Slashdot Mirror


New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

1 of 134 comments

  1. Re:why are they taking so long? by Jumunquo · Score: 5, Informative

    From ZDI advisory:
    Vendor Contact Timeline:
    10/11/2013 - Case disclosed to vendor
    02/10/2014 - Vendor confirmed reproduction
    04/09/2014 - Original predicted disclosure (180 days)
    05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
    05/21/2014 - ZDI publicly disclosed

    Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!