UPDATE: Microsoft officials say they’re well aware of the Internet Explorer 8 zero day disclosed Wednesday by the Zero Day Initiative and have been working on a fix for it. However, there’s no stated timeline for releasing that patch.
The vulnerability in IE 8 is a use-after-free bug in the way that the browser handles CMarkup objects. Researcher Peter Van Eeckhoutte of Corelan discovered the vulnerability last year and, through the ZDI, disclosed it to Microsoft in October. The vendor acknowledged the report, but more than six months later, a patch was not forthcoming. So the ZDI published its advisory this week, as per its disclosure guidelines.
The good news in this situation is that the flaw affects only IE 8, an old version of the browser. The bad news is that IE 8 lacks many of the exploit mitigations and other defenses included in the newer versions of IE, which makes it easier to exploit. Microsoft officials said they’re in the process of building and testing a fix for the vulnerability.
“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We continue to encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections,” a Microsoft spokesperson said.
Microsoft last month produced an emergency patch for a zero day that affected several versions of IE and was being used in targeted attacks.
In a blog post Thursday, Van Eeckhoutte said that he is concerned about the length of time that the vulnerability has gone without a patch, but believes there’s a good reason for the delay.
“The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason. 180 days is a number, a deadline, a commonly accepted period in which most bugs should get patched. Sometimes it works, sometimes it doesn’t,” he wrote.
“Again, only Microsoft knows exactly why. Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things. In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers. I’m sure we can all come up with examples of (small and large) software companies that approach bug reports in a different way.”
This article was updated on May 22 to add the comments from Van Eeckhoutte.