Microsoft leaves serious flaw in Internet Explorer unpatched for 8 months
It turns out that a serious vulnerability in Internet Explorer 8 was discovered months ago and has still not been fixed. It was disclosed by the Zero Day Initiative, which says it allows remote code execution with the privileges of the logged-in user.
Microsoft was notified of the vulnerability by security firm TippingPoint in October 2013, but has not yet patched it. Earlier this month, the Zero Day Initiative informed the group that it would publish the details, which it has since done. ZDI's policy is to release details about vulnerabilities if they are not fixed within 180 days.
The vulnerability can be exploited by malicious parties through websites they have created themselves or acquired. Exploitation can lead to the execution of code with the rights of the logged-in user, which in the worst case can lead to complete takeover of a system. Internet Explorer 8 is available for Windows XP, Windows Vista, and Windows 7.
In any case, no patch will be released for Windows XP. It is not clear why Microsoft has not released a patch for the other Windows versions. "Some fixes are more complex than others," the company told Cnet. The company is not aware of any instances of actual exploitation of the vulnerability.