Microsoft has failed to deliver a fix for a remotely exploitable flaw in Internet Explorer 8, despite being informed of the vulnerability in October 2013.
The bug in Microsoft’s browser, discovered by Belgian researcher Peter ‘corelanc0d3r’ Van Eeckhoutte, can be exploited if a user opens a link to a malicious web page (known as a drive-by download) or opens a booby-trapped email attachment.
Details of the bug were disclosed by HP’s TippingPoint Zero-Day Initiative (ZDI), which offers rewards to researchers for reporting bugs. When flaws are found, ZDI handles disclosure to the vendor and, as per its policy, keeps previously unknown bugs under wraps for 180 days after informing the vendor, giving the vendor enough time to develop a patch.
Despite confirming the vulnerability in February, Microsoft has failed to include a fix for the flaw in any of the three Patch Tuesdays that have passed since then.
IE 8’s 20.85 percent market share makes it the most widely used browser version in the world, according to Net Market Share figures. On Windows machines, IE 8 accounts for 27 percent of all browsers installed.
Released in 2009, IE 8 was the newest version of IE to run on Windows XP, the operating system for which Microsoft recently cut off support. The browser is also supported on Vista, Windows 7, and Windows Server 2003, 2008 and 2008 R2.
Press has asked Microsoft whether it will be providing a security fix for the bug and will update the story if it receives an answer. However, a Microsoft spokesperson told ZDNet’s sister site CNET that it had not seen the bug being actively exploited.
The latest security flaw affecting Microsoft’s browser follows a serious bug revealed in April that affected all versions of IE, prompting warnings from some governments to use Chrome or Firefox until Microsoft delivered a fix. Microsoft fixed that bug fairly swiftly in May, and provided a patch for XP despite officially no longer supporting the OS.
Source: Associated Press