Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Bug bounty program outs 7-month-old IE zero-day

Gregg Keizer | May 23, 2014
No sign that hackers are exploiting the unpatched vulnerability in IE8; XP users will never see the fix.

Which is not only a good thing, said Van Eeckhoutte, but the way things should work. "I am worried, too, about a 180-day delay to get a bug fixed," he said. "But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days."

Internet Explorer 8 remains the most-used Microsoft browser, although the newer IE11 is quickly gaining ground. (Data: Net Applications.)

Microsoft gave no hint today about when it would patch the IE8 bug -- which ZDI said it had confirmed was exploitable on Windows XP and Windows 7 -- or what had kept it from fixing the flaw.

"We build and thoroughly test every security fix as quickly as possible," Microsoft said. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations."

Even when Microsoft patches IE8, it will not issue a fix for the browser on Windows XP, as the 13-year-old OS has exhausted its support. Microsoft retired XP on April 8, but made an exception May 1 when it released a patch for IE on XP. There seems little chance it will make more exceptions.

In lieu of a patch, Windows users, including those running XP, can take several defensive steps, including restricting IE's Active Scripting and installing Microsoft's EMET (Enhanced Mitigation Experience Toolkit) utility. Microsoft provided those recommended steps to ZDI, which included them in its advisory.

Although EMET was originally designed for enterprises and advanced Windows users, Microsoft has been urging other customers to install the toolkit as an important anti-exploit defense.

"EMET will prevent the [proof-of-concept] exploit from achieving arbitrary code execution," said Van Eeckhoutte. "In fact, it should be clear by now that installing EMET has become an important layer of defense on your Windows endpoints. This case simply re-enforces this. EMET won't stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you're serious about security, install it."

EMET works on Windows XP, and can be downloaded from Microsoft's website.

IE8 remains the most popular version of Internet Explorer, even though it has been superseded by three newer editions. According to Web metrics company Net Applications, IE8 accounted for 36% of all versions of Microsoft's browser in use last month. The newest, IE11, came in second with a 28.7% share.

Microsoft's next regularly-scheduled security updates will be released on June 10.


Previous Page  1  2 

Sign up for Computerworld eNewsletters.