This is the second time in a one-month period that a vulnerability in Microsoft’s Internet Explorer has been exposed. The first one was announced in April, with Microsoft being quick to admit the problem. The company even shared emergency measures that users can take while waiting for the patch to be released officially. That’s over and done with, but yesterday, Zero Day Initiative released details of another Internet Explorer flaw.
According to the announcement of Zero Day Initiative, they first heard of the vulnerability back in October of 2013. It was discovered by Belgian researcher Peter Van Eeckhoutte. The Initiative then immediately alerted Microsoft about the issue.
By practice, the Initiative does not release such information to the public for about six months after informing the concerned party. This is to give the latter time to release a patch to address the issue.
Since it’s been a while since the Internet Explorer vulnerability has been pointed out to Microsoft, the Initiative gave the company notice on May 8 that they would announce the details to the public. It’s now been weeks since, and still nothing from Microsoft, so now we know. (Maybe Microsoft was too busy with the Surface Pro 3.)
Specifically, the vulnerability affects Internet Explorer 8, and “allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
It is rather surprising that Microsoft has not done anything since they were informed of the flaw, especially considering that Internet Explorer 8 still has 20.85% share of the browser market. This is according to Net Market Share’s April report.
If you’re using IE 8, just be extra careful about the sites you visit, as the vulnerability requires the user to visit a page designed to take advantage of the flaw. Every link you receive – via email, chat message, or whatever – make sure you trust the source. Else, you just might become a victim of this flaw.