Internet Explorer 8 is affected by a new security flaw

May 22, 2014 07:00 GMT

Security researchers have found another zero-day flaw in Internet Explorer that leaves users' computers vulnerable to attacks until it is patched.

The flaw was discovered by HP's Zero Day Initiative, which claims it first contacted Microsoft in October, but the software giant has yet to release a patch. ZDI, which according to its own policy can publicly disclose a security vulnerability 180 days after contacting the vendor, claims that the zero-day flaw affects Internet Explorer 8 on the majority of Windows versions, including Windows XP.

Microsoft pulled the plug on Windows XP on April 8, so even when Microsoft releases a patch to address this flaw, users who have yet to upgrade to a newer OS version could remain vulnerable to attacks.

According to the advisory published a few hours ago, it all comes down to the way Internet Explorer handles CMarkup objects, and the vulnerability would allow an attacker to easily run arbitrary code on a target computer.

“The allocation initially happens within CMarkup::CreateInitialMarkup. The free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” ZDI explains in today's advisory.

As is usually the case with Internet Explorer vulnerabilities, attackers need a compromised website to break into an affected system that has yet to receive the patch.

“These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by getting them to open an attachment sent through email,” ZDI said.

Microsoft hasn't yet provided details on the vulnerability, but expect the company to come up with at least a Fix It solution in the coming weeks until a full patch is released.

We've also reached out to Microsoft for more information on the new zero-day flaw, so we're still waiting for details to find out exactly which versions of IE are affected and how users can remain protected.

Update: Microsoft has confirmed the zero-day flaw and promised that a fix is coming.