Seven Month Old IE8 Zero Day Disclosed (And It Won't Be Patched)
In October, HP TippingPoint's Zero Day Initiative (ZDI) notified Microsoft of a use-after-free vulnerability in Internet Explorer 8 that could potentially allow remote code execution by an attacker. According to ZDI, Microsoft confirmed in February that it had reproduced the bug, but took no action. ZDI's policy is to disclose unpatched vulnerabilities 180 days after vendor notification, although it waited almost two additional months before disclosing this one this week.
The Register contacted Microsoft and confirmed that this vulnerability will not be patched.
Instead of a patch, Redmond released work-arounds suggesting users harden IE 8 by changing its security zone settings to block, or prompt before running, ActiveX Controls and Active Scripting, and install its Enhanced Mitigation Experience Toolkit (EMET), which makes exploitation of Windows boxes more difficult and expensive.
That is essentially the same advice we gave for the last IE zero day in April, along with the recommendations to get off XP and, until you do, use a different default browser on it.
It's hard to blame Microsoft. IE8 is the last version supported on XP, but on supported platforms it's three releases out of date. It's time for users to upgrade.
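The zone hardening in Microsoft's work-around can be audited and applied from PowerShell using the documented per-zone registry actions (1200 = run ActiveX controls and plug-ins, 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable). This is an added example, not code from the original post or from Microsoft's advisory; the chosen policy (Internet zone disabled, Local intranet prompt) and the `-Apply` switch are this example's own assumptions.

```powershell
param([switch]$Apply)   # without -Apply the script only audits

# Per-user IE zone settings. Zone 1 = Local intranet, Zone 3 = Internet.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Documented action ids and their meaning in the IE security zone UI.
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
# Assumed target policy for this example: Internet -> Disable (3), Local intranet -> Prompt (1).
$Desired  = @{ 3 = 3; 1 = 1 }

function Get-IEZoneAction {
    param([int]$Zone, [string]$Action)
    $key  = Join-Path $ZonesKey $Zone
    $prop = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }   # no explicit value: zone falls back to its template
    return [int]$prop.$Action
}

function Set-IEZoneAction {
    param([int]$Zone, [string]$Action, [int]$Value)
    $key = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Action -Value $Value -Type DWord
}

# Audit each zone/action pair; a higher value is stricter (0 enable < 1 prompt < 3 disable).
foreach ($zone in $Desired.Keys) {
    foreach ($action in $Actions.Keys) {
        $current = Get-IEZoneAction -Zone $zone -Action $action
        $label   = "Zone $zone / $($Actions[$action])"
        if ($null -eq $current -or $current -lt $Desired[$zone]) {
            Write-Warning "$label is '$current'; expected $($Desired[$zone]) or stricter"
            if ($Apply) {
                Set-IEZoneAction -Zone $zone -Action $action -Value $Desired[$zone]
                Write-Host "$label set to $($Desired[$zone])"
            }
        } else {
            Write-Host "$label OK ($current)"
        }
    }
}
```

If the machine sets `Security_HKLM_only` under the HKLM `Internet Settings` key, IE ignores these per-user values and the equivalent HKLM zone keys must be edited instead.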
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.