Microsoft has failed to deliver a fix for a remotely exploitable flaw in Internet Explorer 8, despite being informed of the vulnerability in October 2013.
The bug in Microsoft's browser, discovered by Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte, can be exploited if a user opens a link to a malicious web page (known as a drive-by download) or opens a booby-trapped email attachment.
Details of the bug were disclosed by HP's TippingPoint Zero Day Initiative (ZDI), which offers rewards to researchers for reporting bugs. When flaws are found, ZDI handles disclosure to the vendor and, as per its policy, keeps previously unknown bugs under wraps for 180 days after informing the vendor, giving the vendor enough time to develop a patch.
Despite confirming the vulnerability in February, Microsoft has failed to include a fix for the flaw in any of the three Patch Tuesdays that have passed since then.
IE 8's 20.85 percent market share makes it the most widely used browser version in the world, according to Net Market Share figures. On Windows machines, IE 8 accounts for 27 percent of all browsers installed.
Released in 2009, it was the newest version of IE to run on Windows XP, the operating system Microsoft recently cut off support for. The browser is also supported on Vista, Windows 7, and Windows Server 2003, 2008 and 2008 R2.
ZDNet has asked Microsoft whether it will be providing a security fix for the bug and will update the story if it receives an answer. However, a Microsoft spokesperson told ZDNet's sister site CNET that it had not seen the bug being actively exploited.
The latest security flaw affecting Microsoft's browser follows a serious bug revealed in April that affected all versions of IE, prompting warnings from some governments to use Chrome or Firefox until Microsoft delivered a fix. Microsoft fixed that bug fairly swiftly in May, and provided a patch for XP despite officially no longer supporting the OS.
Update at 2:00pm ET: A Microsoft spokesperson said in an emailed statement to ZDNet that it was aware of the publicly disclosed issue and the company has not detected any incidents affecting its customers.
The spokesperson added:
"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections."