New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

Re:why are they taking so long?

[Jumunquo]

From ZDI advisory:
Vendor Contact Timeline:
10/11/2013 - Case disclosed to vendor
02/10/2014 - Vendor confirmed reproduction
04/09/2014 - Original predicted disclosure (180 days)
05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
05/21/2014 - ZDI publicly disclosed

Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

Re:why are they taking so long?

You forgot to add to your timeline:

4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

IE8 Last for Windows XP

[BBCWatcher]

Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

Re:IE EIGHT?

[xlsior]

Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

American Date Format

[labnet]

American Date Format :DIE Already!!!!!!!!!!!
American Imperial Units: DIE Already!!!!!!!!!!
American Imperialism : .....[shhh the nsa is listening]

Re:American Date Format

[harperska]

Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

Re:American Date Format

[QuasiSteve]

Remember, Remember, November 5th.

This day, July 4th, is our Independence Day.

Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

Re:American Date Format

[Dynedain]

Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

Re:American Date Format

[compro01]

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

That's what ISO 8601 specifies. YYYY-MM-DD.

Re:American Date Format

[gl4ss]

third of the fifth? or fifth day of the third?

month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

It is not a zero day.

[140Mandak262Jamuna]

According to the timeline it is a -180 day.

Don't blink this time MS

[Dega704]

Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

Re:why are they taking so long?

[lennier1]

The NSA probably wanted more time to exploit it.

Re:IE EIGHT?

[xlsior]

So use Firefox or Chrome. No big deal.

Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.