Still no patch for 7-month-old IE8 zero-day flaw

HP’s Zero Day Initiative has published details about a zero-day vulnerability affecting Microsoft Internet Explorer 8, which the Redmond giant apparently has no intention of fixing.

“The specific flaw exists within the handling of CMarkup objects,” the Initiative shared. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file… An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability was discovered by Peter “corelanc0d3r” Van Eeckhoutte, a member of a non-profit group of IT security researchers dubbed Corelan Team.

The flaw was disclosed to Microsoft in October 2013, and the company confirmed it. But as Microsoft hasn’t moved to fix it in the seven or so months that have since passed, it must be assumed that it decided against doing so.

Instead, they offered some workarounds:

  • Set Internet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Install EMET. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.
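
To check whether the Active Scripting workaround is actually in place on a machine, the following read-only PowerShell audit can be used. It is an added example, not part of the advisory or of Microsoft's guidance. It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active Scripting) and simplifies precedence by reading policy keys before per-user settings; the function and variable names are illustrative.

```powershell
# Added example: read-only audit of the Active Scripting workaround.
# Assumptions: URL action 1400 = Active Scripting (0 enable, 1 prompt, 3 disable);
# CurrentLevel 0x12000 = "High" template. Written to run on PowerShell 2.0.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$names  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$states = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Simplified precedence: Group Policy keys first, then the per-user setting.
$roots = "HKLM:\Software\Policies\$suffix",
         "HKCU:\Software\Policies\$suffix",
         "HKCU:\Software\$suffix"

function Get-ZoneScriptingStatus {
    foreach ($id in 1, 3) {
        $hit = $null; $source = $null
        foreach ($root in $roots) {
            $p = Get-ItemProperty -Path "$root\$id" -ErrorAction SilentlyContinue
            if ($p -and $null -ne $p.'1400') {
                $hit = $p; $source = "$root\$id"; break
            }
        }

        if ($hit) {
            $value = [int]$hit.'1400'
            $label = if ($states.ContainsKey($value)) { $states[$value] }
                     else { "Unknown ($value)" }
            $high  = ($hit.CurrentLevel -eq 0x12000)
            # The workaround accepts either "prompt" or "disable".
            $ok    = (1, 3) -contains $value
        } else {
            # No explicit value found: the zone falls back to IE defaults.
            $label = 'Not set'; $high = $false; $ok = $false
        }

        New-Object PSObject -Property @{
            Zone            = $names[$id]
            ActiveScripting = $label
            HighTemplate    = $high
            Mitigated       = $ok
            Source          = $source
        }
    }
}

Get-ZoneScriptingStatus |
    Select-Object Zone, ActiveScripting, HighTemplate, Mitigated, Source |
    Format-Table -AutoSize
```

A zone reported as `Mitigated = False` still runs script without prompting, so the workaround is not in effect there for the current user.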

ZDI also advises users to be careful when clicking on links or opening attachments sent through email, and to configure their accounts to have fewer user rights on the system.

The good news is that the default settings in all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail, as well as the default Enhanced Security Configuration in Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 mitigate this type of vulnerability.

UPDATE: Even though it has been aware of the vulnerability for 7 months, Microsoft is apparently planning to fix it after all, at some point in the future.

A Microsoft spokesperson told us the following: “We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections.”
