After seven months and no Microsoft patch, Internet Explorer 8 vulnerability is revealed

Microsoft has failed to address a remotely exploitable security flaw affecting the most widely used version of Internet Explorer.
Written by Liam Tung, Contributing Writer

Microsoft has failed to deliver a fix for a remotely exploitable flaw in Internet Explorer 8, despite being informed of the vulnerability in October 2013.

The bug in Microsoft's browser, discovered by Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte, can be exploited if a user opens a link to a malicious web page (known as a drive-by download) or by opening a booby-trapped email attachment.

Details of the bug were disclosed by HP's Tipping Point Zero-Day Initiative (ZDI), which offers rewards to researchers for reporting bugs. When flaws are found, ZDI handles disclosure to the vendor and, as per its policy, keeps previously-unknown bugs under wraps for 180 days after informing the vendor, given the vendor enough time to develop a patch.

Despite confirming the vulnerability in February, Microsoft has failed to include a fix for the flaw in any of the three Patch Tuesdays that have passed since then.

IE 8's 20.85 percent market share makes it the most widely used browser version in the world, according to Net Market Share figures. On Windows machines, IE 8 accounts for 27 percent of all browsers installed.

Released in 2009, it was the newest version of IE to run on Windows XP, the operating system Microsoft recently cut off support for. The browser is also supported on Vista, Windows 7, and Windows Server 2003, 2008 and 2008 R2.

ZDNet has asked Microsoft whether it will be providing a security fix for the bug and will update the story if it receives an answer. However, a Microsoft spokesperson told ZDNet's sister site CNET that it had not seen the bug being actively exploited.

According to ZDI's technical description, the bug exists within the handling of JavaScript in "CMarkup objects".

"The allocation initially happens within CMarkup::CreateInitialMarkup. The [use after] free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process."

A similar "use-after-free" vulnerability in the CMarkup handled JavaScript was discovered by security vendors this February, which only affected IE 9 and IE 10 but was being exploited in targeted attacks. According to security vendor FireEye, an exploit for the bug was being served from the US Veterans of Foreign Wars' website, which it believed was aimed at US military personnel. Microsoft fixed that bug in its March Patch Tuesday.

The latest security flaw affecting Microsoft's browser follows a serious bug revealed in April that affected all versions of IE, prompting warnings from some governments to use Chrome or Firefox until Microsoft delivered a fix. Microsoft fixed that bug fairly swiftly in May, and provided a patch for XP despite officially no longer supporting the OS.

Update at 2:00pm ET: A Microsoft spokesperson said in an emailed statement to ZDNet that it was aware of the publicly disclosed issue and the company has not detected any incidents affecting its customers. 

The spokesperson added:

"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections."

Read more in Internet Explorer

Editorial standards