Microsoft Subnet An independent Microsoft community View more

Microsoft knew about 'new' Internet Explorer zero-day for 7 months but won't patch

Zero Day Initiative disclosed details about an IE 8 zero-day hole that Microsoft chose not to patch before ending Windows XP support.

HP's Zero Day Initiative (ZDI) publicly disclosed a zero-day flaw in Internet Explorer 8 after 180 days passed and Microsoft chose not to issue a patch. According to the ZDI advisory, the "use after free" flaw could be exploited if an attacker tricked a victim into visiting a tainted website, such as by clicking a link in an email or instant message, or by opening an emailed attachment. Then an attacker could gain the same user rights on the PC as the victim.

This is the second known zero-day aimed at IE since Microsoft stopped supporting Windows XP. Surprisingly Microsoft relented and patched the first critical hole for all supported versions of IE, including IE 8 for XP. Don't expect an emergency patch this time.

Microsoft's "end of life" clearly notes that Internet Explorer 8 is tied to its parent major product. That "parent" is Windows XP. Microsoft warned, "If your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats."

While that might be the reason why Microsoft will not patch this zero-day, the company has known about it since October 2013 when both XP and IE 8 were very much alive and still supported. ZDI shows a timeline going back seven months to when Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte disclosed the vulnerability to Microsoft. However, Microsoft failed to confirm it could reproduce the flaw until February.

"We build and thoroughly test every security fix as quickly as possible," said a Microsoft spokesperson. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations."

Being that this zero-day is surely not so difficult to patch that Microsoft couldn't figure it out for over six months, the company was likely waiting until XP and IE 8 were no longer supported...all the more reason to again push users to get off XP machines.

Currently, Internet Explorer 8 has the largest market share of any IE browser version, and at 20.85% it has the largest share of any web browser at all.

According to W3Schools, actual browser use shows a different story as of April 2014; only 9.4% of any IE version at all is used and 2.4% are using IE 8. If those are accurate worldwide stats, then almost no one likes or uses IE and maybe Microsoft should consider completely dropping Internet Explorer.

Sure, Microsoft claims this zero-day is not actively being exploited...but if you read the company's security bulletins then you know it often patches while claiming a vulnerability is not actively being exploited in the wild.

Both Microsoft and Carnegie Mellon CERT say the solution is as easy as upgrading to IE 11. If users are stuck on a box that can't be upgraded, as in still running XP, then here are a couple of workarounds: Set Internet Explorer 8 security zone settings to "High," so ActiveX Controls and Active Scripting will be blocked. Configure IE 8 to prompt before running Active Scripting. Install and use EMET, the Enhanced Mitigation Experience Toolkit.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies