Microsoft has yet to fix a known IE8 zero-day exploit after seven months

Internet Explorer 8 is still the world's most used web browser, according to Net Applications. Now there's word of a zero-day exploit that was found in IE8 seven months ago, but so far it has yet to be addressed by Microsoft in any of its recent updates for the browser.

The security hole was revealed publicly this week by the Zero-Day Initiative. It says that the flaw will allow hackers "to execute arbitrary code" in the browser if users surf to an infected website or open a file designed to take advantage of the exploit.

Microsoft was informed about the zero-day flaw in October 2013 but has yet to close the security hole. CNET got a statement from a Microsoft spokesperson who said there is no evidence of the flaw being used out in the wild. The spokesperson added:

We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations.

There's no word yet on when Microsoft will issue a patch to close the hole in IE8. Currently, Net Applications says that IE8 is being used by 21.14 percent of the world's web browser users.

Source: Zero-Day Initiative and CNET | Image via Microsoft


You have to remember, this is John Callaham. He will sensationalize anything that makes Microsoft look bad. I still can't understand why they let him write so many anti-Microsoft articles.

link8506 said,

+1

Furthermore, it is very common for security flaws to take months to be patched when they are not being exploited in the wild.

Typically, Apple takes more than a year to patch flaws in Safari after they have been patched in Chrome.

Even Google and Mozilla often take between 3 and 10 months to fix critical flaws (unless these flaws come from the Pwn2Own contest, in which case they are patched very quickly to give the impression that every flaw is patched within 24h of its discovery, which is basically just a marketing move).

So there is nothing newsworthy here. Every big browser maker is slow at patching flaws when there is no exploit in the wild.

Citation?

Mozilla patches pretty quickly and 6 weeks is the longest unless hackers are using it in the wild.

Google is even more aggressive and regularly updates Chrome even between versions to cover patches.

JonathanMarston said,
This is not a zero-day vulnerability. A zero-day vulnerability is one that is being exploited in the wild prior to being publicly known. This one is publicly known, and there are no known exploits. Therefore it's just a plain old fashioned known vulnerability.

Nice job with the sensationalist article though. Page views down this month?

You're confusing an attack with a vulnerability. Zero-day means different things to different people, but in general it means something that's not patched yet.

"A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a "zero-day exploit"."
http://en.wikipedia.org/wiki/Zero-day_attack

And yes, this is news because MS has known about this since OCT 2013 and hasn't patched it.

Why is this even an article, about a browser that's 3 versions behind the present one? John, how about writing about your precious Apple iPhone's iMessage fiasco? No, that would never happen, right?

Because it's NeoWIN, a Windows centric website and people bitch if there's too much Apple news. Damned if you do, damned if you don't.

I agree, it should be more about Windows news. But we should have less Microsoft-bashing articles about a vulnerability that's incorrectly labeled (Zero-Day? JC has no idea what that means obviously), and is from a writer that frequently puts a negative spin on anything about Microsoft.

devHead said,
I agree, it should be more about Windows news. But we should have less Microsoft-bashing articles about a vulnerability that's incorrectly labeled (Zero-Day? JC has no idea what that means obviously), and is from a writer that frequently puts a negative spin on anything about Microsoft.

Because MS deserves it. Especially after IE 6. I know this is a pro-MS website; however, IE is not one of their fine products. Saying "we are sorry we screwed up, here is IE 9, see, we are standards compliant and secure now! See, we support 1998 CSS 2.1 and are up to 2008 Chrome 1 and FF 3.5" and taking up to a month to close holes when competitors do it within days to weeks is inexcusable!

Business relies on IE 8 for credit cards, HIPAA, and other sensitive data.

Yes, it is bashed, and ask a webmaster what they think of IE if you don't believe me. It's late to the party, and this is the 3rd exploit where MS knew and didn't fix.

devHead said,
I agree, it should be more about Windows news. But we should have less Microsoft-bashing articles about a vulnerability that's incorrectly labeled (Zero-Day? JC has no idea what that means obviously), and is from a writer that frequently puts a negative spin on anything about Microsoft.

We used to have these articles all the time. Remember when Mozilla was a champion at bug fixing and Microsoft waited... and waited... and waited... and waited....? Things have gotten a lot better, but they don't continue getting better if we close our lips and say, "Yeah, we're okay with complacency."

