Microsoft Lets Zero-day Exploit Linger for Seven Months

Microsoft has reportedly known about the IE 8 flaw for about seven months

Microsoft officials are at work on a patch for an Internet Explorer 8 zero-day vulnerability that the Zero Day Initiative (ZDI) disclosed this week. Microsoft has reportedly known about the flaw for about seven months, potentially leaving millions of users exposed in the interim.

The vulnerability lies in IE 8's handling of CMarkup objects and allows a remote attacker to execute arbitrary code once the target visits a malicious page or opens a malicious file. Exploit code runs in the context of the logged-in user, so an attacker who successfully exploits the flaw gains the same rights as the current user.

Researcher Peter Van Eeckhoutte of Corelan originally discovered the vulnerability, and ZDI reported it to Microsoft last October. The vendor acknowledged the report at the time but did not ship a patch, prompting ZDI to publish a public advisory.

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer, then convince a user to view the site through social engineering, for instance via an email or chat message. An attacker could also take advantage of compromised websites, or of websites that accept or host user-provided content or advertisements, by seeding them with specially crafted content that triggers the flaw.

A Microsoft spokesperson confirmed that it’s working on a fix for the vulnerability:

“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers.”

In terms of mitigations in the meantime: the flaw affects only IE 8, so on any Windows version that supports a newer release, upgrading the browser is a no-brainer. IE 8 is, however, the last version supported on Windows XP, for which Microsoft no longer issues security updates. XP users therefore have no fix to look forward to and should upgrade their operating system entirely.

Users whose accounts are configured with fewer rights on the system are less exposed than those who browse with administrative rights, since exploit code runs with the privileges of the current user. In addition, by default, all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open HTML email messages in the "restricted sites" zone, which disables script and ActiveX controls and so reduces the risk of an attacker using the vulnerability to execute malicious code through email. That zone setting covers the HTML-email vector only: a link in the message that is opened in the browser is still rendered in the Internet zone and remains subject to the web-based attack scenario.
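As an added example that is not part of the original article, the following PowerShell script checks a Windows host against the three interim mitigations described above: which IE version is installed (and whether the host is XP, where no upgrade path exists), whether the current session runs with administrative rights, and whether the Restricted sites zone still disables active scripting and ActiveX. The registry paths and value names are documented Internet Explorer settings; the pass/fail logic and the report layout are this example's own assumptions, not Microsoft guidance.

```powershell
# Added example (not from the article or from Microsoft): inventory check for the
# interim mitigations discussed above. Assumes PowerShell 2.0 or later so that it
# also runs on Windows XP.

function Get-IEVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    # IE 10 and later record the real version in svcVersion; 'Version' stays at 9.x.
    if ($ie.svcVersion) { return $ie.svcVersion }
    return $ie.Version
}

function Test-RestrictedZoneBlocks {
    # Zone 4 is "Restricted sites". Value 1200 = "Run ActiveX controls and
    # plug-ins", 1400 = "Active scripting"; 3 = Disable, 1 = Prompt, 0 = Enable.
    # Per-user settings live under HKCU. A domain policy can force the HKLM copy
    # (Security_HKLM_only); that override is not evaluated here (assumption).
    $zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
    return (($zone.'1200' -eq 3) -and ($zone.'1400' -eq 3))
}

function Test-IsAdmin {
    # True when the current token is in the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IE8MitigationReport {
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    $ieVersion = Get-IEVersion
    $ieMajor   = [int]($ieVersion.Split('.')[0])
    # 32-bit Windows XP reports NT version 5.1; IE 8 is the last IE release for it.
    $isXP      = ($os.Version -like '5.1*')

    New-Object PSObject -Property @{
        Host                 = $env:COMPUTERNAME
        OS                   = $os.Caption
        IEVersion            = $ieVersion
        AffectedIE8          = ($ieMajor -eq 8)
        BrowserUpgradeAvail  = ($ieMajor -eq 8 -and -not $isXP)
        OSUpgradeRequired    = ($ieMajor -eq 8 -and $isXP)
        RunningAsAdmin       = (Test-IsAdmin)
        RestrictedZoneBlocks = (Test-RestrictedZoneBlocks)
    }
}

Get-IE8MitigationReport | Format-List
```

Run it under the account that actually browses, not an elevated admin console, since both the zone values and the admin check are read from that user's context. A host reporting AffectedIE8 true with OSUpgradeRequired true is the case the article describes as having no fix to wait for.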

IE has had a busy stretch lately: Microsoft recently patched a previously unknown use-after-free vulnerability after an exploit leveraging a well-known Adobe Flash issue was found being used in targeted attacks, including against XP users.
