In October, HP Tipping Point's Zero Day Initiative notified Microsoft of a use-after-free vulnerability in Internet Explorer 8 that could potentially allow remote code execution by an attacker. According to ZDI, Microsoft confirmed that the reproduced the bug in February, but took no action. ZDI's policy is to disclose unpatched vulnerabilities 180 days after vendor notification, although they waited almost two additional months before disclosing this week.
The Register contacted Microsoft and confirmed that this vulnerability will not be patched
Instead of a patch, Redmond released work-arounds suggesting users harden IE 8 security by changing settings to block and alert use of ActiveX Controls and Active Scripting, and install its Enhanced Mitigation Experience Toolkit (EMET) which makes exploitation of Windows boxes more difficult and expensive.
That is essentially the same advice we gave to the last IE zero day in April, along with the recommendations to get off of XP, and use a different default browser on XP until you do.
It's hard to blame Microsoft. IE8 is the last version supported on XP, but it's three releases out of date an supported platforms. It's time for users to upgrade.