New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

Enough already

I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

October?!

[anarkhos]

Can't Balmer spare any developers developers developers?

Re:why are they taking so long?

[Billly+Gates]

that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certicates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

It is not a zero day.

[140Mandak262Jamuna]

According to the timeline it is a -180 day.

Re:Don't blink this time MS

Fuck you! XP FOREVER!!!!!

Re:why are they taking so long?

[lennier1]

The NSA probably wanted more time to exploit it.