Internet Explorer Zero-Day Flaw Discovered in 2013 Remains Unpatched By Microsoft



This is the second time in a one-month period that a vulnerability in Microsoft's Internet Explorer has been exposed. The first one was announced in April, with Microsoft being quick to admit the problem. The company even shared emergency measures that users can take while waiting for the patch to be released officially. That's over and done with, but yesterday, Zero Day Initiative released details of another Internet Explorer flaw.


 


According to the announcement of Zero Day Initiative, they first heard of the vulnerability back in October of 2013. It was discovered by Belgian researcher Peter Van Eeckhoutte. The Initiative then immediately alerted Microsoft about the issue.


 




 


By practice, the Initiative does not release such information to the public for about six months after informing the concerned party. This is to give the latter time to release a patch to address the issue.


 


Since it's been a while since the Internet Explorer vulnerability has been pointed out to Microsoft, the Initiative gave the company notice on May 8 that they would announce the details to the public. It's now been weeks since, and still nothing from Microsoft, so now we know. (Maybe Microsoft was too busy with the Surface Pro 3.)


 


Specifically, the vulnerability affects Internet Explorer 8, and "allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."


It is rather surprising that Microsoft has not done anything since they were informed of the flaw, especially considering that Internet Explorer 8 still has 20.85% share of the browser market. This is according to Net Market Share's April report.


 


If you're using IE 8, just be extra careful about the sites you visit, as the vulnerability requires the user to visit a page designed to take advantage of the flaw. Every link you receive - via email, chat message, or whatever - make sure you trust the source. Else, you just might become a victim of this flaw.


 


Source: http://news.filehippo.com/2014/05/another-internet-explorer-zero-day-flaw-exposed/



:rolleyes:

 

On the front page a week ago https://www.neowin.net/news/microsoft-has-yet-to-fix-a-known-ie8-zero-day-exploit-after-seven-months

 

And for the umpteenth time, this isn't a zero-day attack. Zero-day attacks are vulnerabilities being exploited before said vulnerability is known to the programmers. This is the opposite - the vulnerability is known, but there are currently no known attacks taking place.


Irrelevant, support lifecycle for IE is inherited from whatever OS it's running on and the issue should be fixed.

All currently supported versions of the operating systems have newer versions of the browser available, never mind a fair number of sites are dropping support for it as well. Unless you have some sort of corporate intranet site that requires it, no real reason to be even using it anymore. If you're still on XP, well, IE8's dead, switch to another browser, while you still can.

 

When will people learn to use a real browser

Which real browser is it that hasn't had vulnerabilities? I'm game to switch to it, hell even Lynx has had code execution vulnerabilities.

All currently supported versions of the operating systems have newer versions of the browser available, never mind a fair number of sites are dropping support for it as well. Unless you have some sort of corporate intranet site that requires it, no real reason to be even using it anymore. If you're still on XP, well, IE8's dead, switch to another browser, while you still can.

And as I said above, that's totally irrelevant. 


And as I said above, that's totally irrelevant.

It's completely relevant as there's no good reason to actually be using it anymore when they've updated it multiple times and major web sites are dropping support for it. And after all that, if you read their report, it lists multiple ways to counter the issue, never mind the report clearly says it still requires user interaction to get the thing to work in the first place... you know, the common sense stuff that's been drilled into people's heads for years, patches can't cure that.
