Slashdot Mirror


New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."


  1. Re:why are they taking so long? by Jumunquo · · Score: 5, Informative

    From ZDI advisory:
    Vendor Contact Timeline:
    10/11/2013 - Case disclosed to vendor
    02/10/2014 - Vendor confirmed reproduction
    04/09/2014 - Original predicted disclosure (180 days)
    05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
    05/21/2014 - ZDI publicly disclosed

    Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

  2. Re:why are they taking so long? by Anonymous Coward · · Score: 5, Interesting

    You forgot to add to your timeline:

    4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

    Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

  3. Re:IE EIGHT? by xlsior · · Score: 5, Interesting

    Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

  4. American Date Format by labnet · · Score: 5, Insightful

    American Date Format :DIE Already!!!!!!!!!!!
    American Imperial Units: DIE Already!!!!!!!!!!
    American Imperialism : .....[shhh the nsa is listening]

    --
    46137
    1. Re:American Date Format by QuasiSteve · · Score: 5, Insightful

      Remember, Remember, November 5th.

      This day, July 4th, is our Independence Day.

      Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

      But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

  5. It is not a zero day. by 140Mandak262Jamuna · · Score: 5, Funny

    According to the timeline it is a -180 day.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact