is five years old, it still holds a 20% share of the desktop browser market, according to statistics from Net Applications.

The ZDI rewards security researchers for finding flaws and publishes information on zero-day flaws (unpatched, previously unknown threats) if the software maker leaves them unfixed for more than 180 days.

The flaw was discovered by Belgian researcher Peter Van Eeckhoutte and allows an attacker to run malicious code in IE8 if a user can be lured to a malicious site designed to exploit the flaw, the ZDI said.

This could be accomplished by sending the victim an email containing a link to such a malicious site and, if successful, the hacker would have the same user rights on the computer as the victim.

The ZDI report on the flaw, which lies in IE8's handling of CMarkup objects, comes just weeks after Microsoft was forced to issue an emergency patch for a flaw that affected IE 6 to 11.

The patch was released within a week and fixed a vulnerability that could also allow attackers to execute code remotely if the victim visited a compromised or specially crafted malicious website.

Microsoft has not given any reason for the delay in patching this latest vulnerability, which has now been made public, but said it has not seen an active exploit of the flaw, according to CNET.

The software company recommended that users of IE 8 set the Internet security zone to "high" to block ActiveX Controls and Active Scripting, or configure IE to prompt before running Active Scripting (or disable it) in the Internet and Local intranet security zones.

Microsoft also said users of IE8 should install the Enhanced Mitigation Experience Toolkit (EMET), a free Windows-based security tool that adds supplemental security defences.
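As an added example, not taken from the article or from Microsoft's guidance, the following PowerShell script audits (and with -Apply enforces) the two zone settings the article names. The registry paths and action codes are Internet Explorer's documented per-zone settings; the choice of "Prompt" for the Local intranet zone is this example's own assumption.

```powershell
# Added example (not from the article): audit, and optionally apply, the IE zone
# hardening described above. Run as the user whose IE profile should be checked.
[CmdletBinding()]
param([switch]$Apply)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone 1 = Local intranet, Zone 3 = Internet.
# Action 1200 = "Run ActiveX controls and plug-ins", action 1400 = "Active scripting".
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$desired = @{
    '3' = @{ '1200' = 3; '1400' = 3 }   # Internet: disable, as the "High" template does
    '1' = @{ '1200' = 1; '1400' = 1 }   # Local intranet: prompt (assumption made here)
}
$names  = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$weak = 0
foreach ($zone in $desired.Keys) {
    $key = Join-Path $zoneRoot $zone
    foreach ($action in $desired[$zone].Keys) {
        $want  = $desired[$zone][$action]
        $have  = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        $label = "Zone $zone / $($names[$action]) ($action)"
        # A missing value means the zone's built-in default applies; treat it as unverified.
        $haveText = if ($null -eq $have) { 'not set (zone default)' } else { $states[[int]$have] }
        if ($have -eq $want) {
            Write-Output "OK     $label = $($states[$want])"
        } elseif ($Apply) {
            # Writing the per-action value is what the zone slider does for this action;
            # the slider will then display "Custom" for the zone.
            Set-ItemProperty -Path $key -Name $action -Value $want -Type DWord
            Write-Output "FIXED  $label : $haveText -> $($states[$want])"
        } else {
            $weak++
            Write-Output "WEAK   $label = $haveText (want $($states[$want]))"
        }
    }
}
if (-not $Apply) { Write-Output "$weak setting(s) weaker than desired; re-run with -Apply to enforce." }
```

Settings pushed by Group Policy live under the HKLM and HKCU Policies keys and take precedence over the user values read here, so a managed machine may report WEAK while actually being locked down by policy.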
