After seven months and no Microsoft patch, Internet Explorer 8 vulnerability is revealed

Summary: Microsoft has failed to address a remotely exploitable security flaw affecting the most widely used version of Internet Explorer.


Microsoft has failed to deliver a fix for a remotely exploitable flaw in Internet Explorer 8, despite being informed of the vulnerability in October 2013.

The bug in Microsoft's browser, discovered by Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte, can be exploited if a user opens a link to a malicious web page (known as a drive-by download) or opens a booby-trapped email attachment.

Details of the bug were disclosed by HP's TippingPoint Zero-Day Initiative (ZDI), which offers rewards to researchers for reporting bugs. When flaws are found, ZDI handles disclosure to the vendor and, as per its policy, keeps previously unknown bugs under wraps for 180 days after informing the vendor, giving the vendor enough time to develop a patch.

Despite confirming the vulnerability in February, Microsoft has failed to include a fix for the flaw in any of the three Patch Tuesdays that have passed since then.

IE 8's 20.85 percent market share makes it the most widely used browser version in the world, according to Net Market Share figures. On Windows machines, IE 8 accounts for 27 percent of all browsers installed.

Released in 2009, it was the newest version of IE to run on Windows XP, the operating system Microsoft recently cut off support for. The browser is also supported on Vista, Windows 7, and Windows Server 2003, 2008 and 2008 R2.

ZDNet has asked Microsoft whether it will be providing a security fix for the bug and will update the story if it receives an answer. However, a Microsoft spokesperson told ZDNet's sister site CNET that it had not seen the bug being actively exploited.

According to ZDI's technical description, the bug exists within the handling of JavaScript in "CMarkup objects".

"The allocation initially happens within CMarkup::CreateInitialMarkup. The [use after] free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process."

A similar "use-after-free" vulnerability in CMarkup's JavaScript handling was discovered by security vendors this February; it only affected IE 9 and IE 10 but was being exploited in targeted attacks. According to security vendor FireEye, an exploit for the bug was being served from the US Veterans of Foreign Wars' website, in an attack FireEye believed was aimed at US military personnel. Microsoft fixed that bug in its March Patch Tuesday.

The latest security flaw affecting Microsoft's browser follows a serious bug revealed in April that affected all versions of IE, prompting warnings from some governments to use Chrome or Firefox until Microsoft delivered a fix. Microsoft fixed that bug fairly swiftly in May, and provided a patch for XP despite officially no longer supporting the OS.

Update at 2:00pm ET: A Microsoft spokesperson said in an emailed statement to ZDNet that it was aware of the publicly disclosed issue and the company has not detected any incidents affecting its customers. 

The spokesperson added:

"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections."

Topics: Security, Browser, Microsoft

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • The Final Solution

    For IE is for Microsoft to release a kill switch patch that permanently kills it. Then they should fire the entire IE team. Just give up already... let FF and Chrome take the heat.
    • It's 3 versions old.

      Are you seriously saying that every open source project patches every bug going back three versions? Give us a break.
      • Few open source projects aren't sitting on billions of dollars U.S. of cash

        If Microsoft is incapable of properly maintaining older software releases, in this case Internet Explorer 8, then it should end support and automatically upgrade users' systems to a more recent version of the software in question.

        P.S. There were three (3) supported versions of OpenSSL and only the most recent was subject to the Heartbleed vulnerability.
        Rabid Howler Monkey
        • Few open source projects *are* sitting on billions of dollars U.S. of cash

          Please note the subject modification.
          Rabid Howler Monkey
        • As far as SSL

          That bug was due to a last minute modification to support a new feature, as I understand it. It therefore didn't exist 3 major versions back, and so isn't a fair comparison other than being a cautionary tale about blindly jumping on the "next great thing".
          • Your post implied that open source software

            does not provide support for multiple versions. This is simply not true.

            If the Heartbleed vulnerability would have been present in all three (3) OpenSSL versions, every one of them would have been promptly patched. It would not have taken over seven (7) months as in this most recent IE example.

            As an additional open source example, the Linux kernel project supports multiple kernel versions. And they all get patched if the vulnerability touches the oldest among them. Distros such as RHEL and SUSE Linux backport patches to older kernel versions no longer supported by the Linux kernel project.
            Rabid Howler Monkey
          • Linux

            And when Linux has a marketshare on personal computers beyond 1%, that will be a valid argument.
          • Thanks, alissa914, for your support

            According to hitlinks, the GNU/Linux desktop broke through 1% marketshare sometime before May, 2012:


            And according to statcounter, the GNU/Linux desktop broke through 1% marketshare in April, 2013.

            Thus, my argument is valid. Woo-hoo!!!
            Rabid Howler Monkey
    • No they shouldn't

      Why should they give up when their current browser is better than the others in some aspects?
      Michael Alan Goff
      • because

        Then all the bugs reported will be on FF and Chrome and twits will see reality.
    • Chrome - the most insecure browser on the market.

      Chrome had more CVE security exploits in 2012 than all MS products combined. Chrome was at the top of the list last year, and FF was not far behind. And neither work well for most apps in a corporate environment.
      • 2013 most vulnerable systems & software: It's not just Internet Explorer

        “When it boils down to browsers, Internet Explorer was extremely vulnerable in the same manner as Java -- but Google Chrome was the third most vulnerable piece of software in 2013, increasing its vulnerability rating by 43 points. Mozilla's Firefox, however, did rather well last year, bringing down its number of vulnerabilities to 149”
  • So much for that "proprietary software is more secure" crap.

    Took them almost 7 months to patch after being told about it.

    Wonder how long that was in the code before being reported...
    • no Software is secure

      because Software Engineering has never seriously addressed the Software Development tools. There are many known vulnerabilities that could be eliminated completely if appropriate steps were taken in the compilers. If vulnerability analytics were used and folded back into tools, further advancements could be made rapidly. It's an industry travesty that this situation perpetuates as it does. Frankly, it's professional negligence.

      FOSS or OSS is no more secure than any other and anyone who says it is, is a liar.
      • Real Issue

        The real issue is MS has known about it for over 6 months and apparently has done nothing to fix it.
        • It's patched.

          You just need to download the patch called ie9 or greater
          • Wow, voted up?

            How about for Windows Server 2003, ace?
            Rabid Howler Monkey
          • Why

            Why are you browsing on a server OS? That should be locked down to local pages only.
            Rann Xeroxx
          • Now now...

            ...there's absolutely ZERO cause for the use of logic in this argument, this is an emotionally charged issue and therefore all responses and suggestions must be equally emotional and foolish in nature. ;)
          • Polly wolly doodle all the day

            Do you have any pearls of wisdom to contribute to this discussion?
            Rabid Howler Monkey