The company said in a statement that it's working to deliver a patch as soon as possible

May 23, 2014 07:17 GMT

HP's Zero Day Initiative yesterday revealed a new zero-day security flaw in Internet Explorer 8, explaining that the bug was first disclosed to Microsoft in October 2013 and that, because its 180-day disclosure deadline had passed, it decided to release a public advisory.

We've reached out to Microsoft for official comment, and a company spokesperson confirmed in a statement that there is indeed a zero-day flaw in Internet Explorer 8, but that no customers have been affected so far.

A patch is also in the works, the company explained, but it's not yet clear whether it will release an out-of-band fix or wait until Patch Tuesday next month.

Here's the official statement provided to us by a Microsoft spokesperson:

“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections.”

The Corelan Team, which actually discovered the flaw, said in a post today that consumers are still on the safe side because only an advisory was disclosed, not the bug itself: everyone is now aware that there's a flaw in Internet Explorer 8, but nobody has been handed the exploit.

The team also explained why it decided to make the advisory public, even though it had previously contacted Microsoft to report the security flaw.

“The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason. 180 days is a number, a deadline, a commonly accepted period in which most bugs should get patched. Sometimes it works, sometimes it doesn’t,” the team explained.

“Again, only Microsoft knows exactly why. Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things.”

Internet Explorer 8 is the only affected version of Microsoft's in-house browser, which means that users running Windows 7, Windows 8 and 8.1 are fully protected. Modern versions of Microsoft's operating systems run Internet Explorer 10 and 11; those still on Windows XP, on the other hand, are exposed to attacks that exploit the flaw.

Microsoft is no longer releasing patches and security updates for Windows XP, so even if the company rolls out a fix for this zero-day flaw, users running the old version of the operating system are very likely to remain vulnerable.