Also, what about all the articles where he gives them praise or that are neutral? Or are we going to just disregard those articles? I'm lost because it seems like you guys just want to hate on him whenever it suits you. Be consistent or maybe start submitting news you want to see.

This is a browser that is 3 versions old. How many versions back does Mozilla or Google or Apple support patches for their older browsers, esp. when there are no active exploits?

Been testing IE 11 at work and so far if a site does not work in it, the enhanced Compatibility View has fixed every problem. Java compatibility is far harder to fix, mostly you just have to point the older URL to an older Java runtime via rules sets but that is vulnerable to DNS spoofing.

Yet another reason not to use IE until Microsoft takes security more seriously. Chrome supports low-rights mode, where even access to the file system is prohibited, and sandboxing.

sinetheo said,
Yet another reason not to use IE until Microsoft takes security more seriously. Chrome supports low-rights mode, where even access to the file system is prohibited, and sandboxing.

You know a lot of programs use Trident (IE's rendering engine) to work, even if you don't use IE and stay on one outdated IE?

sinetheo said,
Yet another reason not to use IE until Microsoft takes security more seriously. Chrome supports low-rights mode, where even access to the file system is prohibited, and sandboxing.

What did the Chrome browser 3 versions back support?

Today all the latest browsers (well, maybe not Safari) are about equally secure. And if you want you can install EMET to mitigate security issues with all versions of IE.

Max Norris said,
This is why people shouldn't use software that's three versions out of date, be it their browser or their OS.

XP users don't have a choice thanks to Microsoft's decision to abandon IE on older OSes. Besides, IE zero-day exploits don't just target older versions. Many of them have targeted all the popular versions, including Windows 8.

Rann Xeroxx said,

Should someone use FireFox that is 3 versions old?

Why would they? It's not as if Mozilla abandons users like Microsoft does with IE.

simplezz said,
XP users don't have a choice thanks to Microsoft's decision to abandon IE on older OSes. Besides, IE zero-day exploits don't just target older versions. Many of them have targeted all the popular versions, including Windows 8.

They've retired IE 8 on XP, as well as XP itself. It's just as bad as sticking with Firefox 3 on Ubuntu 7.10. Don't have high expectations of having exploits patched. Stick with a dead browser on a dead platform, and you'd better be ready to deal with the consequences.

simplezz said,
Besides, IE zero-day exploits don't just target older versions. Many of them have targeted all the popular versions, including Windows 8.

And when found, they do get patched, if the browser is still actively supported and not dead. Just like any other browser when it gets exploits... I wouldn't expect an old version of Chrome, Firefox, etc. to get patched either ;)

For those being smart saying "who uses IE8 anymore" or "Never use IE", you have to realize that us tech heads make up a very, very small amount of the computer users out there, and the majority of people just click the blue e to get on the internet.
The fact this hasn't been patched yet is a bit worrying, but I'll take MSFT's word that it isn't being used in the wild.
I personally still think it should have been patched before XP went EOL, but that's just me!

Riggers said,
For those being smart saying "who uses IE8 anymore" or "Never use IE", you have to realize that us tech heads make up a very, very small amount of the computer users out there, and the majority of people just click the blue e to get on the internet.
The fact this hasn't been patched yet is a bit worrying, but I'll take MSFT's word that it isn't being used in the wild.
I personally still think it should have been patched before XP went EOL, but that's just me!

"For those being smart saying "who uses IE8 anymore" or "Never use IE", you have to realize that us tech heads make up a very, very small amount of the computer users out there, and the majority of people just click the blue e to get on the internet."

^
This exactly!

If you are a company and still on something older than IE9, you are not investing properly in your IT department. Upgrading to 9 is far less painful than previous IE updates and you can run some sites in compatibility mode if need be (but really this just allows app owners slack and they will never update their software or replace it, better off not allowing it).

If you are an individual, there is no reason to be using an older version of IE (and no reason to use XP BTW). Heck, move to Linux if you can't afford a new $250 laptop to upgrade everything. Running Chrome on XP is just a stop gap as the OS is wide open for attack.

But with that said, I don't fault MS for not patching this, as I think they should put their resources where they are needed and fix it if it becomes an issue. What I fault MS on is tying versions of IE to the OS. Why can't XP install IE9? Why can't W7 install IE10 (oddly, they can install 11)? Separate whatever it is that is buried in the OS from the browser and let the browser stand on its own. Better yet, start making IE for Mac OS and Linux again. Truly be a new Microsoft.