HP's Zero Day Initiative (ZDI) publicly disclosed a zero-day flaw in Internet Explorer 8 after 180 days passed and Microsoft chose not to issue a patch. According to the ZDI advisory, the "use after free" flaw could be exploited if an attacker tricked a victim into visiting a tainted website, such as by clicking a link in an email or instant message, or by opening an emailed attachment. Then an attacker could gain the same user rights on the PC as the victim.
This is the second known zero-day aimed at IE since Microsoft stopped supporting Windows XP. Surprisingly, Microsoft relented and patched the first critical hole for all supported versions of IE, including IE 8 for XP. Don't expect an emergency patch this time.
Microsoft's "end of life" clearly notes that Internet Explorer 8 is tied to its parent major product. That "parent" is Windows XP. Microsoft warned, "If your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats."
While that might be the reason why Microsoft will not patch this zero-day, the company has known about it since October 2013 when both XP and IE 8 were very much alive and still supported. ZDI shows a timeline going back seven months to when Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte disclosed the vulnerability to Microsoft. However, Microsoft failed to confirm it could reproduce the flaw until February.
"We build and thoroughly test every security fix as quickly as possible," said a Microsoft spokesperson. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations."
Since this zero-day is surely not so difficult to patch that Microsoft couldn't figure it out in over six months, the company was likely waiting until XP and IE 8 were no longer supported...all the more reason to again push users to get off XP machines.
Currently, Internet Explorer 8 has the largest market share of any IE browser version, and at 20.85% it has the largest share of any web browser at all.
According to W3Schools, actual browser use tells a different story as of April 2014: only 9.4% of users run any version of IE at all, and just 2.4% are on IE 8. If those are accurate worldwide stats, then almost no one likes or uses IE and maybe Microsoft should consider completely dropping Internet Explorer.
Sure, Microsoft claims this zero-day is not actively being exploited...but if you read the company's security bulletins then you know it often patches while claiming a vulnerability is not actively being exploited in the wild.
Both Microsoft and Carnegie Mellon CERT say the solution is as easy as upgrading to IE 11. If users are stuck on a box that can't be upgraded, as in still running XP, then here are a couple of workarounds:
- Set Internet Explorer 8 security zone settings to "High," so ActiveX Controls and Active Scripting will be blocked.
- Configure IE 8 to prompt before running Active Scripting.
- Install and use EMET, the Enhanced Mitigation Experience Toolkit.
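The zone-hardening workarounds above are normally clicked through in Internet Options, which makes them hard to verify across a fleet of machines that still have to run IE 8. The following PowerShell audit script is an added example, not code from the article, Microsoft or CERT. It assumes the registry layout Microsoft documents for IE security zones (zone 3 is the Internet zone; value `1200` is "Run ActiveX controls and plug-ins", value `1400` is "Active scripting", with 0 = Enable, 1 = Prompt, 3 = Disable; `CurrentLevel` 0x12000 is "High"), and it looks for EMET only by matching an installed-program display name, which is an assumption about how EMET registers itself. It reports each setting as OK or WEAK against the advisory's recommendation and leaves the hardening commands commented out so the audit itself changes nothing.

```powershell
# Added example (not from the article): audit the IE "Internet" zone (zone 3) for the
# hardening described above. Registry paths and value names are the ones Microsoft
# documents for IE security zones; their meanings are assumptions from that documentation.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Per the workarounds: ActiveX must be disabled; Active scripting should prompt or be disabled.
$checks = [ordered]@{
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins'; Ok = @(3) }
    '1400' = @{ Name = 'Active scripting';                  Ok = @(1, 3) }
}

$props = Get-ItemProperty -Path $zone -ErrorAction Stop

# CurrentLevel 0x12000 is the "High" template for the zone.
$level = [int]$props.CurrentLevel
$levelState = if ($level -eq 0x12000) { 'High (OK)' } else { 'not High (WEAK)' }
Write-Host ("Internet zone CurrentLevel = 0x{0:X}  {1}" -f $level, $levelState)

foreach ($key in $checks.Keys) {
    $val = $props.$key
    $state = switch ($val) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown($val)" } }
    $verdict = if ($checks[$key].Ok -contains $val) { 'OK' } else { 'WEAK' }
    Write-Host ("{0,-40} {1,-10} {2}" -f $checks[$key].Name, $state, $verdict)
}

# EMET presence: assumed to appear under the standard Uninstall key with a display name
# beginning "EMET"; adjust the pattern if your deployment registers it differently.
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
$emet = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' }
if ($emet) { Write-Host ("EMET installed: {0}" -f ($emet.DisplayName -join ', ')) }
else       { Write-Host 'EMET not found (WEAK)' }

# Remediation (per-user; IE re-reads the zone on next start). Uncomment to apply.
# Set-ItemProperty -Path $zone -Name CurrentLevel -Value 0x12000 -Type DWord
# Set-ItemProperty -Path $zone -Name 1200 -Value 3 -Type DWord   # block ActiveX
# Set-ItemProperty -Path $zone -Name 1400 -Value 1 -Type DWord   # prompt for Active scripting
```

Run it under the account whose IE profile you care about, since the zone settings live in HKCU; on a managed domain the same values are usually pushed through Group Policy, in which case the audit shows the effective setting and the remediation lines should not be used.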