Bug bounty program outs 7-month-old IE zero-day

No sign that hackers are exploiting the unpatched vulnerability in IE8; XP users will never see the fix


Microsoft gave no hint today about when it would patch the IE8 bug -- which ZDI said it had confirmed was exploitable on Windows XP and Windows 7 -- or what had kept it from fixing the flaw.

"We build and thoroughly test every security fix as quickly as possible," Microsoft said. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations."

Even when Microsoft patches IE8, it will not issue a fix for the browser on Windows XP, as the 13-year-old OS has reached the end of its support. Microsoft retired XP on April 8, but made an exception on May 1 when it released a patch for IE on XP. There seems little chance it will make more exceptions.

In lieu of a patch, Windows users, including those running XP, can take several defensive steps, including restricting IE's Active Scripting and installing Microsoft's EMET (Enhanced Mitigation Experience Toolkit) utility. Microsoft provided those recommended steps to ZDI, which included them in its advisory.
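The first of those defensive steps, restricting Active Scripting, is set per security zone in the Internet Explorer registry layout. The following PowerShell is an added example, not code from the article or from Microsoft's advisory: it audits the current user's Active Scripting setting for every IE zone and, with the `-Enforce` switch, sets it to Disabled for the Internet and Restricted Sites zones. The zone numbers (0 to 4), the value name `1400` and the meanings 0/1/3 are IE's documented registry conventions; the zone-name table, the `-Enforce` and `-Zones` parameters are this script's own assumptions.

```powershell
# Added example (not from the Computerworld article or Microsoft's advisory):
# audit, and optionally tighten, Internet Explorer's "Active Scripting"
# setting per security zone for the current user.
[CmdletBinding()]
param(
    # When set, write Disabled (3) for the zones in -Zones instead of only reporting.
    [switch]$Enforce,
    # Zones to harden: 3 = Internet, 4 = Restricted Sites (the untrusted zones).
    [int[]]$Zones = @(3, 4)
)

# IE zone numbers and the Active Scripting value (1400) per Microsoft's documented layout.
$zoneNames    = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$settingNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

foreach ($zone in 0..4) {
    $key = Join-Path $base $zone
    if (-not (Test-Path $key)) { continue }

    # Read the current Active Scripting value; $null means IE's built-in default applies.
    $current = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $current) {
        $label = 'not set (IE default applies)'
    } elseif ($settingNames.ContainsKey([int]$current)) {
        $label = $settingNames[[int]$current]
    } else {
        $label = "unknown ($current)"
    }
    Write-Output ("Zone {0} ({1}): Active Scripting = {2}" -f $zone, $zoneNames[$zone], $label)

    # Only change the zones the caller asked for, and only if not already Disabled.
    if ($Enforce -and ($Zones -contains $zone) -and ($current -ne 3)) {
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
        Write-Output ("  -> set to Disabled for zone {0} ({1})" -f $zone, $zoneNames[$zone])
    }
}
```

Run it without arguments to see the current state, and with `-Enforce` to apply the restriction. Two caveats for anyone rolling this out: the script writes only the per-user (HKCU) keys, so a machine configured through Group Policy (HKLM policy keys, or the "Security_HKLM_only" setting) will override it, and disabling scripting in the Internet zone breaks many sites, which is why the usual practice is to pair it with the Trusted Sites zone for the handful of sites that must keep scripting.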

Although EMET was originally designed for enterprises and advanced Windows users, Microsoft has been urging other customers to install the toolkit as an important anti-exploit defense.

"EMET will prevent the [proof-of-concept] exploit from achieving arbitrary code execution," said Van Eeckhoutte. "In fact, it should be clear by now that installing EMET has become an important layer of defense on your Windows endpoints. This case simply reinforces this. EMET won't stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you're serious about security, install it."

EMET works on Windows XP, and can be downloaded from Microsoft's website.

IE8 remains the most popular version of Internet Explorer, even though it has been superseded by three newer editions. According to Web metrics company Net Applications, IE8 accounted for 36% of all versions of Microsoft's browser in use last month. The newest, IE11, came in second with a 28.7% share.

Microsoft's next regularly scheduled security updates will be released on June 10.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.


Copyright © 2014 IDG Communications, Inc.
